Xtreme RAT and Cryptominer Spread Through Pirated Windows OS Copies
Recent findings from eSentire’s Threat Response Unit (TRU) have uncovered a new threat targeting users who download pirated copies of the Windows operating system (OS). The security researchers have issued an advisory warning users about the dangers associated with this malicious software.
Malicious Behavior
TRU found that the backdoored installations ran several malicious Windows services that modified system permissions, disabled Windows Defender, and retrieved payloads from a malicious URL. This behavior closely aligns with Minerva Labs' reporting from mid-2021.
Xtreme RAT, a remote access trojan, gained persistence on the host by creating new services with display names such as “Registration for device management” and “Previous Versions Library.” TRU has observed these tactics in incidents dating from late 2021 to early 2022.
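The two service names above are a cheap hunting pivot. The following Python script is an added example, not eSentire's or TRU's code: it walks constructed records in the shape of Windows System log "service installed" events (Event ID 7045 fields: service name, service file name, account) and flags a service when its display name matches one the advisory reports, when its command line contains a Windows Defender tampering string, or when its binary lives in a user-writable directory. The Defender patterns and the user-writable prefix list are my own assumptions, since the advisory says Defender was disabled but does not quote the commands used.

```python
"""Hunt service-install records for the persistence services named in the
advisory. Added example; the sample events below are constructed, not real."""
import re
from dataclasses import dataclass, field

# Display names of the services the advisory reports Xtreme RAT creating.
SUSPICIOUS_SERVICE_NAMES = {
    "registration for device management",
    "previous versions library",
}

# Assumption: strings that indicate a service command line tampers with
# Windows Defender (Set-MpPreference parameters / Defender policy values).
DEFENDER_TAMPER_PATTERNS = [
    re.compile(r"DisableRealtimeMonitoring", re.I),
    re.compile(r"DisableAntiSpyware", re.I),
    re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
]

# Assumption: legitimate services rarely run from these user-writable paths.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# One constructed record per line: "Service Name: ... | Service File Name: ... | Service Account: ..."
_LINE_RE = re.compile(
    r"Service Name:\s*(?P<name>.*?)\s*\|\s*Service File Name:\s*(?P<path>.*?)"
    r"\s*\|\s*Service Account:\s*(?P<account>.*)$"
)


@dataclass
class Finding:
    service_name: str
    image_path: str
    reasons: list = field(default_factory=list)


def parse_7045_line(line):
    """Return (name, path, account) for a well-formed record, else None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), m.group("path"), m.group("account")


def check_service(name, path):
    """Return the list of reasons a service looks suspicious (empty if none)."""
    reasons = []
    if name.strip().lower() in SUSPICIOUS_SERVICE_NAMES:
        reasons.append("display name matches a service reported in the advisory")
    for pat in DEFENDER_TAMPER_PATTERNS:
        if pat.search(path):
            reasons.append("command line tampers with Windows Defender")
            break
    bare = path.strip().strip('"').lower()
    if bare.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("service binary lives in a user-writable directory")
    return reasons


def find_suspicious(lines):
    """Parse every record and keep those with at least one reason."""
    findings = []
    for line in lines:
        parsed = parse_7045_line(line)
        if parsed is None:
            continue  # not a service-install record; skip silently
        name, path, _account = parsed
        reasons = check_service(name, path)
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings


# Constructed sample events: two mimic the advisory's services, two are benign.
SAMPLE_EVENTS = [
    "Service Name: Registration for device management | Service File Name: "
    "C:\\ProgramData\\DevMgmt\\regsvc.exe | Service Account: LocalSystem",
    "Service Name: Windows Update | Service File Name: "
    "C:\\Windows\\system32\\svchost.exe -k netsvcs -p | Service Account: LocalSystem",
    "Service Name: Previous Versions Library | Service File Name: powershell.exe "
    "-w hidden -c \"Set-MpPreference -DisableRealtimeMonitoring $true\" | Service Account: LocalSystem",
    "Service Name: Print Spooler | Service File Name: "
    "C:\\Windows\\System32\\spoolsv.exe | Service Account: LocalSystem",
    "not a service-install record at all",
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"[!] {f.service_name}: {f.image_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live host the same checks apply to `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` output or to the `HKLM\SYSTEM\CurrentControlSet\Services` tree; the name match is the high-confidence signal, while the path and Defender heuristics are there to catch renamed copies of the same services.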
Financial Motives
The motives behind these infections are believed to be financial. The backdoored OS bundles a cryptominer, the RAT, and adware, which monetize infected systems by abusing system resources, committing fraud, and displaying advertisements.
While the infection scheme and malware deployed are not highly sophisticated, they indicate that threat actors may be targeting poorly secured personal devices to quietly generate revenue over time.
Defense Recommendations
eSentire recommends a multi-layered defense approach to protect endpoints from malware and unauthorized login activity. Users are advised to download software from trusted sources and ensure that antivirus signatures are up to date.
For a comprehensive list of recommendations, refer to eSentire’s original advisory. This warning comes in light of a recent Kaspersky report indicating a sharp increase in gaming-related malware and unwanted software targeting users.
By following these precautions, users can safeguard their systems and data against potential threats posed by malicious software distributed through pirated Windows OS copies.