KMSPico is one of the most popular tools for “activating” licenses for Microsoft products such as Windows and Office. It is illegal, of course, but it does its cracking job very well … as long as it does not come with a ‘surprise’ attached, as our security colleagues warn.
KMSPico is a crack that emulates a Microsoft Key Management Service (KMS) server to activate Windows or Office licenses. It can be found on standalone websites, forums, and torrent networks, or bundled with the pirated products themselves. Microsoft does not seem very concerned about its use by consumers, under the (unstated) strategy that it is better for you to run a pirated Windows than to switch to Linux or macOS, or to install a pirated Office rather than LibreOffice. It has even made specific offers to pirates …
That is the only way to explain the massive availability of this pirated software which, according to Red Canary, is also used in companies and in many IT departments. That has been discussed at length and is another story. The one that concerns us here is the use of modified installers to distribute malware, something cybercriminals do persistently, taking advantage of any high-demand software or service.
KMSPico to distribute malware
The security firm Red Canary has warned of a fake KMSPico installer circulating on the Internet. It has been altered to infect Windows computers: it plants malware and carries out malicious activity such as the theft of cryptocurrency wallets.
The malicious build is delivered as a 7-Zip self-extracting executable that bundles and installs the real KMS emulator, so that the victim suspects nothing. Behind it, the real intention is to install Cryptbot, a Trojan specialized in stealing credentials and sensitive information from a list of applications used by millions of people, especially web browsers and cryptocurrency wallets such as:
- Atomic
- Avast Secure Browser
- Brave
- Ledger Live
- Opera Web Browser
- Waves Client and Exchange
- Coinomi
- Google Chrome
- Jaxx Liberty
- Electron Cash
- Electrum
- Exodus
- Monero
- MultiBitHD
- Mozilla Firefox
- CCleaner
- Vivaldi
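As an added illustration (not from the article and not from Red Canary's report), the following Python snippet shows how a practitioner can triage a 7-Zip self-extracting installer offline without running it. A 7-Zip installer SFX is a concatenation of the SFX stub, an optional text config block delimited by `;!@Install@!UTF-8!` and `;!@InstallEnd@!` whose `RunProgram` / `ExecuteFile` entries name what gets launched after extraction, and the 7z archive appended at the end. Those delimiters and field names are 7-Zip's own; the sample bytes, file names and config values below are constructed for the example and do not describe the real malicious installer.

```python
import re

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # signature that opens every 7z archive
CFG_START = b";!@Install@!UTF-8!"       # delimiters of the 7-Zip installer SFX
CFG_END = b";!@InstallEnd@!"            # config block (Title, RunProgram, ...)
# Script hosts and LOLBins an installer config has no business launching.
SCRIPT_HOSTS = ("cmd", "powershell", "pwsh", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32", "autoit")


def parse_sfx(data: bytes) -> dict:
    """Locate the SFX config block and the appended 7z archive in a file image."""
    info = {"is_pe": data[:2] == b"MZ", "config": {},
            "archive_offset": None, "archive_version": None}
    start = data.find(CFG_START)
    if start != -1:
        end = data.find(CFG_END, start)
        if end != -1:
            body = data[start + len(CFG_START):end].decode("utf-8", "replace")
            # Config lines look like:  RunProgram="setup.exe"
            for key, val in re.findall(r'^\s*(\w+)="(.*?)"\s*$', body, re.M):
                info["config"][key] = val
    off = data.find(SEVENZ_MAGIC)
    if off != -1 and len(data) >= off + 8:
        info["archive_offset"] = off
        # Two version bytes (major, minor) follow the six signature bytes.
        info["archive_version"] = (data[off + 6], data[off + 7])
    return info


def run_targets(info: dict) -> list:
    """Programs the SFX launches after extraction (RunProgram, then ExecuteFile)."""
    cfg = info["config"]
    return [cfg[k] for k in ("RunProgram", "ExecuteFile") if k in cfg]


def suspicious_targets(info: dict) -> list:
    """Launch targets that name a script host instead of the advertised program."""
    return [t for t in run_targets(info)
            if any(h in t.lower() for h in SCRIPT_HOSTS)]


# Constructed sample: a fake PE stub, a config block and a minimal 7z header.
STUB = b"MZ" + b"\x90" * 30 + b"fake sfx stub\x00"
CONFIG = (CFG_START + b"\r\n"
          b'Title="KMSPico Setup"\r\n'
          b'RunProgram="KMSpico_setup.exe"\r\n'             # the advertised payload
          b'ExecuteFile="wscript.exe"\r\n'                  # plus a script host...
          b'ExecuteParameters="//B //Nologo upd.vbs"\r\n'  # ...run without any UI
          + CFG_END)
SAMPLE = STUB + CONFIG + SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 24

if __name__ == "__main__":
    found = parse_sfx(SAMPLE)
    print("7z archive at offset", found["archive_offset"],
          "version", found["archive_version"])
    print("config:", found["config"])
    print("suspicious launch targets:", suspicious_targets(found))
```

On a real file, `7z l suspicious.exe` lists the embedded archive and `7z x` extracts it without executing the stub, so the bundled KMS emulator and any extra files can be inspected on disk. The config block is what tells you whether the installer only drops the program it advertises or also hands control to a script interpreter.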
The malware is packed with CypherIT, a crypter that obfuscates the installer so that the security software installed on the machine does not detect it. It also launches a hidden script that checks for sandbox environments and AV emulation. Because Cryptbot's operation does not depend on unencrypted binaries sitting on disk, it can only be detected by monitoring malicious behaviour, such as the execution of PowerShell commands or external network communication.
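As an added example (it is not part of the article and is not Red Canary's own detection logic), here is the kind of behaviour-based check the previous paragraph points to, written in Python and run over a handful of constructed events in the shape of Sysmon event ID 1 (process create) and event ID 3 (network connection). It scopes to process trees rooted in the user's Temp directory, the place a 7-Zip self-extractor unpacks and runs its payload (the `7ZipSfx.000` folder name mirrors the one 7-Zip's installer SFX modules create; all other paths, PIDs, the encoded command and the IP addresses are invented), and raises an alert when such a tree spawns PowerShell or connects to a public IP address.

```python
import ipaddress

# Constructed sample telemetry in the shape of Sysmon event ID 1 (process
# create) and 3 (network connection). Paths, PIDs, the encoded command and
# the IP addresses are invented for this example.
EVENTS = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 4,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Users\u\Downloads\KMSPico_setup.exe",
     "CommandLine": "KMSPico_setup.exe"},
    # The self-extractor unpacked into the user's Temp dir and ran its payload.
    {"EventID": 1, "ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Users\u\AppData\Local\Temp\7ZipSfx.000\setup.exe",
     "CommandLine": "setup.exe"},
    {"EventID": 1, "ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AA=="},
    {"EventID": 3, "ProcessId": 400, "DestinationIp": "8.8.8.8",
     "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 300, "DestinationIp": "10.0.0.5",
     "DestinationPort": 445},
    # Benign control: an administrator opening PowerShell from the desktop.
    {"EventID": 1, "ProcessId": 500, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"
PS_IMAGES = ("powershell.exe", "pwsh.exe")
# Arguments that make a PowerShell launch from an installer worth a closer look.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-nop", "-w hidden",
                   "-windowstyle hidden", "bypass", "downloadstring", "iex")


def build_tree(events):
    """Map PID -> its process-create event (first one wins)."""
    procs = {}
    for e in events:
        if e["EventID"] == 1:
            procs.setdefault(e["ProcessId"], e)
    return procs


def descends_from_temp(pid, procs):
    """True if pid or any of its ancestors was launched from the Temp directory."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if TEMP_MARKER in procs[pid]["Image"].lower():
            return True
        pid = procs[pid]["ParentProcessId"]
    return False


def detect(events):
    """Return (rule, pid, detail) tuples for behaviours rooted in a Temp tree."""
    procs = build_tree(events)
    alerts = []
    for e in events:
        pid = e["ProcessId"]
        if not descends_from_temp(pid, procs):
            continue
        if e["EventID"] == 1 and e["Image"].lower().endswith(PS_IMAGES):
            cmd = e["CommandLine"].lower()
            flags = [a for a in SUSPICIOUS_ARGS if a in cmd]
            alerts.append(("powershell_from_installer", pid, flags))
        elif e["EventID"] == 3:
            ip = ipaddress.ip_address(e["DestinationIp"])
            if ip.is_global:  # skips RFC 1918, loopback, link-local, etc.
                alerts.append(("external_connection_from_installer", pid,
                               e["DestinationIp"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

The point of scoping to the process tree rather than to PowerShell alone is the benign control at the end: an administrator opening a console from Explorer produces no alert, while the same binary started from a tree that began in Temp does, and the same goes for the connection to a public address. A crypter such as CypherIT changes the bytes on disk, but not this parent-child relationship or the outbound connection.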
Hence it is not easy to detect, which makes this modified KMSPico all the more dangerous. More information | Red Canary