Cryptocurrency-stealing virus detected in KMSpico activator for pirated Windows

The cybersecurity company Red Canary has provided guidance on identifying Cryptbot

10.12.2021 - 12:10

499

1 min

What’s new? A virus has been detected in KMSPico's Microsoft Windows and Office activation software, which collects the users' personal data. The attackers use the Cryptbot virus to steal cryptocurrency among other things, according to the cybersecurity company Red Canary.

The Red Canary article

How does the virus work? Cryptbot has been around for a long time, now the hackers have begun disguising it as the KMSPico activator installer. By clicking on the download link, the user downloads the virus and at the same time, the program installs the activator itself. The attackers disguise Cryptbot with the CypherIT AutoIT encryption software. The virus steals the personal data from the users' web browsers, antivirus software, and crypto wallets.

How to detect the malware? Red Canary recommends searching for binaries containing AutoIT metadata but without AutoIT in the file names, namely, findstr commands similar to “findstr /V /R "^ ... $.”

PowerShell or cmd.exe commands containing “rd /s /q, timeout, and del /f /q together” are used to find Cryptbot.

Author: