A New Windows Phishing Attack – Activate License, Inject BitRAT

Windows PCs have become an easy target for cybercriminals in the past few years. Not long ago, Windows devices were the main target of a stealthy trojan campaign. Now, a new trojan is attacking PC users and infecting their devices with the dangerous BitRAT malware.


When it comes to Windows, licenses do expire. Re-activating them costs money, which leads users to search for alternative sources to get them for free.

Apparently, the attackers are well aware of that, as they’re now taking advantage of this particular need to market fake Microsoft license activators in hopes of injecting the BitRAT malware. What do we know about this incident? Find out in the following article.

Windows BitRAT Attack – A RAT is Lurking Within Your PC

BitRAT has been around for quite some time now and it’s been used by several threat actors on several occasions. Aside from being very dangerous, the frightening part is that BitRAT is available to everyone.

Yeah, you heard that right. This remote access trojan is sold on cybercrime forums and dark web markets. What’s worse is that it goes for as low as $20.

Oh, and no limited access or duration. This fee gets threat actors lifetime access to this extremely harmful trojan. In other words, they can use it in malicious campaigns such as phishing, watering hole attacks, or trojanized software whenever they want.

According to research by AhnLab, threat actors are using Webhard to distribute Windows 10 Pro license activators in hopes of infecting the targets’ devices with BitRAT malware.

Webhard is one of the biggest online storage services and is very popular in South Korea, so this campaign poses a very big threat to Windows users.

The attackers are using social media platforms and even Discord to promote their “Fake” webpage. Once the targets visit it, they’re met with a direct download link.


We can clearly state, based on the page, that the group behind this is Korean-based. The manner of distribution says it all.

Now, this scam is pretty easy to perfect. Why? Well, Windows users need to purchase and activate a license with Microsoft to use Windows 10 properly.

While there are ways to get the upgrade for free, some users don’t take the time to do so. That’s when they turn to pirated sources for a free download. Unfortunately, most of these turn out to contain malware.

Downloaded – Now What?

When the victims download the file and run ‘W10DigitalActiviation.exe’, it is clear that the program doesn’t reflect an official Windows interface.

Not all of us are vigilant, which brings us to the installer. Once the victims open the file, a window pops up, featuring a simple GUI with a button to “Activate Windows 10.”


As with most malware injectors, this definitely won’t activate Windows 10. Instead, it’ll download the malware from a hardcoded command and control server. Yeah, you guessed it – it belongs to the attackers.

With BitRAT in place, the threat actors can have access to almost everything. That includes keylogging, webcam access, clipboard monitoring, and audio recording.

Not to mention that they can perform all sorts of malicious practices such as credential theft from web browsers and XMRig coin mining functionality.

Windows Hit with BitRAT – Activate to Infiltrate

It’s well known that downloading content from official sources is the best thing to do. Regardless of your intentions, no matter how ethical or legal they are, using pirated software is always a security gamble.

You never know who is truly hosting the website you’re using. Everyone is a target nowadays as cybercrime is increasing drastically. This Windows BitRAT attack is just one of many. Stay safe.
