Researchers have identified an attack involving a fake KMSPico activator tool, which is used to deliver Vidar Stealer malware. The attack exploits Java dependencies and a malicious AutoIt script to disable Windows Defender and decrypt the Vidar payload via shellcode. Users searching for KMSPico are directed to a site (kmspico[.]ws) that requires human input to download a malicious ZIP package, effectively hiding the payload from automated web crawlers.
The ZIP archive contains Java dependencies and a malicious executable named Setuper_KMS-ACTIV.exe. When launched, this executable disables behavior monitoring in Windows Defender and drops an AutoIt script called “Flour.pif” that contains the encrypted Vidar payload. The shellcode within the script decrypts the payload using the RC4 algorithm, which is obfuscated by a hardcoded key.
Vidar Stealer uses a Dead Drop Resolver (DDR) to store the Command and Control (C2) IP address on legitimate external web services like Telegram. This tactic helps conceal the C2 infrastructure by embedding and obfuscating domains or IP addresses within content posted on these platforms. Threat actors use this method to manage their operations and maintain communication with the infected systems.
In response to the attack, eSentire’s 24/7 SOC Cyber Analysts isolated the affected host and notified the customer, providing support and remediation. This incident highlights the dangers of malware-laden applications, particularly those disguised as piracy tools, and emphasizes the need for user awareness and the importance of obtaining software from legitimate sources. Organizations are advised to use Endpoint Detection and Response (EDR) solutions, implement Phishing and Security Awareness Training (PSAT), and encourage the use of password managers to protect against such threats.
Reference:
