Skip to main content

BitRAT malware

Brucert alert thumbnail

24 MAR 2022

BitRAT Malware Spreading Through Unofficial Microsoft Windows Activators

Security research has discovered a new malware campaign that disguises itself in the form of a Windows 10 Pro license activator. It is a remote access trojan known as BitRAT and is being distributed via webhards, which are an online file sharing services popular in South Korea.

Modus Operandi

When a user downloads the fake license, a compressed file named ‘Program.zip’ is given, and locked with a password ‘1234’. It contains a Windows 10 license verification tool named ‘W10DigitalActivation.exe’.

‘W10DigitalActivation.exe’ is a 7z SFX file that carries an actual verification tool called ‘W10DigitalActivation.msi’ and the malware named W10DigitalActivation_Temp.msi. When the user double-clicks the file, it installs both files concurrently. As both the malware and the verification tool are run at the same time, the user is tricked into thinking that the tool is running properly.    

Unlike its name, ‘W10DigitalActivation_Temp.msi’ is a downloader with exe extension that downloads additional malware. When run, it connects to a Command and Control (C&C) server it harbors internally, exchanging encrypted strings. It then decrypts the strings to ultimately acquire a download URL for the additional payload.

The downloader installs the malware into the Windows startup program folder and deletes itself. Normally, the first file that is installed is a downloader of the same kind, and the downloader run this way ultimately installs BitRAT into the path %TEMP% as ‘Software_Reporter_Tool.exe’.

One of its features uses a powershell command to add the Windows startup program folder—where the downloader will be installed—as an exclusion path for Windows Defender, and adding the BitRAT process name ‘Software_Reporter_Tool.exe’ as an exclusion process for Windows Defender.

The malware that is ultimately installed is a RAT (Remote Access Trojan) malware called BitRAT.

Impact

BitRAT malware controls the infected machine and collects various inputs or even streams the microphone, webcam recordings in real-time. RAT can also use various files and processes to run on resources of the machine so cryptocurrency can be generated or other viruses installed.

The more time this malware has on the PC, the more information can be exfiltrated, so collected information gets used by criminals. Those personal details that can be obtained are extremely valuable on the internet, especially on the dark web.

BitRAT malware can trigger chain infections and execute downloaded files to spread malware, extract login credentials, passwords, usernames. This malware can steal data from 35 different browsers and 500 additional programs. The virus may record keystrokes, so once it is installed, it becomes extremely dangerous to login to any site, social media platform, or banking page.

BitRAT malware and other RATs are often used to obtain login credentials, passwords, and usernames for particular cryptocurrency wallets, banking sites, online platforms, and social media. The malware can access: name, address, telephone number, email, banking account credentials, and credit card numbers.

 

Recommendations

 

  • Do not download and install applications from untrusted websites, especially cracked or pirated versions.
  • Perform a security scan – run a FULL scan of your computer with your UPDATED anti-malware software.
  • Users should also be wary of following instructions to turn off antivirus software, as that can lead to malicious software being allowed to infiltrate the system.
  • Properly secure all applications that are both publicly and privately accessible.
  • Ensure that your browser, operating system, and software are kept up to date.
  • Strong passwords should always be used to secure internet services. Two factor authentication is highly recommended.
  • Perform a full backup occasionally.