Cryptbot and KMSPico: A spicy combination

To track this Cryptbot information stealer, you can combine behavior-based and signature detection.
Digital piracy is a dangerous lifestyle choice because of the many exploits used to activate paid features and the disreputable sources of cracked software. Many systems have been infected by malware because users installed cracked software that they assumed was legitimate. In one recent case, we found a system infected with Cryptbot, malware that steals passwords. We traced the infection back to a fake version of KMSPico. This article explains what KMSPico is and how it relates to Cryptbot. To supplement the information here, we included the malware analysis for KMSPico in an additional PDF, kmspico.
What is KMSPico?
KMSPico allows you to activate all features of Microsoft Windows and Office without having to own a license key. It uses Windows Key Management Services (KMS), a legitimate technology for licensing Microsoft products across multiple enterprise networks. In normal circumstances, legitimate KMS licensing allows enterprises to install a KMS server at a central location and to configure clients to communicate with it using Group Policy Objects. KMSPico, on the other hand, emulates a KMS server locally on the affected system in order to fraudulently activate an endpoint’s license.
Even if KMSPico hasn’t been contaminated with malware, it is not legal software. Even when someone does get the actual installer, its only purpose is license circumvention. Multiple antimalware vendors have identified license circumvention software as a potentially undesirable program (PUP). KMSPico is often distributed along with disclaimers and instructions for disabling antimalware products prior to installation. The disabling instructions can make it difficult to find a clean download and could lead to malware being delivered to unwitting victims.
We have seen IT departments use KMSPico to activate their systems instead of using legitimate Microsoft licenses. We even had an incident response engagement in which our IR partner couldn’t resolve one environment because the organization didn’t have a valid Windows license. KMSPico and other non-official KMS activators circumvent Microsoft licenses and pose a serious risk to organizations. Microsoft only supports legitimate activation of Windows.
The stowaway, the Cryptbot thief
Cryptbot is well-known malware that has been deployed via various methods. It harms organizations by stealing sensitive information from affected systems. It has also been known to be deployed using fake “cracked” software, and this time it is particularly dangerous because it poses as KMSPico. Clicking one of the malicious links will infect the user, who will download KMSPico, Cryptbot or other malware. Because the victim expects KMSPico to be installed, the adversaries install it while also deploying Cryptbot behind the scenes.
Cryptbot can collect sensitive information from these applications:
- Atomic cryptocurrency wallet
- Avast Secure web browser
- Brave browser
- Ledger Live cryptocurrency wallet
- Opera Web Browser
- Waves Client and Exchange cryptocurrency apps
- Coinomi cryptocurrency wallet
- Google Chrome web browser
- Jaxx Liberty cryptocurrency wallet
- Electron Cash cryptocurrency wallet
- Electrum cryptocurrency wallet
- Exodus cryptocurrency wallet
- Monero cryptocurrency wallet
- MultiBitHD cryptocurrency wallet
- Mozilla Firefox web browser
- CCleaner web browser
- Vivaldi web browser
Behavioral detection shores up signature-based detection
Cryptbot’s distribution continues the trend we saw in recent threats, like Yellow Cockatoo/Jupyter. To thwart signature-based tools like antivirus and YARA rules, adversaries continue to use crypters, packers, and other evasion methods. This obfuscation makes threats more complex, but adversaries must make the same effort to remove the obfuscation once they have delivered the malware. Behavior-based detection shines during this delivery and deobfuscation process and closes gaps on malicious activity that might otherwise be missed.
The adversary used the CypherIT AutoIt crypter to obscure Cryptbot. There were no cleartext Cryptbot binary files on disk. We could still detect the threat despite the obfuscation by targeting the behaviors that delivered the malware and deobfuscated it. The following detection strategies were helpful in detecting this threat.
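As an added illustration that is not part of the original article, the sketch below shows one way to express behavior-based logic for an AutoIt-based crypter: it flags processes whose PE metadata identifies the AutoIt interpreter while the file name does not, and AutoIt processes that connect to external addresses. The telemetry schema (`image`, `pe_original_name`, `pe_description`, `remote_ips`), the internal network ranges and the sample events are all assumptions constructed for this example.

```python
import ipaddress
import ntpath

# Assumed internal ranges; anything outside them counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed process telemetry (hypothetical schema, not real incident data).
# 203.0.113.0/24 is a documentation range used here as a stand-in.
EVENTS = [
    {"pid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\helper.com",
     "pe_original_name": "AutoIt3.exe", "pe_description": "AutoIt v3 Script",
     "remote_ips": ["203.0.113.45"]},
    {"pid": 5200, "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "pe_original_name": "AutoIt3.exe", "pe_description": "AutoIt v3 Script",
     "remote_ips": []},
    {"pid": 6300, "image": r"C:\Windows\System32\notepad.exe",
     "pe_original_name": "NOTEPAD.EXE", "pe_description": "Notepad",
     "remote_ips": ["10.0.0.5"]},
]

def is_external(ip):
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def has_autoit_metadata(event):
    """Check the PE version-info fields rather than the on-disk file name."""
    fields = (event.get("pe_original_name", ""), event.get("pe_description", ""))
    return any("autoit" in f.lower() for f in fields)

def detect(event):
    """Return the behavioral findings for one process event."""
    findings = []
    if not has_autoit_metadata(event):
        return findings
    # ntpath parses Windows paths correctly on any analysis host.
    if "autoit" not in ntpath.basename(event["image"]).lower():
        findings.append("renamed_autoit_interpreter")
    if any(is_external(ip) for ip in event.get("remote_ips", [])):
        findings.append("autoit_external_connection")
    return findings

def triage(events):
    """Map pid -> findings for every event with at least one finding."""
    results = {e["pid"]: detect(e) for e in events}
    return {pid: f for pid, f in results.items() if f}

if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        print(pid, findings)
```

Neither check depends on the bytes of the packed payload, so re-running the crypter to change file hashes leaves both findings intact.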
Conclusion
A pirate’s life is not the life for us, especially when it comes to cracked software. KMSPico is license-circumvention software that can be spoofed in a variety of ways, and in this case a malicious version led to an interesting Cryptbot infection designed to steal credentials. You can save yourself the hassle and use supported, legitimate activation methods.