BitRAT malware is now spreading as a license activator for the Windows 10 operating system


Researchers at AhnLab have reported that the BitRAT malware is being distributed disguised as a Windows 10 license activation tool. The malicious application, apparently of North Korean origin, effectively hands the infected machine over to the attackers.

The malicious application is distributed in a password-protected compressed file, Program.zip (password 1234). Inside is an alleged Windows 10 license verification tool named W10DigitalActivation.exe.

The principle of attack

W10DigitalActivation.exe is a self-extracting archive created with 7-Zip. It contains a genuine activation tool, W10DigitalActivation.msi, alongside the malware in a file named W10DigitalActivation_Temp.msi. Running the executable installs both at the same time.

Because the malware and the activation tool run simultaneously, the user sees the expected program working and suspects nothing. Meanwhile, the malicious component downloads additional malware in the background and connects to the command-and-control server, from which the attackers can send commands, such as links to further downloads.

The dropper then installs the malware so that it starts automatically with the system, and deletes itself. In this campaign BitRAT is installed in the folder given by the %TEMP% environment variable, under the file name Software_Reporter_Tool.exe. That name imitates the legitimate Software Reporter Tool shipped with Google Chrome, which lives under the Chrome profile directory, so the location in %TEMP% rather than the file name is the telling indicator.

Computer control

It must be noted that the malicious program is relatively well developed. For example, it adds the folder containing its autostart files to the Windows Defender exclusion list, which effectively prevents detection by the built-in antivirus.
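The three host-side traces the article describes (a payload named Software_Reporter_Tool.exe under %TEMP%, an autostart entry pointing into that folder, and a Windows Defender exclusion covering a user-writable location) can be checked on a suspect machine with the following triage script. It is an added example, not code from AhnLab or the article: the indicator names and paths are the ones given above, while the script structure, the choice of Run keys and Startup folder as autostart locations, and the list of user-writable roots treated as suspicious exclusions are this example's own assumptions. Only built-in cmdlets are used (Get-ChildItem, Get-ItemProperty, Get-MpPreference).

```powershell
# Added triage script for the BitRAT dropper traces described in the article.
# Not from the AhnLab report; indicator names are the article's, everything else is assumed here.

$findings = @()

# 1. Dropped payload: BitRAT lands in %TEMP% as Software_Reporter_Tool.exe.
#    Chrome's genuine tool of the same name lives under the Chrome profile, not %TEMP%,
#    so a hit under %TEMP% is the suspicious case.
Get-ChildItem -Path $env:TEMP -Filter 'Software_Reporter_Tool.exe' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{ Check = 'Payload in %TEMP%'; Detail = $_.FullName }
    }

# 2. Persistence: Run-key values that resolve into %TEMP% or name the payload,
#    plus anything in the per-user Startup folder (listed for review).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath provider metadata
        $value = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($value -like "*$env:TEMP*" -or $value -like '*Software_Reporter_Tool.exe*') {
            $findings += [pscustomobject]@{ Check = "Run key $key"; Detail = "$($p.Name) = $value" }
        }
    }
}
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Check = 'Startup folder item (review)'; Detail = $_.FullName }
}

# 3. Defender tampering: the dropper excludes its autostart folder from scanning.
#    Any path or process exclusion under a user-writable root is worth a look.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $startup)
    foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if (-not $ex) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($ex)
        foreach ($root in $userWritable) {
            if ($root -and $expanded -like "$root*") {
                $findings += [pscustomobject]@{ Check = 'Defender exclusion'; Detail = $ex }
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it in a normal PowerShell session on the host under investigation; reading the Run keys and Defender preferences does not require elevation. A Startup-folder listing is included for review rather than as a hard indicator, since legitimate software also places shortcuts there, whereas a Defender exclusion covering %TEMP% or a Run value launching an executable from %TEMP% has no common benign explanation.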

Because BitRAT is a remote access trojan (RAT), the attacker gains control of the infected device. Beyond basic functions such as managing tasks, processes, services and files and running remote commands, BitRAT offers information theft, remote desktop access, cryptocurrency mining and use of the device as a proxy server.

Analysts believe that the malware's authors come from North Korea. They base this on two clues: the malware is distributed via WebHard, the most widely used file-sharing platform in Korea, and its code contains Korean characters.
