Malware Disguised as a Windows Activator
Malware that disguises itself as an official Windows activation tool has been found. It is aimed at users of pirated copies of Windows who are not using genuine Windows activation.
[Figure 1] Overall execution process of the malware
As shown in Figure 1, the malware runs the KMSPico10.2.1.exe file, which creates a batch file, KMSPICO_SETUP.bat, that carries out the malicious behavior. The batch file first executes KMSPicoActivator.exe, which performs a fake Windows activation to deceive the user. It then executes Registry_Activation.exe, which writes to the registry, and Activation.exe, which is the miner.
[Figure 2] KMSPICO_SETUP Batch File
Looking at the contents of the generated batch file in Figure 2, the malware displays progress values such as 47% and 78% to make it appear that installation and patching are in progress. In fact, it is executing Registry_Activation.exe and Activation.exe in the background.
Activation.exe uses a configuration file similar to that of XMRig, a Windows-based mining program that mines Monero. The file is presumed to act as a miner, since it continuously attempts to connect to xmr.pool.minergate.com and sends mining information to cryptocurrency wallets.
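Detection logic for the execution chain and pool traffic described above, as an added example that is not part of the original analysis: it correlates constructed Sysmon-style process and network events, flags any connection to the mining pool named in the analysis, and grades the finding higher when the connecting process descends from the KMSPICO_SETUP.bat batch file. The event layout, pids and file paths are assumptions made for the example.

```python
import ntpath
from collections import namedtuple

Event = namedtuple("Event", "kind pid ppid image cmdline dest")

# Indicators taken from the analysis above.
MINING_POOLS = {"xmr.pool.minergate.com"}
DROPPER_SCRIPT = "kmspico_setup.bat"

# Constructed sample telemetry (Sysmon-style process/network events) modelling the
# described chain; pids, paths and the browser entries are invented for the example.
SAMPLE_EVENTS = [
    Event("process", 100, 1,   r"C:\Users\u\Downloads\KMSPico10.2.1.exe", "KMSPico10.2.1.exe", None),
    Event("process", 200, 100, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "KMSPICO_SETUP.bat"', None),
    Event("process", 300, 200, r"C:\Temp\KMSPicoActivator.exe", "KMSPicoActivator.exe", None),
    Event("process", 400, 200, r"C:\Temp\Registry_Activation.exe", "Registry_Activation.exe", None),
    Event("process", 500, 200, r"C:\Temp\Activation.exe", "Activation.exe", None),
    Event("network", 500, None, None, None, "xmr.pool.minergate.com"),
    # The miner running on its own (e.g. after a reboot, when the dropper chain is gone).
    Event("process", 700, 1,   r"C:\Temp\Activation.exe", "Activation.exe", None),
    Event("network", 700, None, None, None, "XMR.pool.minergate.com"),
    # Benign traffic that must not be flagged.
    Event("process", 600, 1,   r"C:\Program Files\Browser\browser.exe", "browser.exe", None),
    Event("network", 600, None, None, None, "update.example.com"),
]


def ancestry(pid, procs):
    """Walk from a process up through its parents (stops at unknown pids or loops)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid].ppid


def detect(events):
    """Return one finding per connection to a known mining pool, graded by its process chain."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    for e in events:
        if e.kind != "network" or e.dest.lower() not in MINING_POOLS:
            continue
        chain = list(ancestry(e.pid, procs))  # connecting process first, root last
        # Pool traffic reached through the fake-activator batch file is the high-confidence case.
        via_dropper = any(DROPPER_SCRIPT in p.cmdline.lower() for p in chain)
        findings.append({"pid": e.pid, "dest": e.dest,
                         "rule": "fake_activator_miner" if via_dropper else "mining_pool_connection",
                         "chain": " -> ".join(ntpath.basename(p.image) for p in reversed(chain))})
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields two findings: the miner spawned by the batch file and the stand-alone miner, while the browser traffic is ignored.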
On the surface this malware is disguised as a Windows activator, but internally it is a miner that uses the resources of the user's PC. Much malware is disguised as popular programs or cracked versions of them and spread through unofficial channels such as file-sharing websites, so the safest way to prevent infection is to download software only from the official website.
The alias identified by AhnLab's anti-malware solution, AhnLab V3, is as below:
- Malware/Win32.Generic