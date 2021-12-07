Researchers have found that cybercriminals are using KMSpico, an unofficial tool for activating Microsoft product licences, to distribute malware that steals the credentials and data needed to access victims' cryptocurrency wallets.

According to research by the security firm RedCanary, some KMSpico installers circulating on the internet are bundled with the Cryptbot information-stealing malware. To evade detection by security products, the criminals pack the activator with the CypherIT crypter, which obfuscates the malicious code and makes it harder to identify.

Cryptbot's packed (encrypted) code. (Image: Reproduction/RedCanary)

According to RedCanary's research, this Cryptbot variant focuses on stealing access credentials and wallet data from a number of cryptocurrency wallet applications. They are listed below:

Atomic;
Ledger Live;
Waves Client;
Coinomi;
Jaxx Liberty;
Electron Cash;
Electrum;
Exodus;
Monero;
MultiBitHD.

In addition to these wallets, Cryptbot can also steal data (such as saved credentials) from the following web browsers:

Google Chrome;
Mozilla Firefox;
Opera;
Brave;
Vivaldi.

Cheap can be expensive

KMSpico is an unofficial program for activating Microsoft products and is easy to find on the internet. It emulates a Windows Key Management Service (KMS) server so that Windows or Office, for example, is activated without a valid licence, letting companies and users avoid paying the activation price for the software.

Despite the savings the program appears to offer, RedCanary recommends against using KMSpico: beyond the ethical and legal problems of running pirated licences, the software can carry severe security risks, as the bundled distribution with Cryptbot demonstrates. Because an activator is expected to tamper with system components and is usually run with antivirus disabled, users are unlikely to notice the extra payload.

If you have used KMSpico and are unsure whether you have been infected with Cryptbot, we recommend following the technical explanation in RedCanary's official threat report on how to detect the malware, and then scanning the affected machine with an antivirus solution. Any wallet or browser credentials stored on that machine should be treated as compromised and rotated, and funds moved to a wallet created on a clean system.
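As an added illustration of the kind of behavioural check a defender can run over endpoint telemetry, the following Python script is example code written for this page, not code from the article or from RedCanary's report. It evaluates constructed, Sysmon-style process-creation and file-read events and flags three things: execution of a KMS activator (matched by name), a binary dropped into the user's temp directory by that activator, and any process other than the legitimate wallet or browser application reading from a wallet or browser data directory. The activator name patterns, the temp-directory heuristic and the wallet data paths are assumptions for illustration, and the sample events are fabricated.

```python
import re
from typing import Dict, List

# Name patterns for KMS activators (assumed, e.g. KMSpico, AutoKMS); case-insensitive.
ACTIVATOR_RE = re.compile(r"kms[-_ ]?(pico|auto|emulator)|autokms", re.I)
# Unpacked droppers often run from the user's temp directory (generic heuristic, an assumption).
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)

# Lower-case path fragments of wallet/browser data stores mapped to the substring
# expected in the image name of the process that legitimately reads them.
# These locations are assumptions for illustration, not taken from the report.
PROTECTED_DATA = {
    r"\appdata\roaming\electrum\wallets": "electrum",
    r"\appdata\roaming\exodus\exodus.wallet": "exodus",
    r"\appdata\roaming\atomic\local storage": "atomic",
    r"\appdata\roaming\ledger live": "ledger live",
    r"\appdata\roaming\electron cash\wallets": "electron",
    r"\google\chrome\user data": "chrome",
    r"\appdata\roaming\mozilla\firefox\profiles": "firefox",
}

# Constructed sample telemetry (not real logs): an activator run from Downloads drops a
# binary into Temp, which then reads two wallet stores; the real Electrum and Chrome
# processes reading their own data are benign and must not be flagged.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 1001, "parent_pid": 400,
     "image": r"C:\Users\bob\Downloads\KMSpico_setup.exe"},
    {"type": "process_create", "pid": 1002, "parent_pid": 1001,
     "image": r"C:\Users\bob\AppData\Local\Temp\is-8F2.tmp\svchost.exe"},
    {"type": "file_read", "pid": 1002, "image": r"C:\Users\bob\AppData\Local\Temp\is-8F2.tmp\svchost.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"type": "file_read", "pid": 1002, "image": r"C:\Users\bob\AppData\Local\Temp\is-8F2.tmp\svchost.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"type": "file_read", "pid": 1002, "image": r"C:\Users\bob\AppData\Local\Temp\is-8F2.tmp\svchost.exe",
     "path": r"C:\Users\bob\Documents\notes.txt"},
    {"type": "file_read", "pid": 2200, "image": r"C:\Program Files (x86)\Electrum\electrum-4.1.5.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"type": "file_read", "pid": 2300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]


def detect(events: List[Dict]) -> List[Dict]:
    """Return a list of findings for the given events (see the rule names below)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}

    def ancestry(pid: int) -> List[str]:
        # Image paths of the process and its known ancestors, following parent_pid;
        # the visited set guards against malformed (cyclic) telemetry.
        chain, seen = [], set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            chain.append(procs[pid]["image"])
            pid = procs[pid].get("parent_pid")
        return chain

    def spawned_by_activator(pid: int, skip_self: bool) -> bool:
        lineage = ancestry(pid)[1:] if skip_self else ancestry(pid)
        return any(ACTIVATOR_RE.search(img) for img in lineage)

    findings = []
    for e in events:
        image = e["image"]
        if e["type"] == "process_create":
            if ACTIVATOR_RE.search(image):
                findings.append({"rule": "kms_activator_executed", "pid": e["pid"], "image": image})
            elif TEMP_DIR_RE.search(image) and spawned_by_activator(e["pid"], skip_self=True):
                findings.append({"rule": "activator_spawned_temp_binary", "pid": e["pid"], "image": image})
        elif e["type"] == "file_read":
            path_l = e["path"].lower()
            basename = image.lower().rsplit("\\", 1)[-1]
            for fragment, owner in PROTECTED_DATA.items():
                # Flag reads of a data store by anything other than its own application.
                if fragment in path_l and owner not in basename:
                    findings.append({"rule": "wallet_data_read_by_foreign_process", "pid": e["pid"],
                                     "image": image, "path": e["path"],
                                     "linked_to_activator": spawned_by_activator(e["pid"], skip_self=False)})
                    break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

On the constructed sample this yields four findings: the activator itself, the temp-directory child it spawned, and that child's two reads of wallet stores, both linked back to the activator through process lineage; the legitimate Electrum and Chrome reads are not reported. In a real deployment the process-lineage link is what turns a noisy "something touched a wallet directory" signal into a high-confidence alert.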

Source: RedCanary