The use of illegal software has been under circulation ever since there have been torrents and cracked software. Recent reports show that threat actors have been relying on cracked software to deploy HotRat malware into victims’ systems.
HotRat malware is capable of stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, and installing additional malware. Hackers used an AutoHotKey script to trigger the HotRat malware in the affected systems.
Threat actors hijacked software cracks available on the internet and turned them into an AutoHotKey script that displays the same icon as the cracked software.
Once the crack is installed on the system, the script triggers the original software installation initially to provide the illusion of the targeted software.
Simultaneously, the script also executes a PowerShell script “powerpoint.xml” that disables the consent admin that allows all the operations to be performed without the admin’s consent.
It also uninstalls Avira AV and Windows Defender alert settings.
In addition to this, a VBS Loader is executed every two minutes for maintaining the persistence of the malware. This is achieved by creating a Task Scheduler on the victim system. This scheduled task gradually injects the HotRat payload after deactivating the AVs.
C2 Servers
DNS Records
List of Software that were misused by attackers
A Complete report about the initial installation, deployment, and execution has been published on Avast.
Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…
Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…
In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…
Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…
In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…
A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…