Software pirates looking for a free copy of Microsoft Windows have run into malware-tainted “activation tools” that clean out their crypto wallets.
Security firm Red Canary, as relayed by PC World, traced the infections to a fake KMSPico installer. KMSPico is a tool pirates use to activate unlicensed copies of Microsoft Windows and Office without owning a license or product key of any sort, so that the copies behave as though they were legitimately activated.
The unwritten rule around this activation tool is to disable one’s antivirus first, because security products usually block KMSPico, flagging it as a Potentially Unwanted Program (PUP). With the antivirus switched off, the Cryptbot payload bundled in the fake installer is free to run unhindered.
Once it runs, Cryptbot scans the system for credentials and other sensitive data, including cryptocurrency wallets. The list of targeted applications is long: wallet software such as Electrum, Monero, Exodus, and Ledger Live, as well as browsers including Chrome, Firefox, Brave, and Opera.
KMSPico works by abusing Windows Key Management Service (KMS), Microsoft’s legitimate technology for activating products in bulk under a volume license. That legitimate-looking mechanism is part of why some IT departments with properly licensed systems have run the tool anyway and inadvertently infected their machines with Cryptbot.
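For defenders who want to know whether a machine was activated through a local emulator rather than a legitimate KMS host, the following PowerShell check is an added example; it is not from the article or from Red Canary. The approved host name kms.corp.example.com is a hypothetical stand-in for the organisation’s real KMS server, and treating a loopback address as suspicious is an assumption based on an emulator having to answer activation requests from the same machine:

```powershell
# Added example, not from the article or Red Canary: audit this host's Windows
# and Office activation channel for signs of a local KMS emulator.
# Assumption (hypothetical): kms.corp.example.com stands in for the organisation's
# real KMS host. Assumption: a KMS host on a loopback address is suspicious,
# because an emulator running on the same machine has to answer locally.
$ApprovedKmsHosts = @('kms.corp.example.com')

function Get-KmsActivationFindings {
    # Only products with an installed key matter; the Description field names
    # the licensing channel, e.g. "... VOLUME_KMSCLIENT channel". Retail and
    # MAK-licensed products are filtered out because they never talk to KMS.
    $products = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Description -match 'KMSCLIENT' }

    foreach ($p in $products) {
        # The configured host (set via slmgr /skms or the registry) and the host
        # last discovered through DNS or a previous activation.
        $candidates = @(
            $p.KeyManagementServiceMachine
            $p.DiscoveredKeyManagementServiceMachineName
            $p.DiscoveredKeyManagementServiceMachineIpAddress
        ) | Where-Object { $_ }

        $loopback = @($candidates | Where-Object { $_ -match '^(127\.|::1$|localhost$)' })
        $approved = @($candidates | Where-Object { $ApprovedKmsHosts -contains $_ })

        [pscustomobject]@{
            Product       = $p.Name
            LicenseStatus = $p.LicenseStatus       # 1 = Licensed
            KmsHosts      = ($candidates -join ', ')
            Suspicious    = ($loopback.Count -gt 0) -or ($approved.Count -eq 0)
        }
    }
}

Get-KmsActivationFindings | Format-Table -AutoSize
```

Run it on the Windows host under review. A KMS client that is Licensed but points at a loopback address, or at no host on the approved list, is worth a closer look; a machine that has simply never reached a KMS server will also show Suspicious because nothing matched the approved list, so read the KmsHosts column rather than the flag alone.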
Because crypto offers lucrative rewards to whoever holds it, it has unfortunately become a favourite target of malware over the years. Schemes range from cryptomining malware that ties up system resources to fraudulent crypto apps that try to steal users’ private keys.
The malware-laced KMSPico installer is a cautionary tale for anyone tempted to take a shortcut to a Windows product instead of paying for an official license: it can end horribly.