Tuesday, November 5, 2024
HomeCyber Security NewsBitRAT Disguised as Windows 10 License Verification Tool to Compromise PC

BitRAT Disguised as Windows 10 License Verification Tool to Compromise PC

Published on

Malware protection

BitRAT is one of the best Remote Access Trojan (RAT) available for sale in a hacking forum since 2020. Attackers rely on this RAT mostly because of its salient features like running process tasks, file tasks, and remote commands along with info-stealing features, HVNC.

Remote Desktop, coin mining, and proxies. It is natively coded in C and is very much compatible with affecting Windows.

Researchers at ASEC recently found BitRAT distributed via Webhard. Webhard is a file-sharing platform that largely contains illegal items. It is a very simple technology than peer-to-peer or other sharing protocols like BitTorrent. It is mostly used by Korean threat actors.
Image

- Advertisement - SIEM as a Service

Ever since the usage of Windows, illegal activation of windows without proper license files has been done through various methods. One of the methods was using an activator file that converts a trial version of windows into a licensed one through various methods.

The recently found BitRAT was disguised as an activator file for windows. It is typically a Windows 10 License Verification File with the name “W10DigitalActivation.exe”.

This is delivered by a compressed file named “Program.zip”. Threat actors post on public websites which tell the user to click on a link for “Windows License Verification Tool” which is the “Program.zip” file. This zip archive contains the “W10DigitalActivation.exe” file along with a few other files.

Image

The “Program.zip” file is locked with a password “1234”.Image

The “W10DigitalActivation.exe” file consists of two .msi files “W10DigitalActivation.msi” and “W10DigitalActivation_Temp.msi”. When the user double clicks on the activation file, One of them does the actual verification (W10DigitalActivation.msi) while the other downloads malware into the system.
Image

Once the malware downloader runs, it connects with its C&C servers which provide the download URL for the additional payload.
Image

The “W10DigitalActivation_Temp.msi” installs the malware in the Windows Startup Program Folder and deletes itself. The second downloader installs BitRAT in the %TEMP% folder as “Software_Reporter_Tool.exe”.
Image

Another feature of this malware is that it excluded the “Software_Reporter_Tool.exe” file from Windows Defender with Powershell Command.
ImageASEC has published a complete report on this malware and its analysis.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...