  • BitRAT malware now spreading as a Windows 10 license activator



    A new BitRAT malware distribution campaign is underway, exploiting users looking to activate pirated Windows OS versions for free using unofficial Microsoft license activators.


    BitRAT is a powerful remote access trojan sold on cybercrime forums and dark web markets for as low as $20 (lifetime access) to any cybercriminal who wants it.


    As such, each buyer follows their own approach to malware distribution, ranging from phishing and watering holes to trojanized software.

    Targeting pirates with malware

    In a new BitRAT malware distribution campaign discovered by researchers at AhnLab, threat actors are distributing the malware as a Windows 10 Pro license activator on webhards.


    Webhards are online storage services popular in South Korea that have a steady influx of visitors from direct download links posted on social media platforms or Discord. Due to their wide use in the region, threat actors are now more commonly using webhards to distribute malware.


    The actor behind the new BitRAT campaign appears to be Korean based on some of the Korean characters in the code snippets and the manner of its distribution.



    Post promoting the BitRAT dropping Windows activator (ASEC)


    To properly use Windows 10, you need to purchase and activate a license with Microsoft. While there are ways to get Windows 10 for free, you still need a valid Windows 7 license to get the free upgrade.


    Those who do not want to deal with licensing issues or do not have a license to upgrade commonly turn to pirating Windows 10 and using unofficial activators, many of which contain malware.


    In this campaign, the malicious file promoted as a Windows 10 activator is named 'W10DigitalActiviation.exe' and features a simple GUI with a button to "Activate Windows 10."



    The malware downloader posing as a Windows activator (ASEC)


    However, instead of activating the Windows license on the host system, the "activator" will download malware from a hardcoded command and control server operated by the threat actors.


    The fetched payload is BitRAT, installed in %TEMP% as ‘Software_Reporter_Tool.exe’ and added to the Startup folder. The downloader also adds exclusions for Windows Defender to ensure that BitRAT won’t encounter detection issues.


    Once the malware installation process is completed, the downloader deletes itself from the system leaving behind only BitRAT.



    The downloader fetching the BitRAT payload (ASEC)

    A versatile RAT

    BitRAT is promoted as a powerful, inexpensive, and versatile malware that can snatch a wide range of valuable information from the host, perform DDoS attacks, UAC bypass, etc.


    BitRAT supports generic keylogging, clipboard monitoring, webcam access, audio recording, credential theft from web browsers, and XMRig coin mining functionality.


    Additionally, it offers remote control for Windows systems, hidden virtual network computing (hVNC), and reverse proxy through SOCKS4 and SOCKS5 (UDP). On that front, ASEC’s analysts have found strong code similarities with TinyNuke, and its derivative, AveMaria (Warzone).


    The hidden desktop feature on these RATs is so valuable that some hacking groups, like Kimsuky, incorporated them in their arsenal just to use the hVNC tool.

    Risk of piracy

    Even if the legal and ethical aspects are ignored, using pirated software is always a security gamble.


    The more tools are used to activate illegally obtained copies of software or crack their intellectual property protection systems, the greater the chances of ending up with a nasty malware infection.


    Those who can’t afford to purchase a Windows license should look at alternative options instead, such as accepting the limitations of the free version, monitoring for special offers from trustworthy platforms, or using Linux.


    Ultimately, users should not trust license activators, or any unsigned executable authored and released by unknown vendors, to run on their systems.
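
A host triage check for the artifacts the article describes (the payload name in %TEMP%, the Startup folder entry, and Windows Defender exclusions), added here as an example and not taken from the article or from ASEC. The Startup name match and the choice to list every Defender exclusion are assumptions, because the article does not say how the Startup entry is named or which exclusions the downloader adds.

```powershell
# Added triage example (not from the article or ASEC). Checks one host for the
# artifacts the article names; a hit is a lead to investigate, not a verdict.
# Run elevated: non-admin sessions may not be shown Defender exclusions.
$payloadName = 'Software_Reporter_Tool.exe'   # payload file name given in the article
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Payload dropped in %TEMP%: record hash and signature status for follow-up
$tempHit = Join-Path $env:TEMP $payloadName
if (Test-Path -LiteralPath $tempHit -PathType Leaf) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $tempHit
    $hash = (Get-FileHash -LiteralPath $tempHit -Algorithm SHA256).Hash
    Add-Finding 'TempPayload' "$tempHit sha256=$hash signature=$($sig.Status)"
}

# 2. Startup folder persistence (per-user and all-users).
#    Assumption: the entry carries the payload's name (an .exe copy or a .lnk).
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force |
        Where-Object { $_.Name -like 'Software_Reporter_Tool*' } |
        ForEach-Object { Add-Finding 'StartupEntry' $_.FullName }
}

# 3. Defender exclusions: list all of them so an analyst can spot ones
#    nobody in the organisation configured.
try {
    $pref = Get-MpPreference -ErrorAction Stop
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in @($pref.$kind)) {
            if ($value) { Add-Finding "Defender$kind" $value }
        }
    }
} catch {
    Add-Finding 'DefenderUnavailable' $_.Exception.Message
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No artifacts from the article found on this host.' }
```

Because the downloader deletes itself after installation, the absence of W10DigitalActiviation.exe on disk says nothing; the three checks above target what is left behind.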




    The original tool of this version beta archive doesn't have these msi packages in the exe. This is a faked msi. This is one of the best lessons for those who download bluntly without checking the integrity of what and where they're downloading.


    Message from Tool Creator:

    Be careful, do not download W10DigitalActiviation.exe from shady sites!!!

    Be careful not to download W10DigitalActiviation.exe from left - wing sites !!!



    CC: @Karlston @aum


    3 hours ago, BluePT said:

    I don't understand why people download this kind of tool when it's easier to buy a license for 10 bucks...

    Globally, many humans are poor, and the numbers have rapidly increased starting with the pandemic & much more rapidly after Sh*t* US, EU sanctions.


    Additionally, Microsoft made Windows as a Service & many are worried if they wanna pay as a subscription model.


    Moreover, it's stupid to trust Microsoft completely as they don't heed hard fans and frequently make them jackasses/fools with their updates/releases.


    Also, I hope you remember Microsoft giving free upgrades. Why? They're pushing paid users with nags to upgrade to an unstable OS with their unstable mind.


    Hence, either stuck/required for work, many opt to use Windows as an alpha/beta software with precaution with these methods.
