An information-stealing trojan that targets cryptocurrency wallets has been found bundled with the KMSPico activator used for pirated Microsoft Windows and Office.
The cybersecurity company Red Canary reports the emergence of a wave of the Cryptbot malware, which threatens the owners of cryptocurrency wallets. The infostealer reaches victims' devices through KMSPico, a program used to unlock all features of unlicensed Microsoft Windows and Office installations.
Cryptbot lands on the victim's device when the user downloads and runs the KMSPico cracker: the download link delivers the malware together with the activator. The infostealer harvests confidential user data, including data that grants access to cryptocurrency wallets: the Atomic, Ledger Live, Coinomi, Jaxx Liberty, Electron Cash, Electrum, Exodus, Monero and MultiBitHD wallets, and the Waves Client and Waves Exchange applications.
Cryptbot follows earlier malware such as Yellow Cockatoo and Jupyter. According to Red Canary, the criminals pack Cryptbot with CypherIT, a crypter built on the AutoIt scripting language (not a ransomware family), to hide its traces on victims' devices.
To detect the infostealer, the company recommends hunting for binaries that carry AutoIt metadata but do not have "AutoIt" in their filename, and for AutoIt processes that make external network connections. It also points to findstr commands of the form findstr /V /R "^…$" (inverted match with a regular expression anchored at both ends).
A further indicator is PowerShell or cmd.exe command lines that contain rd /s /q, timeout and del /f /q together, a combination typical of self-deleting clean-up scripts.
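The four detection opportunities above, expressed as rules and run over a handful of constructed process-creation events. This is an added example written for this page, not Red Canary's code; the event fields, file paths, binary names and the destination IP are all made up, and real telemetry (Sysmon event 1 and 3, or an EDR's process and network records) would need mapping onto the ProcessEvent fields.

```python
import ipaddress
import re
from dataclasses import dataclass, field


# A process-creation event as a telemetry pipeline might hand it to us.
# The field names are this example's own, not any vendor's schema.
@dataclass
class ProcessEvent:
    image: str                      # full path of the executing binary
    command_line: str
    file_description: str = ""      # PE version-resource strings, e.g. FileDescription
    product_name: str = ""          # and ProductName
    dest_ips: list = field(default_factory=list)  # destinations the process connected to


def _filename(ev: ProcessEvent) -> str:
    return ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _has_autoit_metadata(ev: ProcessEvent) -> bool:
    return "autoit" in (ev.file_description + " " + ev.product_name).lower()


# 1. An AutoIt interpreter whose on-disk name hides what it is.
def renamed_autoit(ev: ProcessEvent) -> bool:
    return _has_autoit_metadata(ev) and "autoit" not in _filename(ev)


# 2. An AutoIt process talking to a globally routable address.
def autoit_external_connection(ev: ProcessEvent) -> bool:
    return _has_autoit_metadata(ev) and any(
        ipaddress.ip_address(ip).is_global for ip in ev.dest_ips)


# 3. findstr invoked with /V (invert) and /R (regex) and an anchored "^...$" pattern.
_FINDSTR = re.compile(
    r'\bfindstr(?:\.exe)?\b(?=.*\s/V\b)(?=.*\s/R\b).*"\^[^"]*\$"', re.I)


def findstr_inverted_regex(ev: ProcessEvent) -> bool:
    return bool(_FINDSTR.search(ev.command_line))


# 4. rd /s /q, timeout and del /f /q appearing together in one command line.
_SELF_DELETE = (
    re.compile(r'\brd\s+/s\s+/q\b', re.I),
    re.compile(r'\btimeout\b', re.I),
    re.compile(r'\bdel\s+/f\s+/q\b', re.I),
)


def self_delete_chain(ev: ProcessEvent) -> bool:
    return all(p.search(ev.command_line) for p in _SELF_DELETE)


RULES = {
    "renamed_autoit": renamed_autoit,
    "autoit_external_connection": autoit_external_connection,
    "findstr_inverted_regex": findstr_inverted_regex,
    "self_delete_chain": self_delete_chain,
}


def run_detections(events):
    """Return a (rule_name, image) pair for every rule that fires on every event."""
    return [(name, ev.image)
            for ev in events
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (hypothetical paths, names and IP), not real data.
TMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # AutoIt interpreter renamed to upd.exe and connecting out: fires rules 1 and 2.
    ProcessEvent(image=TMP + r"\upd.exe", command_line='"upd.exe" script.a3x',
                 file_description="AutoIt v3 Script", product_name="AutoIt v3 Script",
                 dest_ips=["93.184.216.34"]),
    # Properly named interpreter talking only to a LAN host: fires nothing.
    ProcessEvent(image=r"C:\Program Files\AutoIt3\AutoIt3.exe", command_line="AutoIt3.exe x.au3",
                 file_description="AutoIt v3 Script", dest_ips=["192.168.1.20"]),
    # Inverted anchored-regex findstr: fires rule 3.
    ProcessEvent(image=r"C:\Windows\System32\cmd.exe",
                 command_line=r'cmd.exe /c findstr /V /R "^zzz$" ' + TMP + r"\blob.txt > " + TMP + r"\out.au3"),
    # Clean-up chain: fires rule 4.
    ProcessEvent(image=r"C:\Windows\System32\cmd.exe",
                 command_line='cmd.exe /c rd /s /q "' + TMP + '\\work" & timeout 3 & del /f /q "' + TMP + '\\upd.exe"'),
    # Only one of the three clean-up commands: fires nothing.
    ProcessEvent(image=r"C:\Windows\System32\cmd.exe",
                 command_line='cmd.exe /c del /f /q "' + TMP + '\\old.log"'),
]

if __name__ == "__main__":
    for rule, image in run_detections(SAMPLE_EVENTS):
        print(f"{rule:28} {image}")
```

The AutoIt rules key on the binary's version-resource strings rather than its name, which is exactly what the first detection opportunity relies on; rule 2 uses the `is_global` classification from the standard library so that RFC 1918, loopback and documentation ranges do not count as "external". Rule 4 deliberately requires all three commands in the same command line, matching the "together" in the recommendation, so an ordinary `del /f /q` on its own does not fire.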
In April, Kaspersky Lab specialists published a report on the Cring ransomware, whose operators exploit a vulnerability in older versions of Fortinet VPN gateways. In early March, the ProxyLogon vulnerability in Microsoft Exchange mail servers, which allows arbitrary code execution, was disclosed; attackers used it to spread the Black Kingdom ransomware. In 2020, researchers from Palo Alto Networks Unit 42 discovered PgMiner, a botnet that attacks PostgreSQL databases in order to mine the privacy-focused cryptocurrency Monero.