KMSpico: saved money on Windows – say goodbye to data

Tomcat

How do hackers disguise hotbeds of viruses so that they occupy high positions in search results?

The cybersecurity company eSentire has reported a new operation that distributes the Vidar infostealer through fake sites posing as Windows activation tools popular in the CIS countries, such as KMSpico.

KMSpico and other KMS series products are illegal tools for activating Windows and other Microsoft products that circumvent license restrictions. Users often search for them on the Internet to activate their software for free, without purchasing a license. However, such tools are often used by attackers to distribute malware.

In the incident reviewed by eSentire specialists, a user visited the site kmspico[.]ws and came close to downloading a malware-laced activator from it. After a thorough analysis of the site and its content, the experts came to the following conclusions.

The kmspico[.]ws site is protected by Cloudflare's Turnstile CAPTCHA and requires entering a code before the final ZIP package can be downloaded, eSentire noted. These steps are highly unusual for legitimate download sites and are designed to hide the page and the final malicious file from automated web crawlers.

The downloaded ZIP archive analyzed by the experts contained Java dependencies and an executable file, "Setuper_KMS-ACTIV.exe". When launched, this file disabled behavioral monitoring in Windows Defender and ran an AutoIt script. The AutoIt script, in turn, decrypted and launched the Vidar Stealer malware.
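Because the chain above starts by switching off Defender's behavioral monitoring, a defender's first check on a suspect host is whether that setting still holds and whether it was changed recently. The following PowerShell script is an added example, not code from the article or from eSentire; it assumes a Windows host with Microsoft Defender Antivirus, an elevated session, and the standard Defender operational event log (Event ID 5007, "configuration has changed").

```powershell
# Added example (not from the original post): audit Defender behaviour monitoring
# and list recent configuration-change events that touched that setting.
# Assumes Microsoft Defender Antivirus is installed and the shell is elevated.

function Test-DefenderBehaviorMonitoring {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
        # $true here means the setting has been disabled, by policy or by tampering
        DisableBehaviorMonitoring = $pref.DisableBehaviorMonitoring
        TamperProtectionEnabled   = $status.IsTamperProtected
    }
}

function Get-DefenderBehaviorMonitoringChanges {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007   # "Microsoft Defender Antivirus configuration has changed"
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Keep only changes that mention the behaviour-monitoring key
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DisableBehaviorMonitoring' } |
        Select-Object TimeCreated, Message
}

$state = Test-DefenderBehaviorMonitoring
$state | Format-List
if (-not $state.BehaviorMonitorEnabled) {
    Write-Warning 'Behaviour monitoring is OFF: review the configuration-change events below.'
}
Get-DefenderBehaviorMonitoringChanges -Days 7 | Format-List
```

A 5007 event that flips DisableBehaviorMonitoring to 1 shortly before an unknown installer ran is the artefact to look for; with Tamper Protection enabled the change should be blocked in the first place.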

Vidar itself is a well-known infostealer. The malware can collect usernames, passwords, browser history, cookies, auto-fill data, and financial information such as bank card details and cryptocurrency wallets. The collected data is sent to the command-and-control (C2) server, where the attackers can access it.

In the campaign reviewed, Vidar Stealer used Telegram to store the IP address of its C2 server, hiding it inside a legitimate service. This technique lets attackers manage infected systems without exposing their own infrastructure.

Similar social-engineering attacks often rely on fake sites that mimic legitimate software, for example Advanced IP Scanner. According to a recent report by Trustwave SpiderLabs, attackers have recently used a fake Advanced IP Scanner site to distribute Cobalt Strike.

The conclusion is that any software, whether an official licensed program or not, should be downloaded only from trusted sources. Most dubious websites that offer software of various kinds turn out to be hotbeds of malware that is carefully hidden from automated web scanning systems.