Cybersecurity provider Red Canary has warned in a recent blog post that a malicious KMSPico installer is doing the rounds on the internet. This malware-carrying fake installer is capable of stealing user information from various cryptocurrency wallets, among other things. The theft is carried out by an information stealer known as Cryptbot, which the installer drops alongside the activator.
Red Canary says that the Cryptbot delivered by this malware is capable of collecting information from the following applications:
Atomic cryptocurrency wallet
Avast Secure web browser
Brave browser
Ledger Live cryptocurrency wallet
Opera Web Browser
Waves Client and Exchange cryptocurrency applications
Coinomi cryptocurrency wallet
Google Chrome web browser
Jaxx Liberty cryptocurrency wallet
Electron Cash cryptocurrency wallet
Electrum cryptocurrency wallet
Exodus cryptocurrency wallet
Monero cryptocurrency wallet
MultiBitHD cryptocurrency wallet
Mozilla Firefox web browser
CCleaner web browser
Vivaldi web browser
While there are several browsers on this list, Microsoft's very own Edge isn't one of them, sort of validating its recent claim of being better than Chrome, at least in this instance.
KMSPico is an unofficial Windows and Office activator that is used to activate pirated copies of Windows or Office. The tool essentially allows for illicit Windows license circumvention by emulating Microsoft's Key Management Services (KMS) activation.
Red Canary also notes that it is not just individuals who use KMSPico to fraudulently activate Windows: the firm says it has also seen various IT departments using the tool, which makes a malicious KMSPico especially dangerous in such environments.
We’ve observed several IT departments using KMSPico instead of legitimate Microsoft licenses to activate systems.
It is also quite easy to fall for a malicious KMSPico, as many sites claim to be the official KMSPico creator, as shown in the image below:
The malicious installer also installs the genuine KMSPico itself, so a user of a compromised system may not suspect anything fishy until it is too late.
The adversaries install KMSPico also, because that is what the victim expects to happen, while simultaneously deploying Cryptbot behind the scenes.
You can find more technical details on the official blog post linked here.