Data Stealing Cryptbot Malware Sneaks Onto Machines As Fake Windows Activator Tool

Multiple computer monitors running console and programming applications
Installing pirated software is always risky business. The hacking tools used to bypass legitimate software activation quite frequently include viruses and malware. The latest in a long line of malware piggybacking is a popular activation tool that targets your cryptocurrency wallets.

The threat was first noticed by security analysts at Red Canary. Attackers are reportedly using a fake version of KMSPico to infect Windows machines with malware known as Cryptbot. The tool affected is used to activate the full features of Microsoft Windows and Office products, without actually owning a license key. As Red Canary points out, security tools will usually block KMSPico as a Potentially Unwanted Program (PUP). For this reason, the software usually comes with instructions to disable antivirus and anti-malware software.

That leaves the computer wide open to infection with malware such as Cryptbot. This nasty little piece of malware, according to Red Canary, "harms organizations by stealing credentials and other sensitive information from affected systems". Most of that private data is taken from cryptocurrency-related software.

Most of the software that Cryptbot steals information from are cryptocurrency wallets. Here is a list of applications known to be at risk:

  • Atomic cryptocurrency wallet
  • Ledger Live cryptocurrency wallet
  • Waves Client and Exchange cryptocurrency applications
  • Coinomi cryptocurrency wallet
  • Jaxx Liberty cryptocurrency wallet
  • Electron Cash cryptocurrency wallet
  • Electrum cryptocurrency wallet
  • Exodus cryptocurrency wallet
  • Monero cryptocurrency wallet
  • MultiBitHD cryptocurrency wallet

Red Canary says Cryptbot also tries to get information from web browsers, including Google Chrome, Mozilla Firefox, Opera, Brave, and Vivaldi. Additionally, Cryptbot attempts to siphon information from the CCleaner system management tool.

Detecting a Cryptbot infection is difficult, as the malware uses various methods to mask itself. Attackers sometimes use the CypherIT AutoIT crypter, for example, to obfuscate Cryptbot. Red Canary outlines two possible strategies for locating the malware.

You can search your hard drive for binaries containing AutoIT metadata, but lacking “AutoIT” in the file name. You can also search for PowerShell or cmd.exe deletion commands containing rd /s /q, timeout, and del /f /q together.