Friday, March 29, 2024

BitRAT Disguised as Windows 10 License Verification Tool to Compromise PC

BitRAT is one of the best Remote Access Trojan (RAT) available for sale in a hacking forum since 2020. Attackers rely on this RAT mostly because of its salient features like running process tasks, file tasks, and remote commands along with info-stealing features, HVNC.

Remote Desktop, coin mining, and proxies. It is natively coded in C and is very much compatible with affecting Windows.

Researchers at ASEC recently found BitRAT distributed via Webhard. Webhard is a file-sharing platform that largely contains illegal items. It is a very simple technology than peer-to-peer or other sharing protocols like BitTorrent. It is mostly used by Korean threat actors.
Image

Ever since the usage of Windows, illegal activation of windows without proper license files has been done through various methods. One of the methods was using an activator file that converts a trial version of windows into a licensed one through various methods.

The recently found BitRAT was disguised as an activator file for windows. It is typically a Windows 10 License Verification File with the name “W10DigitalActivation.exe”.

This is delivered by a compressed file named “Program.zip”. Threat actors post on public websites which tell the user to click on a link for “Windows License Verification Tool” which is the “Program.zip” file. This zip archive contains the “W10DigitalActivation.exe” file along with a few other files.

Image

The “Program.zip” file is locked with a password “1234”.Image

The “W10DigitalActivation.exe” file consists of two .msi files “W10DigitalActivation.msi” and “W10DigitalActivation_Temp.msi”. When the user double clicks on the activation file, One of them does the actual verification (W10DigitalActivation.msi) while the other downloads malware into the system.
Image

Once the malware downloader runs, it connects with its C&C servers which provide the download URL for the additional payload.
Image

The “W10DigitalActivation_Temp.msi” installs the malware in the Windows Startup Program Folder and deletes itself. The second downloader installs BitRAT in the %TEMP% folder as “Software_Reporter_Tool.exe”.
Image

Another feature of this malware is that it excluded the “Software_Reporter_Tool.exe” file from Windows Defender with Powershell Command.
ImageASEC has published a complete report on this malware and its analysis.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles