BitRAT malware now spreading as a Windows 10 license activator (22nd March 2022)

Ref# AL2022_19 | Date: Mar 22nd 2022

Description 

BitRAT, a malware classified as a Remote Access Trojan (RAT), is being distributed to users who try to activate pirated Windows Operating System (OS) versions for free using unofficial Microsoft license activators.

BitRAT is marketed as a powerful, low-cost and adaptable malware that can steal a variety of sensitive data from the host, launch DDoS attacks and bypass User Account Control (UAC), among other things.

Summary  

Threat actors are delivering BitRAT malware as a Windows 10 Pro license activator on webhards in a new BitRAT malware distribution campaign identified by AhnLab researchers. 

Webhards are popular online file-hosting services in South Korea, with a steady stream of visitors arriving via direct download links posted on social media platforms or Discord. Because they are so widely used in the region, threat actors are increasingly abusing webhards to distribute malware.

Based on the Korean characters found in the code snippets and the way the malware was distributed, the actor behind the current BitRAT campaign appears to be Korean.

The malicious program presented as a Windows 10 activator in this campaign is named “W10DigitalActiviation.exe”; it has a simple GUI with a single “Activate Windows 10” button.

How it works  

Rather than activating the Windows license on the host system, the activator downloads malware from the threat actor’s hard-coded command and control (C2) server.

The retrieved payload is BitRAT, which is installed as “Software Reporter Tool.exe” in the %TEMP% folder and added to the Startup folder for persistence. The downloader also adds Windows Defender exclusions to ensure that BitRAT is not detected.

The downloader deletes itself once the malware installation is complete, leaving only BitRAT behind.
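The installation behaviour described above (payload in %TEMP%, a Startup folder entry, and Defender exclusions) can be checked for on a suspect host. The PowerShell script below is an added example and is not part of the advisory; it assumes it is run from an elevated prompt on the host and that the Windows Defender cmdlets (Get-MpPreference) are available.

```powershell
# Added example (not from the advisory): triage checks for the BitRAT installation
# traces described above. Assumes an elevated session and the Defender module.
$suspectName = 'Software Reporter Tool.exe'   # payload name reported by the advisory
$findings = @()

# 1. Dropped payload in %TEMP% (the name mimics a legitimate Chrome component,
#    so the location rather than the name is the signal)
$tempHit = Join-Path $env:TEMP $suspectName
if (Test-Path -LiteralPath $tempHit) {
    $f = Get-Item -LiteralPath $tempHit
    $findings += "Payload present: $tempHit (size $($f.Length), created $($f.CreationTime))"
}

# 2. Persistence via the per-user and all-users Startup folders
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -Force -File | ForEach-Object {
        $entry  = $_
        $target = $null
        if ($entry.Extension -eq '.lnk') {
            # Resolve shortcut targets so a .lnk pointing into %TEMP% is also caught
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($entry.FullName).TargetPath
        }
        if ($entry.Name -eq $suspectName -or ($target -and $target -like "*$suspectName")) {
            $findings += "Startup persistence: $($entry.FullName) -> $target"
        }
    }
}

# 3. Defender exclusions the downloader adds to keep the payload undetected
try {
    $pref = Get-MpPreference -ErrorAction Stop
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($p -and ($p -like "*$env:TEMP*" -or $p -like "*$suspectName*")) {
            $findings += "Defender exclusion: $p"
        }
    }
} catch {
    $findings += "Could not read Defender preferences: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) { 'No indicators of the described BitRAT installation found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any Defender exclusion covering %TEMP% is worth reviewing even if the payload file itself has already been removed, since the exclusion outlives the downloader.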

BitRAT includes features such as keylogging, clipboard monitoring, camera access, audio recording, credential theft through web browsers, and XMRig coin mining. 

It also provides remote control of Windows PCs, hidden virtual network computing (hVNC), and SOCKS4 and SOCKS5 reverse proxying (UDP).

Remediation  

To prevent infection by this malware, always use official Microsoft software and Microsoft license activators on your systems.

If you are, or suspect you are, infected with this malware, follow these steps:

  • Extract the downloaded Autoruns archive and run the Autoruns.exe file.

  • In the Autoruns application, click “Options” at the top and uncheck the “Hide Empty Locations” and “Hide Windows Entries” options. Then click the “Refresh” icon.

  • Check the list provided by the Autoruns application and locate the malware file that you want to eliminate. 

  • Write down its full path and name. Note that some malware hides under legitimate Windows process names, so at this stage it is very important to avoid removing system files. Once you have located the suspicious program you wish to remove, right-click its name and choose “Delete”.

  • After removing the malware entry through Autoruns (this ensures that the malware will not run automatically at the next system startup), search for the malware file name on your computer. Be sure to enable viewing of hidden files and folders before proceeding. If you find the malware file, remove it.

  • Reboot your computer in normal mode.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
