An attack campaign used a fake KMSPico activator, downloaded from a web search result (kmspico.ws), to deliver Vidar Stealer malware. The attack abused bundled Java dependencies and ran a malicious AutoIt script to disable Windows Defender.
The script then decrypted the final Vidar payload with shellcode. The case highlights the risks of downloading software from untrusted sources, particularly activators that bypass licensing.
The website kmspico.ws uses Cloudflare Turnstile to hinder automated downloads: users must enter a code before they receive the final ZIP file. This is uncommon for legitimate downloads and suggests an intent to hide the download page and the (likely malicious) final payload from web crawlers.
eSentire's analysis of the downloaded ZIP archive revealed Java dependencies alongside a suspicious executable named Setuper_KMS-ACTIV.exe (MD5: 6b6d562c71b953f41b6915998f047a30).
Launching the bundled javaw.exe disables Windows Defender behavior monitoring and drops two malicious AutoIt scripts: “x” (MD5: c7ece036a2284fba0f5d31055b44846f) and “Flour.pif” (MD5: b06e67f9767e5023892d9698703ad098).
The AutoIt script “x” then injects the encrypted Vidar payload into a running AutoIt process: a multi-stage chain that disables security controls, drops malicious scripts, and injects a payload for follow-on activity.
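The chain above (a Java runtime spawning a renamed interpreter, a .pif file launched with a bare script argument, and Defender behavior monitoring being switched off) is the kind of thing endpoint telemetry can flag. The following is an added example, not code from the original post or from eSentire: it runs three simple rules over constructed Sysmon-like events. The event schema, the file paths other than the names the post gives, and the event ids are assumptions made for the example; the registry value named is the real Defender policy value, but the post does not say which mechanism the campaign used to disable the feature.

```python
"""Detection logic for the process chain described above, run over constructed
process-creation and registry events. The event schema (dicts with id,
parent_image, image, command_line, registry_path, value) is an assumed
Sysmon-like shape; the sample events are constructed for this example and are
not telemetry from the real campaign."""
from typing import Iterable

# Policy value that turns off Defender behavior monitoring (a real registry value
# name; the page does not say which mechanism the campaign used to disable it).
DEFENDER_BM_VALUE = r"windows defender\real-time protection\disablebehaviormonitoring"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: dict) -> list:
    """Return the names of the rules this single event matches (possibly none)."""
    hits = []
    parent = _basename(ev.get("parent_image", ""))
    image = _basename(ev.get("image", ""))
    args = ev.get("command_line", "").split()[1:]
    reg = ev.get("registry_path", "").lower()

    # Rule 1: a Java runtime spawning a .pif file is not normal application behaviour.
    if parent == "javaw.exe" and image.endswith(".pif"):
        hits.append("javaw_spawns_pif")
    # Rule 2: a .pif executable given an extensionless argument ("Flour.pif x"):
    # the shape of a renamed interpreter plus a script file.
    if image.endswith(".pif") and any(
        "." not in a and not a.startswith(("/", "-")) for a in args
    ):
        hits.append("pif_with_script_argument")
    # Rule 3: registry write that disables Defender behavior monitoring.
    if reg.endswith(DEFENDER_BM_VALUE) and str(ev.get("value", "")) == "1":
        hits.append("defender_behavior_monitoring_disabled")
    return hits


def scan(events: Iterable) -> dict:
    """Map each triggered rule name to the ids of the events that triggered it."""
    findings = {}
    for ev in events:
        for rule in classify_event(ev):
            findings.setdefault(rule, []).append(ev["id"])
    return findings


# Constructed sample events (paths and ids invented for the example).
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Users\u\Downloads\KMSPico\Setuper_KMS-ACTIV.exe",
     "image": r"C:\Users\u\Downloads\KMSPico\jre\bin\javaw.exe",
     "command_line": "javaw.exe -jar app.jar"},
    {"id": 2, "parent_image": r"C:\Users\u\Downloads\KMSPico\jre\bin\javaw.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\Flour.pif",
     "command_line": r"C:\Users\u\AppData\Local\Temp\Flour.pif x"},
    {"id": 3, "image": r"C:\Windows\System32\reg.exe",
     "registry_path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "value": "1"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Git\bin\git.exe",
     "command_line": "git.exe status"},
]

if __name__ == "__main__":
    for rule, ids in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {ids}")
```

Each rule on its own is noisy; the value is in seeing two or three of them fire for the same process tree within a short time, which is what the `scan` output makes easy to correlate.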
The malicious AutoIt script carries shellcode that decrypts the Vidar payload with RC4, using a hardcoded key that is itself obfuscated within the script.
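To make the decryption step concrete, here is an added example (not code from the post, from eSentire, or from the malware) that implements standard RC4 and recovers a constructed "payload" from a hardcoded key stored in obfuscated form. The RC4 routine is the textbook algorithm; the key obfuscation used here (XOR with a single byte, then byte-reversal) is an assumption for the example only and is not a description of what the real script does. An analyst reproducing the step would swap in the obfuscation recovered from the script.

```python
"""RC4 decryption of a constructed Vidar-like blob with a hardcoded, lightly
obfuscated key. The RC4 routine is the standard algorithm; the key obfuscation
(XOR with one byte, then reversed) is an ASSUMPTION made for this example and is
not the scheme used by the real AutoIt script."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling (KSA) then keystream generation (PRGA).
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


XOR_MASK = 0x5A   # assumed obfuscation constant for this example only


def deobfuscate_key(blob: bytes) -> bytes:
    """Undo the assumed obfuscation: reverse the bytes and XOR each with the mask."""
    return bytes(b ^ XOR_MASK for b in reversed(blob))


def obfuscate_key(key: bytes) -> bytes:
    """Inverse of deobfuscate_key; used only to build the constructed sample."""
    return bytes(b ^ XOR_MASK for b in key)[::-1]


def decrypt_payload(ciphertext: bytes, obfuscated_key: bytes) -> bytes:
    """Recover the embedded executable and sanity-check the PE 'MZ' header,
    which is the quickest sign that the key was recovered correctly."""
    plaintext = rc4(deobfuscate_key(obfuscated_key), ciphertext)
    if not plaintext.startswith(b"MZ"):
        raise ValueError("decrypted data does not look like a PE file; wrong key?")
    return plaintext


# Constructed sample: a fake PE body and the key as the script would carry it.
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_PLAINTEXT = b"MZ\x90\x00constructed payload body, not real Vidar"
SAMPLE_OBFUSCATED_KEY = obfuscate_key(SAMPLE_KEY)
SAMPLE_CIPHERTEXT = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = decrypt_payload(SAMPLE_CIPHERTEXT, SAMPLE_OBFUSCATED_KEY)
    print(recovered[:16])
```

The `MZ` check matters in practice: RC4 produces output for any key, so without a plaintext sanity check a wrong de-obfuscation step silently yields garbage.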
Vidar Stealer uses the Dead Drop Resolver (DDR) technique via Telegram to retrieve the IP address of its C2 server.
Threat actors use Dead Drop Resolver (T1102.001) to hide their Command and Control (C2) infrastructure by embedding obfuscated C2 information (domains and IPs) in content hosted on legitimate web services and applications (for example Telegram), rather than using those platforms for C2 directly.
This makes discovering the C2 infrastructure through malware analysis harder. The case also highlights how often malware is disguised as seemingly harmless applications (greyware piracy tools) and underlines the need for user awareness to counter such threats.
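Because the C2 address is fetched from a legitimate service, static analysis of the sample alone will not reveal it, but the behaviour leaves a network-side shape: a process fetches a public Telegram page and, moments later, opens a connection straight to a public IP literal (no hostname, so no DNS lookup). The following is an added example, not from the post or from eSentire, that encodes that heuristic over constructed per-process network events. The event schema, process ids, timestamps and the 203.0.113.77 address (an RFC 5737 documentation address) are all assumptions made for the example.

```python
"""Heuristic detection for Dead Drop Resolver behaviour (T1102.001) over
constructed per-process network telemetry: a process fetches a public Telegram
page and, shortly afterwards, connects directly to a public IP literal from the
same process. The event shape (ts, pid, image, kind, dest) is an assumed
EDR-style schema and all sample events are constructed; nothing here is real
campaign traffic."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

DEAD_DROP_HOSTS = {"t.me", "telegram.me"}   # legitimate services usable as dead drops
WINDOW = timedelta(seconds=60)              # max gap between fetch and C2 connect
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _external_ip_literal(dest: str):
    """Return the parsed address if dest is an IP literal outside loopback,
    link-local, multicast and RFC 1918 space, else None. RFC 5737 documentation
    ranges deliberately pass so the constructed sample can use 203.0.113.77."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return None          # a hostname, not an IP literal
    if addr.is_loopback or addr.is_link_local or addr.is_multicast:
        return None
    if any(addr in net for net in RFC1918):
        return None
    return addr


def detect_ddr(events: list) -> list:
    """One finding per dead-drop fetch that is followed within WINDOW by a direct
    connection to an external IP literal from the same process."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        last_fetch = None
        for ev in evs:
            if ev["kind"] != "connect":
                continue                     # DNS and other event kinds are ignored
            if ev["dest"] in DEAD_DROP_HOSTS:
                last_fetch = ev
                continue
            addr = _external_ip_literal(ev["dest"])
            if addr and last_fetch and ev["ts"] - last_fetch["ts"] <= WINDOW:
                findings.append({
                    "pid": pid,
                    "image": ev["image"],
                    "dead_drop": last_fetch["dest"],
                    "c2_candidate": str(addr),
                    "seconds_after_fetch": (ev["ts"] - last_fetch["ts"]).total_seconds(),
                })
                last_fetch = None            # one finding per fetch
    return findings


# Constructed sample telemetry (pids, times and the IP address are invented).
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "pid": 4120, "image": "Flour.pif", "kind": "connect", "dest": "t.me"},
    {"ts": T0 + timedelta(seconds=3), "pid": 4120, "image": "Flour.pif",
     "kind": "connect", "dest": "203.0.113.77"},
    {"ts": T0 + timedelta(minutes=1), "pid": 980, "image": "chrome.exe",
     "kind": "connect", "dest": "t.me"},
    {"ts": T0 + timedelta(minutes=1, seconds=1), "pid": 980, "image": "chrome.exe",
     "kind": "dns", "dest": "www.example.com"},
    {"ts": T0 + timedelta(minutes=1, seconds=2), "pid": 980, "image": "chrome.exe",
     "kind": "connect", "dest": "www.example.com"},
    {"ts": T0 + timedelta(minutes=5), "pid": 4120, "image": "Flour.pif",
     "kind": "connect", "dest": "203.0.113.77"},
    {"ts": T0 + timedelta(minutes=6), "pid": 1200, "image": "svchost.exe",
     "kind": "connect", "dest": "10.0.0.5"},
]

if __name__ == "__main__":
    for f in detect_ddr(SAMPLE_EVENTS):
        print(f)
```

The browser in the sample also visits t.me but then connects by hostname, so it is not flagged; the later repeat connection from the same process falls outside the window and is not double-counted. In a real deployment the candidate address goes into the IOC set alongside the hashes the post lists, and the heuristic is tuned per environment (window size, allow-listed processes).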
For Indicators of Compromise, refer here.
Never forget to check out our YouTube channel, ETHICAL EMPIRE, and keep reading our exciting blogs. Until next time, stay curious, stay secure, and keep exploring the fascinating world of cyber security. See you soon, bye!