Operators of the BitRAT malware have been targeting users who try to activate pirated copies of Windows for free with unofficial Microsoft license activators.
BitRAT is a remote access Trojan (RAT) that is sold on cybercrime forums and darknet markets to anyone for as little as $20 (lifetime access).
According to researchers from AhnLab, attackers distribute BitRAT malware under the guise of a Windows 10 Pro license activator on so-called webhard services.
Webhard is an online file storage service popular in South Korea that draws a steady stream of visitors through direct download links posted on social networks and Discord. Because such services are so popular in the region, attackers increasingly use them to distribute malware.
Experts suggest that the attackers who organized the new BitRAT campaign are Koreans. The assumption is based on some Korean characters in the code and the way it is distributed.
In this campaign, the malicious file offered as a Windows 10 activator is called W10DigitalActiviation.exe and has a simple graphical interface with an “Activate Windows 10” button. Instead of activating a license, however, the program downloads malware from the attackers’ command-and-control server.
The payload is BitRAT, dropped into %TEMP% as “Software_Reporter_Tool.exe” and added to the startup folder. The loader also adds Windows Defender exclusions so that the malware is not detected. Once installation is complete, the loader deletes itself from the system, leaving only BitRAT behind.
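The three persistence traits described above (a Defender exclusion, a startup-folder entry, and a payload dropped into %TEMP%) are what a responder would look for on a suspect machine. The following PowerShell triage script is an added example, not code from the article or from AhnLab; the file name is the one reported for this campaign, while the priority heuristic (anything pointing into %TEMP%) is an assumption for illustration.

```powershell
# Added triage script: collects Defender exclusions, startup-folder entries and the
# reported drop name, then flags anything that points into %TEMP%.
# Run from an elevated shell so Get-MpPreference can read the full exclusion list.

$findings = @()

# 1. Defender exclusions of every kind (path, process, extension)
$prefs = Get-MpPreference
foreach ($p in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) + @($prefs.ExclusionExtension)) {
    if ($p) { $findings += [pscustomobject]@{ Type = 'DefenderExclusion'; Value = $p } }
}

# 2. Startup-folder entries for the current user and for all users
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -File -Force) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') {
            # Resolve the shortcut so a .lnk whose target lives in %TEMP% is caught
            $target = $shell.CreateShortcut($item.FullName).TargetPath
        }
        $findings += [pscustomobject]@{ Type = 'StartupEntry'; Value = $target }
    }
}

# 3. The drop name reported for this campaign, in %TEMP%
$dropped = Join-Path $env:TEMP 'Software_Reporter_Tool.exe'
if (Test-Path $dropped) {
    $findings += [pscustomobject]@{ Type = 'KnownDropName'; Value = $dropped }
}

# 4. Assumed heuristic: an exclusion or autorun that points into %TEMP%, or the
#    known drop name itself, is HIGH priority; everything else is listed for review.
$tempRoot = [IO.Path]::GetFullPath($env:TEMP)
$report = foreach ($f in $findings) {
    $hit = ($f.Value -like "$tempRoot*") -or ($f.Type -eq 'KnownDropName')
    $f | Add-Member -NotePropertyName Priority -NotePropertyValue $(if ($hit) { 'HIGH' } else { 'review' }) -PassThru
}
$report | Sort-Object Priority | Format-Table -AutoSize
```

The name Software_Reporter_Tool.exe is borrowed from a legitimate Google Chrome component, which is why the script keys on the %TEMP% location rather than on the file name alone.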
BitRAT supports keylogging, clipboard monitoring, webcam access, audio recording, theft of credentials stored in browsers, and XMRig cryptocurrency mining. In addition, the malware provides remote management of Windows-based systems, hidden virtual network computing (hVNC), and a reverse proxy via SOCKS4 and SOCKS5 (UDP).