BitRAT malware now spreading as a Windows 10 license activator

In a new BitRAT malware distribution campaign discovered by researchers at AhnLab, threat actors are distributing the malware as a Windows 10 Pro license activator on webhards.
Webhards are online storage services popular in South Korea that have a steady influx of visitors from direct download links posted on social media platforms or Discord.
Due to their wide use in the region, threat actors are now more commonly using webhards to distribute malware.

The actor behind the new BitRAT campaign appears to be Korean, judging by the Korean characters found in the code snippets and the manner of its distribution.
To use Windows 10 legitimately, you need to purchase and activate a license with Microsoft.
While there are ways to get Windows 10 for free, you still need a valid Windows 7 license to qualify for the free upgrade.

Those who do not want to deal with licensing issues or do not have a license to upgrade commonly turn to pirating Windows 10 and using unofficial activators, many of which contain malware.

In this campaign, the malicious file promoted as a Windows 10 activator is named ‘W10DigitalActiviation.exe’ and features a simple GUI with a button to “Activate Windows 10.”
However, instead of activating the Windows license on the host system, the “activator” will download malware from a hardcoded command and control server operated by the threat actors.

The fetched payload is BitRAT, installed in %TEMP% as ‘Software_Reporter_Tool.exe’ and added to the Startup folder for persistence. The downloader also adds Windows Defender exclusions so that BitRAT is not flagged by the built-in antivirus.
Once the malware installation process is complete, the downloader deletes itself from the system, leaving behind only BitRAT.
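The article describes three artifacts that survive on an infected host: the payload in %TEMP%, a Startup-folder entry, and Defender exclusions (the downloader itself is gone). The following host-triage script is an added example written for this page, not code from AhnLab or from the campaign, and it looks for exactly those artifacts; the file names and paths come from the text above, and the legitimate Google Chrome component of the same name normally lives under the Chrome profile directory, not %TEMP%, which is why a copy in %TEMP% is treated as suspicious.

```powershell
# Added host-triage example (not from the AhnLab report): looks for the
# BitRAT activator artifacts described in the article and reports them.
$findings = @()

# 1. Dropped payload: BitRAT was installed in %TEMP% as Software_Reporter_Tool.exe.
$payload = Join-Path $env:TEMP 'Software_Reporter_Tool.exe'
if (Test-Path $payload) {
    $findings += "Payload present: $payload"
}

# 2. Persistence: any Startup-folder entry that points into %TEMP%.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = [string]$_.FullName
        if ($_.Extension -eq '.lnk') {
            # Resolve the shortcut so a .lnk pointing at %TEMP% is caught too.
            $shell  = New-Object -ComObject WScript.Shell
            $target = [string]$shell.CreateShortcut($_.FullName).TargetPath
        }
        if ($target.StartsWith($env:TEMP, [StringComparison]::OrdinalIgnoreCase) -or
            $_.Name -ieq 'Software_Reporter_Tool.exe') {
            $findings += "Startup persistence: $($_.FullName) -> $target"
        }
    }
}

# 3. Defense evasion: Defender exclusions covering %TEMP% or the payload.
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs) {
    foreach ($ex in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
        if ($ex -and ($ex -like '*\Temp*' -or $ex -ieq $payload -or
                      $ex -like '*Software_Reporter_Tool*')) {
            $findings += "Defender exclusion: $ex"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No BitRAT activator artifacts found.'
} else {
    Write-Warning 'Possible BitRAT activator infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell session so that Get-MpPreference and the all-users Startup folder are readable; a hit on any of the three checks warrants pulling the file for analysis rather than simply deleting it.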
