This Windows Key Verification Tool Is Actually a Deadly BitRAT That Bypasses Defender

Security research firm ASEC has discovered a new malware campaign that disguises itself as a Windows product key verification tool. In this guise, the tool is actually a BitRAT or remote access Trojan.

ASEC discovered that this particular RAT is being distributed via Webhards, a South Korean online file-sharing service. While cracked and pirated software often infects devices with malware, many people tend not to take such warnings seriously, or they may not be able to afford a genuine Windows license. As a result, malware creators continue to create and distribute malware this way.

Now, understanding how this BitRAT works, ASEC explains that the downloaded zip file "W10DigitalActivation.exe" contains malicious files but also comes with genuine Windows activation files. The "W10DigitalActivation" msi file is apparently real, while the other "W10DigitalActivation_Temp" file is malware (see image below).

When an unsuspecting user runs the exe file, both the actual verification tool and the malware file are executed simultaneously, giving the user the impression that the Windows License Key Verification Tool is working as expected.

The W10DigitalActivation_Temp.exe malware file then proceeds to download other malicious files from the command and control (C&C) server and delivers them to the Windows Starter folder via PowerShell . Finally, BitRAT is installed as a "Software_Reporter_Tool.exe" file in the %temp% folder and Windows Defender, adding an exclusion path to the Startup folder and an exclusion process for BitRAT.

The above is the detailed content of This Windows Key Verification Tool Is Actually a Deadly BitRAT That Bypasses Defender. For more information, please follow other related articles on the PHP Chinese website!