Security research firm ASEC has discovered a new malware campaign in which a remote access trojan, BitRAT, is disguised as a Windows product key verification tool.
ASEC has found that this particular RAT is being distributed via Webhards, which are online file sharing services in Korea. While cracked and pirated software is well known to infect devices with malware, many people do not take such warnings seriously, or perhaps they are unable to afford genuine Windows licenses. As a result, malware makers continue to make and distribute malware via such means.
Getting into how this BitRAT works, ASEC explains that the downloaded zip file "W10DigitalActivation.exe" contains the malicious file alongside a genuine Windows activation file. The "W10DigitalActivation" msi file is apparently real, while the other file, "W10DigitalActivation_Temp", is the malware (see image below).
When an unsuspecting user runs the exe file, both the actual verification tool and the malware file are executed simultaneously, giving the user the impression that the Windows license key verification tool works as intended.
The W10DigitalActivation_Temp.exe malware file then downloads additional malicious files from the command and control (C&C) server and places them inside the Windows Startup folder via PowerShell. Finally, the BitRAT is installed as "Software_Reporter_Tool.exe" inside the %temp% folder, and a Windows Defender exclusion path for the Startup folder and an exclusion process for the BitRAT are added.
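As an added illustration (not part of ASEC's post or this article), the following PowerShell audit checks a host for the artefacts just described: a Defender exclusion path covering a Startup folder, an exclusion process or %temp% file named Software_Reporter_Tool.exe, executable items in the Startup folders, and recent Defender configuration-change events (ID 5007). It assumes Get-MpPreference and the Defender Operational event log are available and that it runs from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added audit script, not ASEC's code. The file name Software_Reporter_Tool.exe
# and the Startup-folder exclusion come from the article; everything else is a
# generic check of the same artefacts.
$findings    = @()
$suspectName = 'Software_Reporter_Tool.exe'
$startupDirs = @([Environment]::GetFolderPath('Startup'),        # per-user Startup folder
                 [Environment]::GetFolderPath('CommonStartup'))  # all-users Startup folder

# 1. Defender exclusions: the malware excludes the Startup folder as a path and
#    the RAT binary as a process, so either is a strong signal on its own.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath)) {
    foreach ($dir in $startupDirs) {
        if ($p -and $p -like "$dir*") { $findings += "Defender path exclusion covers Startup: $p" }
    }
}
foreach ($proc in @($pref.ExclusionProcess)) {
    if ($proc -and $proc -like "*$suspectName") { $findings += "Defender process exclusion: $proc" }
}

# 2. The RAT binary dropped into %TEMP% under the name reported by ASEC.
$tempCandidate = Join-Path $env:TEMP $suspectName
if (Test-Path $tempCandidate) {
    $sig = Get-AuthenticodeSignature $tempCandidate
    $findings += "Found $tempCandidate (Authenticode status: $($sig.Status))"
}

# 3. Executables or scripts sitting in either Startup folder (the PowerShell stage
#    writes its downloads there); review anything you do not recognise.
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.ps1', '.bat', '.vbs', '.lnk' } |
        ForEach-Object { $findings += "Startup item: $($_.FullName) (written $($_.LastWriteTime))" }
}

# 4. Defender logs every configuration change as event 5007; a recent one that
#    touches Exclusions and mentions Startup or the suspect name corroborates 1.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
    StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match 'Exclusions\\' -and
        ($e.Message -match 'Startup' -or $e.Message -match [regex]::Escape($suspectName))) {
        $findings += "Defender config change at $($e.TimeCreated): $(($e.Message -split "`n")[0])"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No BitRAT-style Startup/Defender-exclusion artefacts found.' }
```

A clean host prints the final line only; any warning line deserves a look at the named file or exclusion before it is removed.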
You can find more technical details in the original blog post.