A different BitRAT malware distribution effort is underway, targeting people who want to exploit unauthorized Microsoft license activators to activate unlicensed Windows OS versions for free. BitRAT is a potent remote access trojan that can be purchased for as little as $20 (lifetime access) on cybercrime forums and dark web markets. As a result, each buyer has their malware dissemination strategy, which may include phishing, trojanized software, or watering holes.
In a new BitRAT malware distribution operation identified by AhnLab researchers, threat actors deliver BitRAT malware as a Windows 10 Pro license activator on webhards. Based on some Korean characters in the code samples and how it was distributed, the actor behind the current BitRAT campaign looks Korean. To use Windows 10, you must first acquire and activate a Microsoft license. Even though there are ways to get Windows 10 for free, you must have a valid Windows 7 license. Those who don’t want to deal with licensing concerns or don’t have a license to update frequently resort to pirating Windows 10 and employing unapproved activators, many of which are infected with malware.
In this campaign, ‘W10DigitalActiviation.exe’ is the malicious file presented as a Windows 10 activator, and it has a basic GUI with a button to “Activate Windows 10.” Instead of activating the Windows license on the host machine, the “activator” will download malware from a threat actors’ hardcoded command and control server. The retrieved payload is BitRAT, installed as ‘Software_Reporter_Tool.exe’ in %TEMP% and appended to the Startup folder. The downloader also includes exclusions for Windows Defender to guarantee that BitRAT is not detected. When the malware installation process is finished, the downloader deletes itself from the system, leaving just BitRAT behind.
BitRAT is marketed as a robust, low-cost, and adaptable malware that can steal a lot of sensitive data from the host, launch DDoS attacks, and circumvent user authentication, among other things. BitRAT includes features such as keylogging, clipboard monitoring, camera access, audio recording, credential theft through web browsers, and XMRig currency mining. It also includes remote control for Windows devices, hidden virtual network computing (hVNC), and SOCKS4 and SOCKS5 reverse proxy (UDP). ASEC’s investigators discovered considerable code similarities between TinyNuke and its derivative, AveMaria (Warzone), on this front. The RATs’ hidden desktop capability is so significant that some hacking organizations, such as the Kimsuky, have included them in their arsenal only to use the hVNC tool.
Even though the legal and ethical elements are overlooked, using pirated software is always a security risk. The more methods used to activate illegally obtained versions of software or breach their intellectual property protection systems, the more likely a severe malware infection will result. Those who cannot buy a Windows license should consider other choices, such as accepting the limits of the free version, keeping an eye out for special deals from reputable platforms, or switching to Linux. Finally, users should avoid allowing license activators or any other unsigned executable created and distributed by unknown providers to operate on their systems.
