AhnLab has recently identified a malware being distributed in the wild disguised as a software activation tool. The malicious campaign is targeted towards users trying to get access to pirated softwares.
The attacker distributed malicious executable files disguised as software activation tools. Examples of these tools include KMSAuto and KMSPico. It can be commonly downloaded from illegal software download sites and P2P file-sharing sites.
When the user executes the malicious executable file, a fake password input appears. When the user enters the password that was provided by the attacker and clicks on the OK button, the tool will automatically download Vidar malware.
Vidar malware, also known as Vidar Stealer, operates primarily as an information stealer and is often observed as a channel to enable ransomware deployment. The information typically stolen from compromised PCs includes account information in the web browser, autofill values, internet cookies, cryptocurrency wallet address., and user account information stored in the FTP client. FTP client is a software that uses the FTP protocol to transfer files to and from a remote computer. Often, Vidar malware downloads other malware to perform additional malicious activities.
The malware uses the same icon and file name as the actual illegal activation tool and installs the tool, making it difficult for users to suspect malware infection in the first place. However, AhnLab’s V3 anti-malware products managed to detect and block the malware.
If you are not using V3 products, the following security guidelines must be followed to avoid damages caused by Vidar Malware ▲Use official SW and contents only ▲Do not visit suspicious websites ▲Maintain the latest version of all software, such as OS, Internet browsers, applications, ▲Update the anti-malware program periodically and maintain the latest version ▲Periodically change the password.
Jaejin Lee, a researcher at AhnLab, said, “Please refrain from visiting suspicious websites or P2P sites. The information stolen by the malware can be further exploited for additional crimes, such as money theft or account theft. So, it would be good to be cautious at all times to protect your valuable data.”