A tool hidden in KMSPico, a “pirate” Windows activation program, can collect data from crypto wallets on users’ computers.

As reported by security company Red Canary, the CryptBot tool was discovered hidden in many KMSPico software packages on the Internet. Once installed on a machine, CryptBot can collect information from cryptocurrency wallets such as Electrum, Monero, Exodus … and from browsers like Chrome, Firefox and Opera. If the hacker obtains the access information, the hacker can take control of the wallet and steal the user’s cryptocurrency.

When analyzing CryptBot, the researchers found that the malicious code was designed to evade detection by anti-virus programs. It can even recognize the simulated computer environments that researchers use and hide itself. The malicious code is only detected when it executes PowerShell commands or makes network connections to the outside.

The KMSPico tool circulating on the Internet is a vehicle for spreading the CryptBot malicious code.

CryptBot is spread through many methods, and KMSPico has recently been one of the popular ones. KMSPico is a tool for activating Windows illegally, instead of buying a license from Microsoft.

This tool is shared widely on the Internet. Searching for the keyword “kmspico” returns millions of results. However, many of the websites among them share fake software that contains dangerous malicious code. In some cases, CryptBot was renamed to pretend to be KMSPico and lure users into downloading it, the researchers said. In other cases, CryptBot is hidden in the KMSPico file and silently installed on the computer without the victim knowing.

According to Bleeping Computer, saving money by using pirated Windows is a bad idea. “If something goes wrong, you get hit by ransomware or your crypto gets stolen, the amount of damage will be much greater than the cost of buying Windows and Office licenses.”

