Sunday, January 16

Pirated Windows activator can steal your bitcoins

The company Red Canary, a specialist in computer security audits, has published a recent investigation demonstrating how the use of pirated Windows activators can compromise the security of bitcoin (BTC) and cryptocurrency wallets on computers running this operating system.

The research was released on December 2 by Tony Lambert, a malware detection and investigation specialist who works for Red Canary. It details how KMSpico, a program used to install illegal license keys for Windows and Office, now circulates in a pirated version of its own. That version steals user information, including the recovery seeds of bitcoin and cryptocurrency wallets.

According to the research, the malicious software is indistinguishable from the original in a Google search. It is worth remembering, however, that the «original» is itself software that installs illegal Windows licenses. Because it is used for an illegal activity, it carries no verification of any kind.

[Figure: The research shows how, in a Google search, it is impossible to distinguish one activator from another. Source: Google / Red Canary.]

How this bitcoin-stealing malware works

To use the “original” KMSpico, it is necessary to disable all antivirus programs, because this software is flagged as potentially dangerous. Once the antivirus is disabled, it no longer detects the activator. The same applies to the pirated version: it can install the malware without even being seen.

This type of strategy has been seen before, as reported by CriptoNoticias. Last April, hackers created malicious websites that offered downloads of Windows add-ons, such as DirectX 12, but installed malware instead.

Cryptbot and CypherIT, the names of the malware, work by recording the activity of certain applications. When the victim goes online, a log is installed that shares all of the victim’s activity with the attacker. If the user reveals the recovery seed at some point, the attacker can capture it and consequently steal the cryptocurrencies.

According to the research, as long as the seed is not revealed, the funds apparently cannot be moved. However, this is no guarantee that the attacker will not find another way to get hold of the private keys.

In a listing shown in the investigation, desktop wallets such as Exodus, Jaxx Liberty, Electrum, and Coinomi were shown to be susceptible. Browser wallets such as MetaMask were also compromised by the malicious software. Even Ledger Live, the suite used with the hardware wallets of the Ledger company, could potentially be compromised.

What to do in case of infection

For users with technical knowledge, the research recommends running the CMD command findstr /V /R "^…$", which scans for any file installed on the computer that is sharing information with an external destination.
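Because both the “original” and the pirated activator depend on the antivirus being disabled, a practical first check is whether Microsoft Defender is still active and whether exclusions were added to hide an installer. The following PowerShell script is an added example (not from the article, CriptoNoticias, or Red Canary) and uses only the built-in Defender cmdlets; the seven-day window for recently dropped executables is an assumed value.

```powershell
# Added example: report Defender tampering and recently dropped executables
# in user-writable folders, the conditions a KMSpico-style installer relies on.
function Test-ActivatorFootprint {
    param([int]$Days = 7)   # assumed look-back window, adjust as needed

    $status   = Get-MpComputerStatus
    $prefs    = Get-MpPreference
    $findings = @()

    # 1. Antivirus state: the activator requires these to be switched off.
    if (-not $status.AntivirusEnabled)          { $findings += "Antivirus engine is disabled" }
    if (-not $status.RealTimeProtectionEnabled) { $findings += "Real-time protection is OFF" }
    if ($prefs.DisableRealtimeMonitoring)       { $findings += "DisableRealtimeMonitoring is set" }

    # 2. Exclusions: a common way to keep a dropped binary out of scans.
    foreach ($p in @($prefs.ExclusionPath))      { if ($p) { $findings += "Path exclusion: $p" } }
    foreach ($e in @($prefs.ExclusionExtension)) { if ($e) { $findings += "Extension exclusion: $e" } }
    foreach ($p in @($prefs.ExclusionProcess))   { if ($p) { $findings += "Process exclusion: $p" } }

    # 3. Executables recently written where unprivileged installers drop payloads.
    $cutoff = (Get-Date).AddDays(-$Days)
    $roots  = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $cutoff } |
            ForEach-Object { $findings += "Recent binary: $($_.FullName) ($($_.CreationTime))" }
    }

    if ($findings.Count -eq 0) { $findings += "No Defender tampering or recent user-area binaries found" }
    return $findings
}

Test-ActivatorFootprint | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell prompt; a disabled engine or an unexplained exclusion is reason to treat the machine as compromised and move wallet funds from a clean device.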

To avoid these scenarios, the firm recommends always using original Windows licenses. Red Canary notes that there are technology departments without a single PC holding an original license, which can turn this type of vulnerability into a critical situation.