CATEGORIES
home News

Data Stealing Cryptbot Malware Sneaks Onto Machines As Fake Windows Activator Tool

by Jeff ButtsTuesday, December 07, 2021, 03:43 PM EDT

Multiple computer monitors running console and programming applications
Installing pirated software is always risky business. The hacking tools used to bypass legitimate software activation quite frequently include viruses and malware. The latest in a long line of malware piggybacking is a popular activation tool that targets your cryptocurrency wallets.

The threat was first noticed by security analysts at Red Canary. Attackers are reportedly using a fake version of KMSPico to infect Windows machines with malware known as Cryptbot. The tool affected is used to activate the full features of Microsoft Windows and Office products, without actually owning a license key. As Red Canary points out, security tools will usually block KMSPico as a Potentially Unwanted Program (PUP). For this reason, the software usually comes with instructions to disable antivirus and anti-malware software.

That leaves the computer wide open to infection with malware such as Cryptbot. This nasty little piece of malware, according to Red Canary, "harms organizations by stealing credentials and other sensitive information from affected systems". Most of that private data is taken from cryptocurrency-related software.

Most of the software that Cryptbot steals information from are cryptocurrency wallets. Here is a list of applications known to be at risk:

  • Atomic cryptocurrency wallet
  • Ledger Live cryptocurrency wallet
  • Waves Client and Exchange cryptocurrency applications
  • Coinomi cryptocurrency wallet
  • Jaxx Liberty cryptocurrency wallet
  • Electron Cash cryptocurrency wallet
  • Electrum cryptocurrency wallet
  • Exodus cryptocurrency wallet
  • Monero cryptocurrency wallet
  • MultiBitHD cryptocurrency wallet

Red Canary says Cryptbot also tries to get information from web browsers, including Google Chrome, Mozilla Firefox, Opera, Brave, and Vivaldi. Additionally, Cryptbot attempts to siphon information from the CCleaner system management tool.

Detecting a Cryptbot infection is difficult, as the malware uses various methods to mask itself. Attackers sometimes use the CypherIT AutoIT crypter, for example, to obfuscate Cryptbot. Red Canary outlines two possible strategies for locating the malware.

You can search your hard drive for binaries containing AutoIT metadata, but lacking “AutoIT” in the file name. You can also search for PowerShell or cmd.exe deletion commands containing rd /s /q, timeout, and del /f /q together.

Tags:  Malware, Windows, Piracy, Microsoft-Office, cryptocurrency, cryptbot
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment