BitRAT malware now spreading as a Windows 10 license activator

March 23, 2022

On March 23, 2022, researchers at AhnLab uncovered a new BitRAT malware distribution campaign. In this scheme, threat actors are disguising BitRAT as a Windows 10 Pro license activator and distributing it through webhards—online storage services popular in South Korea. These platforms attract significant traffic via direct download links shared on social media and Discord, making them an appealing medium for malware distribution.

Indicators of a Korean Origin

The actor behind this campaign appears to be Korean, as evidenced by Korean characters in code snippets and the localized method of distribution. This aligns with the trend of threat actors leveraging webhards, which are widely used in the region, for malware delivery.

How the Campaign Targets Users

Exploiting Licensing Needs

To properly use Windows 10, users must activate a license with Microsoft. While free upgrade options exist for users with valid Windows 7 licenses, many turn to unofficial activators to bypass licensing issues. These pirated activators often contain malware, a tactic exploited by threat actors in this campaign.

Malicious Executable

The malicious file, named ‘W10DigitalActiviation.exe’, presents itself as a legitimate tool to activate Windows. It features a simple GUI with a button labeled “Activate Windows 10.”

Malware Delivery and Execution

Download and Installation

Instead of activating a Windows license, the fake activator downloads BitRAT malware from a hardcoded command-and-control (C2) server operated by the threat actors.

  • Payload Download: The malware is downloaded and saved in %TEMP% as ‘Software_Reporter_Tool.exe’.
  • Startup Persistence: The malware is added to the Startup folder to ensure it runs automatically upon system boot.

Avoiding Detection

The downloader takes additional steps to avoid detection:

  • Windows Defender Exclusions: The tool adds exclusions to Windows Defender, preventing BitRAT from being flagged as a threat.
  • Self-Deletion: After installing BitRAT, the downloader deletes itself, leaving no trace of its activity aside from the installed malware.

Implications and Mitigation

This campaign highlights the dangers of using pirated software and unofficial tools. Users seeking free activators expose themselves to severe risks, including malware infections like BitRAT.

To mitigate these risks:

  • Avoid Pirated Software: Always obtain software and licenses from legitimate sources.
  • Use Updated Security Solutions: Ensure antivirus software, like Windows Defender, is updated and properly configured.
  • Monitor Suspicious Behavior: Be cautious of software requiring administrative privileges or exclusions in antivirus settings.
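The evasion steps above (Defender exclusions, a Startup folder entry, a payload dropped in %TEMP%) and the monitoring advice in this list can be checked on a host directly. The following is an added example written for this page, not code from AhnLab's report; the payload file name and its %TEMP% location are taken from the report, and the rest is generic host inspection run from an elevated PowerShell session.

```powershell
# Added example (not from the AhnLab report): audit a Windows host for the
# artifacts this campaign leaves behind. Assumptions: the payload name and its
# %TEMP% location are as the report states; everything else is generic inspection.

$suspectName = 'Software_Reporter_Tool.exe'        # payload file name from the report
$findings    = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Defender exclusions: the downloader adds its own, so every entry deserves review.
$pref = Get-MpPreference
foreach ($p in $pref.ExclusionPath)      { Add-Finding 'Defender exclusion (path)'      $p }
foreach ($p in $pref.ExclusionProcess)   { Add-Finding 'Defender exclusion (process)'   $p }
foreach ($e in $pref.ExclusionExtension) { Add-Finding 'Defender exclusion (extension)' $e }

# 2. Startup folders (per-user and all-users): anything here runs at logon.
#    Shortcut targets are resolved so a renamed .lnk does not hide the binary.
$shell       = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    foreach ($item in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
        $leaf = if ($target) { Split-Path $target -Leaf } else { '' }
        $tag  = if ($leaf -ieq $suspectName) { 'MATCHES REPORT' } else { 'review' }
        Add-Finding "Startup entry ($tag)" "$($item.FullName) -> $target"
    }
}

# 3. The dropped payload in %TEMP%, with hash and signature status for triage.
$payload = Join-Path $env:TEMP $suspectName
if (Test-Path $payload) {
    $hash = (Get-FileHash -Path $payload -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $payload).Status
    Add-Finding 'Payload present in %TEMP%' "$payload sha256=$hash signature=$sig"
}

if ($findings.Count -eq 0) { 'No exclusions, startup entries or payload found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A clean workstation normally shows no Defender exclusions and few or no Startup entries, so any line in the output is worth explaining before it is dismissed.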

Conclusion

This BitRAT campaign demonstrates the sophistication of threat actors in exploiting regional habits and licensing loopholes. By leveraging webhards and mimicking legitimate tools, attackers maximize their reach while minimizing detection. Users must remain vigilant and prioritize safe practices when handling software downloads and licensing issues.