CryptBot within KMSPico Trojan

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 10:31, 14 September 2023 by Azoundria (talk | contribs) (Another 30 minutes complete. Additional sources merged in. Prevention completed. Information moved around.)

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

CryptBot Logo/Source Code

CryptBot malware is commonly downloaded alongside pirated software, such as Windows license-circumvention tools. Once run, the malware harvests data from multiple programs, including common cryptocurrency wallets, and reports it to its operators. While multiple victims have lost funds, it is unclear how much was lost in total. No funds appear to have been recovered.

[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]

About KMSPico

"KMSPico is a tool used to activate the full features of Microsoft Windows and Office products without actually owning a license key. It takes advantage of Windows Key Management Services (KMS), a legitimate technology introduced to license Microsoft products in bulk across enterprise networks. Under normal circumstances, enterprises using legitimate KMS licensing install a KMS server in a central location and use Group Policy Objects (GPO) to configure clients to communicate with it. KMSPico, on the other hand, emulates a KMS server locally on the affected system to fraudulently activate the endpoint’s license."

"Since the KMSPico installer leverages Windows Key Management Services (KMS)—a legitimate technology used for bulk licensing across enterprise networks—some IT departments that actually had legitimate licenses reportedly used the illicit tool to activate their systems, inadvertently corrupting their systems with Cryptbot."

"Even when KMSPico isn’t tainted with malware, it’s not legitimate software either. In the best cases when someone gets the real installer, it’s only used for license circumvention. Since multiple antimalware vendors detect license circumvention software as a potentially unwanted program (PUP), KMSPico is often distributed with disclaimers and instructions to disable antimalware products before installing. Alongside the difficulty in finding a clean download, the disabling instructions prepare unwitting victims to receive malware."

About CryptBot

CryptBot is being distributed through websites disguised as software download pages[19]. These websites often appear in search engine results when users search for cracks and serials of popular commercial software, leading to many unwittingly downloading and running the software[19].

"Cryptbot combines complex evasion techniques and a rather simple social-engineering based distribution strategy to produce an interesting method of attack that manages to stay relatively hidden."

"CryptBot is distributed through websites [providing] software download pages. [T]here are multiple websites created and many of them appear on the top page when keywords such as cracks and serials of popular commercial software are entered in search engines[.]"

"Over its year of activity, it has been [provided with] an installer of a free VPN application and as an installer of legitimate commercial software. Delivered either by itself or bundled with other applications. For example, users looking for cracked versions of PhantomPDF editor, Adobe Illustrator or Malwarebytes AV have found themselves installing [CryptBot] instead of their preferred programs. The sample we’ve encountered claimed to be an installer for the Glary Utilities suite that consists of several utilities for Windows optimization and cleanup."

The Reality

CryptBot is a "typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2." "In this latest campaign, Cryptbot is delivered as a Trojan malware. Consistent with the ancient trojan horse, the info-stealer hides within legitimate software in order to be installed by its victims."

"Cryptbot, an infostealer that takes victims’ cryptocurrency wallet and account credentials, was the most prolific malware family in the group, raking in almost half a million dollars in pilfered Bitcoin. Another prolific family is QuilClipper, a clipboard stealer or “clipper,” ranked eighth on the graph above. Clippers can be used to insert new text into the “clipboard” that holds text a user has copied, usually with the intent to paste elsewhere. Clippers typically use this functionality to detect when a user has copied a cryptocurrency address to which they intend to send funds — the clipper malware effectively hijacks the transaction by then substituting an address controlled by the hacker for the one copied by the user, thereby tricking the user into sending cryptocurrency to the hacker."

"Cryptbot is capable of collecting sensitive information from Atomic cryptocurrency wallet, Avast Secure web browser, Brave browser, Ledger Live cryptocurrency wallet, Opera Web Browser, Waves Client and Exchange cryptocurrency applications, Coinomi cryptocurrency wallet, Google Chrome web browser, Jaxx Liberty cryptocurrency wallet, Electron Cash cryptocurrency wallet, Electrum cryptocurrency wallet, Exodus cryptocurrency wallet, Monero cryptocurrency wallet, MultiBitHD cryptocurrency wallet, Mozilla Firefox web browser, CCleaner web browser, and Vivaldi web browser."

In another attack, a "cyberthreat actor created a web site that promotes a fake VPN program that installs the Vidar and CryptBot password-stealing trojans." "When the trojans are downloaded, they will be executed and begin to collect various information from the computer that will be uploaded to the attacker. This information includes saved browser credentials, cookies, screenshot of the desktop, text files, cryptocurrency wallets, and much more."

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - CryptBot within KMSPico Trojan
Date | Event | Description
August 8th, 2021 7:15:22 PM MDT | Malware.news Update Provided | Malware.news reports on the CryptBot malware[19].
December 7th, 2021 3:48:23 AM MST | Tom's Hardware Article | Tom's Hardware provides a news article discussing hackers using the Cryptbot malware and hiding it within a popular utility called KMSPico, which is used to activate Microsoft Windows and Office products without a legitimate license key. The malware is designed to steal sensitive information, particularly from cryptocurrency-related software and web browsers, making crypto enthusiasts prime targets. Red Canary recommends avoiding downloading KMSPico to protect against this threat[20].
December 9th, 2021 2:06:16 AM MST | D1SoftBallNews Article | D1SoftBallNews provides a report about the CryptBot malware being hidden in the popular KMSPico utility[18].

Technical Details

The CryptBot malware uses SFX (self-extracting archive) packing, making it challenging to distinguish between normal and malicious files, and its code changes frequently[19].

When executed, CryptBot creates various folders and files with different names in the %temp% path and runs a BAT script. This script changes periodically, allowing attackers to modify it easily[19]. The script copies an AutoIt executable and script, decrypts an encrypted CryptBot binary, and runs it[19].

The CryptBot binary scans for directories of certain anti-malware products, delays execution to bypass detection, and self-deletes if it detects duplicate execution or an already infected system[19]. It collects a wide range of user information, including browser data, saved passwords, cryptocurrency wallet information, and system details[19]. This data is compressed, password-protected, and sent to a command-and-control (C2) server. The malware may also download additional malware, such as ClipBanker types[19].
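As an added illustration (not code from the page, from AhnLab or from any other vendor cited here), the staging chain just described, a batch script in %temp% launching a copied AutoIt interpreter and script, expressed as a detection heuristic run over constructed Sysmon-style process-creation events; the folder and file names, the renamed Updater.exe interpreter and the event field names are assumptions. It also shows why a legitimately installed AutoIt does not fire, the caveat a detection engineer would want.

```python
"""Heuristic for the staging chain above (.bat in %temp% launching a copied AutoIt
interpreter plus .au3 script) over constructed Sysmon-style process events."""
from pathlib import PureWindowsPath

# Temp locations to key on; the loader's own folder names vary per sample.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")

def in_temp(text: str) -> bool:
    """True when a path, or a command line containing one, is under a temp dir."""
    return any(marker in _norm(text) for marker in TEMP_MARKERS)

def runs_temp_batch(image: str, cmdline: str) -> bool:
    """cmd.exe executing a .bat that lives in a temp directory."""
    c = _norm(cmdline)
    return PureWindowsPath(image).name.lower() == "cmd.exe" and ".bat" in c and in_temp(c)

def autoit_from_temp(image: str, cmdline: str) -> bool:
    """Interpreter staged in temp: match the AutoIt binary name or (assumption:
    the copied binary is often renamed) an .au3 script argument on the command line."""
    name = PureWindowsPath(image).name.lower()
    return in_temp(image) and (name.startswith("autoit") or ".au3" in _norm(cmdline))

def flag_event(ev: dict) -> list:
    """Reasons a process-creation event matches the loader chain (empty = clean)."""
    reasons = []
    if runs_temp_batch(ev["Image"], ev.get("CommandLine", "")):
        reasons.append("batch script executed from a temp directory")
    if runs_temp_batch(ev.get("ParentImage", ""), ev.get("ParentCommandLine", "")):
        reasons.append("spawned by a batch script staged in a temp directory")
    if autoit_from_temp(ev["Image"], ev.get("CommandLine", "")):
        reasons.append("AutoIt interpreter running from a temp directory")
    return reasons

def scan(events: list) -> list:
    """(ProcessId, reasons) for every event that fires at least one rule."""
    return [(ev["ProcessId"], r) for ev in events for r in [flag_event(ev)] if r]

T = "C:\\Users\\bob\\AppData\\Local\\Temp\\sfx_stage\\"  # constructed staging folder
EVENTS = [  # constructed sample telemetry, not real indicators
    {"ProcessId": 4120, "Image": T + "setup.exe", "CommandLine": f'"{T}setup.exe"',
     "ParentImage": "C:\\Users\\bob\\Downloads\\KMSPico_setup.exe",
     "ParentCommandLine": '"C:\\Users\\bob\\Downloads\\KMSPico_setup.exe"'},
    {"ProcessId": 4136, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": f'cmd.exe /c "{T}run.bat"',
     "ParentImage": T + "setup.exe", "ParentCommandLine": f'"{T}setup.exe"'},
    {"ProcessId": 4152, "Image": T + "Updater.exe",
     "CommandLine": f'"{T}Updater.exe" "{T}Updater.au3"',
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": f'cmd.exe /c "{T}run.bat"'},
    {"ProcessId": 5200, "Image": "C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe",  # legit use
     "CommandLine": '"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe" C:\\Tools\\build.au3',
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for pid, why in scan(EVENTS):
        print(pid, "->", "; ".join(why))
```

The SFX stub itself (first event) is deliberately not flagged on its own, matching the text's point that the packing looks like an ordinary installer; the batch and AutoIt stages are what give the chain away.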

Users need to exercise caution as this malware can lead to the leakage of confidential information, potentially resulting in secondary damages. AhnLab's V3 anti-malware software detects and blocks this malware using various aliases[19].

Indicators of Compromise (IOCs) associated with CryptBot include C2 URLs and file hashes[19].


Hackers have hidden the Cryptbot malware in a modified version of a popular piracy tool called KMSPico. KMSPico is often used to activate Microsoft Windows and Office products without a valid license key. Security tools typically block KMSPico, so users are often instructed to disable these protections, leaving their systems vulnerable to malware[18].

Cryptbot is designed to steal credentials and sensitive information from affected systems, with a particular focus on cryptocurrency-related software such as wallets for various cryptocurrencies. Some of the targeted wallet software includes Atomic, Ledger Live, Waves Client, Coinomi, Jaxx Liberty, Electron Cash, Electrum, Exodus, Monero, and MultiBitHD. Additionally, Cryptbot attempts to steal data from web browsers like Google Chrome, Mozilla Firefox, Opera, Brave, and Vivaldi, as well as the system management tool CCleaner.[18]

To protect against this threat, it is advisable not to download KMSPico or other similar piracy tools in the first place[18]. Instead, users should opt for legitimate and supported activation methods to avoid potential malware infections[18].


Software can be expensive, leading some individuals to resort to pirating applications instead of purchasing legitimate licenses[20]. However, this practice can lead to various problems. Recently, Red Canary reported that a group of hackers distributed a modified version of a popular piracy tool on the internet to infect systems with the Cryptbot malware[20].

The tool in question is called KMSPico, which, according to Red Canary, is used to "activate all the features of Microsoft Windows and Office products without actually owning a license key." Security tools usually block KMSPico, and instructions are often provided to disable these protections, leaving systems vulnerable to malware[20].

This brings us to Cryptbot[20]. Red Canary stated that Cryptbot "harms organizations by stealing credentials and other sensitive information from affected systems." The company mentioned that much of this private data is taken from cryptocurrency-related software, including wallets like Atomic, Ledger Live, Waves Client And Exchange, Coinomi, Jaxx Liberty, Electron Cash, Electrum, Exodus, Monero, and MultiBitHD[20].

Red Canary also mentioned that Cryptbot attempts to steal information from web browsers such as Google Chrome, Mozilla Firefox, Opera, Brave, and Vivaldi, as well as the system management tool CCleaner[20]. The extensive list of wallet software targeted by Cryptbot suggests that crypto enthusiasts are high-value targets[20].

Total Amount Lost

The total amount lost is unknown.

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

The majority of CryptBot installations happen due to downloading pirated software, and it's commonly detected by most anti-malware software. For the highest security, always store funds offline when not in use, and test any new wallet or environment with a small amount of funds prior to any large transfer or wallet setup.

It's essential for users to be vigilant and avoid downloading software cracks and serials from suspicious websites to protect against such threats. "Most pirated software available with their installers, keygens and cracks are binary files that are veritable “black boxes” for the majority of users. Thus, when installing pirated software, we never know what hides behind the executable."

Any time untrusted software is run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, meaning an environment in which you understand every piece of software running there. Using a hardware wallet, a spare computer with all software wiped, and/or a virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify that downloaded files come from the correct and expected source and match the published hashes if provided. Any time you encounter a new file, always check whether it can contain executable code prior to using it.

Most cryptocurrency users should be storing their funds offline whenever possible. There's no reason to have a large amount of funds on an online wallet for any extended period of time. Using a separate computer or device for cryptocurrency transactions is a good idea.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The primary issue is user education. Users need to know that storing funds online is a poor idea, and be educated on how to protect their computers against malware. In the event of a breach, having an industry insurance fund provides the best chance of any relief or assistance, since most commercial insurance policies wouldn't even touch this situation.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

The primary issue is user education. Users need to know that storing funds online is a poor idea, and be educated on how to protect their computers against malware. In the event of a breach, having an industry insurance fund provides the best chance of any relief or assistance, since most commercial insurance policies wouldn't even touch this situation.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Fake KPSPico Windows activator tool KPSPico steals crypto wallet data (Jan 26, 2022)
  2. Meet the Malware Families Helping Hackers Steal and Mine Millions in Cryptocurrency - Chainalysis (Jan 29, 2022)
  3. CryptBot (Malware Family) (Jan 30, 2022)
  4. 40,000 CryptBot Downloads per Day | G DATA (Jan 30, 2022)
  5. Fake VPN Site Pushes CryptBot and Vidar Info-Stealing Trojans (Jan 30, 2022)
  6. KMSPico and Cryptbot: A spicy combo - Red Canary (Jan 30, 2022)
  7. https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf (Jan 30, 2022)
  8. Cryptbot: How Free becomes a High Price to Pay (Jan 30, 2022)
  9. CryptBot Trojan - Malware removal instructions (updated) (Jan 30, 2022)
  10. Hackers Are Disguising Cryptbot Malware as a Windows Activator | Tom's Hardware (Jan 30, 2022)
  11. MalwareBazaar | Browse malware samples (Jan 30, 2022)
  12. Spyware.CryptBot — How To Fix Guide (Jan 30, 2022)
  13. Data Stealing Cryptbot Malware Sneaks Onto Machines As Fake Windows Activator Tool | HotHardware (Jan 30, 2022)
  14. Windows Software Pirates Are Losing Their Bitcoin to Cryptbot Malware - Decrypt (Jan 30, 2022)
  15. @redcanary Twitter (Jan 30, 2022)
  16. Cryptbot Stealer Removal Report (Jan 30, 2022)
  17. Cyber threat alert: Pay for Windows or face the wrath of Cryptbot malware | Windows Central (Jan 30, 2022)
  18. Hackers hide Cryptbot malware in a popular utility - D1SoftballNews.com Archive December 9th, 2021 2:06:16 AM MST (Jan 30, 2022)
  19. CryptBot Infostealer Constantly Changing and Being Distributed - Malware Analysis - Malware Analysis, News and Indicators (Jan 30, 2022)
  20. Hacker nascondono il malware Cryptbot in una popolare utility - TomsHW.it (Sep 14, 2023)
