Security research firm ASEC found that a new type of malware has recently appeared on the Internet. It will disguise as a Windows activation tool, but it is actually a BitRAT remote access Trojan.
Moreover, ASEC found that this Trojan is mainly distributed through Webhards (Webhards is an online file sharing service in South Korea), but there is also the risk of spreading through other channels.
Join tip3x on Telegram
It’s worth mentioning that while cracked and pirated software is often reported as a virus, many people tend not to take such warnings seriously, and some users require a Windows activation tool, which may have caused the problem in some cases.
ASEC explained that the downloaded zip file “W10DigitalActivation.exe” while containing genuine Windows activation files, did contain malicious files. The “W10DigitalActivation” msi file is apparently genuine, while the other “W10DigitalActivation_Temp” file is malware.
When an unsuspecting user runs the file in the zip file, the real activation tool and the malware execute simultaneously, fooling the user into thinking that the Windows activation tool is real and that the file is not a threat.
Furthermore, when you run the Trojan, W10DigitalActivation_Temp.exe downloads other malicious files via the command and control (C&C) server and delivers them to the Windows startup programs folder via PowerShell.
Finally, BitRAT will install the “Software_Reporter_Tool.exe” file in the % temp% folder for you, thus adding the exclusion path of the Startup folder and the BitRAT exclusion process in Windows Defender.
