Tuesday, June 25, 2024

Beware of Fake KMSPico Activators that Deliver Vidar Stealer Malware

Researchers detected an attack involving a fake KMSPico activator tool, which delivered Vidar Stealer through several events.

The attack leveraged Java dependencies and a malicious AutoIt script to disable Windows Defender and decrypt the Vidar payload via the shellcode.

The user performed a web search for KMSPico and browsed to the top result (kmspico[.]ws), which is marketed as a “universal activator” for Windows but appears to no longer be maintained.

The site is hosted behind Cloudflare Turnstile and requires human input to download the final Zip package, a tactic to hide the page and final payload from automated web crawlers.

fake KMSPico activator
fake KMSPico activator

The Malicious Package

The ZIP archive contains Java dependencies and the malicious executable Setuper_KMS-ACTIV.exe.

Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN Start your Analysis

Upon launching the executable, javaw.exe starts, disabling behavior monitoring in Windows Defender and dropping the malicious AutoIt script named “x” along with AutoIt named Flour.pif.

AutoIt named Flour.pif.
AutoIt named Flour.pif.

The AutoIt script contains the encrypted Vidar payload that will be injected into the current running AutoIt process.

The shellcode is responsible for decrypting the Vidar payload using the RC4 decryption algorithm, which is obfuscated by a hardcoded key in the malicious AutoIt script.

malicious AutoIt script.
malicious AutoIt script.

The Command and Control Infrastructure

Vidar Stealer uses Telegram for the Dead Drop Resolver (DDR) to store the C2 IP address.

Dead Drop Resolver (DDR) to store the C2 IP address
Dead Drop Resolver (DDR) to store the C2 IP address

Threat actors use a dead drop resolver to host command and control (C2) information on legitimate external web services. They embed and often obfuscate domains or IP addresses within content posted on sites and popular applications such as Telegram and Stealer, thus concealing the C2 infrastructure.

The Response

eSentire’s 24/7 SOC Cyber Analysts team isolated the affected host and notified the customer of suspicious activities, providing additional support and remediation.

This incident reminds us that malware-laden applications, particularly greyware piracy tools, are hidden in plain sight among web search results. It stresses the importance of user awareness to guard against such threats.

Using a fake KMSpico activator tool as a malware delivery vector highlights the importance of avoiding illegal software activators and ensuring that all software is obtained from legitimate sources.

The attack, which leveraged Java dependencies and a malicious AutoIt script to disable Windows Defender, underscores the necessity of maintaining up-to-date security software and implementing additional layers of defense to detect and prevent such malicious activities.


eSentire’s Threat Response Unit (TRU) recommends implementing the following controls to help secure your organization against Vidar Stealer malware:

  1. Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
  2. Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees on emerging threats in the threat landscape.
  3. Encourage employees to use password managers instead of web browsers’ password storage features. Use master passwords where applicable.

Organizations can better protect themselves against the ever-evolving threat landscape by staying vigilant and following these recommendations.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 


Latest articles

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles