BitRAT distributes itself by impersonating a Windows Activator

March 30, 2022

A BitRAT malware campaign has been seen targeting users who search for unofficial Windows license activators to activate cracked or pirated versions of the Windows operating system.

Security researchers observed a phishing attack that distributes Windows 10 Pro license activators in an online store. However, the activators offered by the phishing actors are malicious and contain BitRAT malware.

The threat actors promoted the malicious file as a Windows 10 activator and named it W10DigitalActiviation[.]exe. The activator also includes a simple GUI with a button to activate Windows 10. However, instead of activating Windows, pressing the button only downloads the malware from a command-and-control server and installs it.

Once the malware is successfully installed on the target's device, the downloader removes itself from the system and leaves BitRAT behind.

Researchers are still speculating about the true origin of the threat actors behind this malware, but they claim that the threat actors are from Korea. They spotted several Korean characters in the code snippets and therefore assume that the attacks were based in North or South Korea.

 

BitRAT is malware capable of numerous functions.

 

The threat actors advertised BitRAT as capable, versatile, and affordable malware that can steal essential data from its target. This remote access trojan (RAT) can carry out distributed denial-of-service (DDoS) attacks and bypass User Account Control (UAC).

Furthermore, BitRAT supports keylogging, audio recording, credential theft, webcam access, clipboard monitoring, coin mining, and more. The RAT also supports hidden virtual network computing (hVNC), a reverse proxy feature utilising UDP, and remote control of Windows systems.

Researchers recently discovered substantial code similarities between BitRAT, TinyNuke, and Warzone (AveMaria). Korean threat actors like Kimsuky also used the hidden desktop function of BitRAT to utilise the hVNC tools.

Using pirated software remains as dangerous as ever, and looking for activators for pirated software may lead to infections such as BitRAT. Cybersecurity experts recommend that users stay away from activator tools and from websites that offer such features for Windows activation. Using a comprehensive anti-malware solution is the strongest defense against these attacks.
