Xtreme RAT and a cryptominer are being delivered through pirated copies of the Windows operating system, according to eSentire's Threat Response Unit (TRU). The researchers published an advisory on Thursday detailing the threat.
eSentire identified malicious Windows services that modify system permissions, disable Windows Defender and retrieve further payloads from an attacker-controlled URL. The behaviour closely resembles activity Minerva Labs described in mid-2021. Xtreme RAT achieves persistence on the host by registering new services with innocuous display names such as "Registration for device management" and "Previous Versions Library."
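The two display names quoted above, plus the Defender tampering the advisory describes, are enough to build a quick endpoint hunt. The script below is an added example written for this article, not eSentire's or Minerva's code; the display names come from the advisory, and everything else (the event log fields relied on, the Defender settings checked, the registry policy key) is an assumption about where this behaviour would leave traces on a typical Windows host.

```powershell
# Added example: hunt for the service names and Defender tampering described in
# the eSentire advisory. Not eSentire's code. Run from an elevated PowerShell
# session on the host being examined.

# Display names quoted in the advisory (assumed to be exact, case-insensitive matches).
$SuspectDisplayNames = @('Registration for device management', 'Previous Versions Library')

# 1. Installed services whose display name matches the advisory.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $SuspectDisplayNames -contains $_.DisplayName } |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName

if ($services) {
    Write-Warning 'Services matching the advisory display names:'
    $services | Format-Table -AutoSize
} else {
    Write-Output 'No installed service carries one of the advisory display names.'
}

# 2. Service installation events (System log, Service Control Manager, ID 7045).
#    These record the service, image path and installing account at install
#    time, so a service that was later removed still leaves a trace.
#    Assumption: the 7045 ServiceName field carries the display name.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($SuspectDisplayNames -contains $data['ServiceName']) {
        Write-Warning ('7045 at {0}: "{1}" -> {2} (installed by {3})' -f
            $e.TimeCreated, $data['ServiceName'], $data['ImagePath'], $data['AccountName'])
    }
}

# 3. Defender state. The advisory says the services disable Windows Defender;
#    real-time protection turned off, exclusions added, or the DisableAntiSpyware
#    policy set are the usual ways that is done (assumed, not stated by eSentire).
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status -and (-not $status.RealTimeProtectionEnabled -or -not $status.AntivirusEnabled)) {
    Write-Warning 'Defender real-time or antivirus protection is disabled.'
}

$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref -and $pref.ExclusionPath) {
    Write-Warning ('Defender path exclusions present: ' + ($pref.ExclusionPath -join ', '))
}

$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    Write-Warning 'Policy value DisableAntiSpyware=1 is set (Defender disabled by policy).'
}
```

Matching on display names alone is brittle: the operator can rename the service at any time, so treat a hit as a starting point and pivot on the image path and installing account from the 7045 event rather than on the name. A Defender finding on its own is not proof of this campaign, since administrators legitimately add exclusions, but combined with an unfamiliar service image path it is worth escalating.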
eSentire observed several instances of this threat from late 2021 to early 2022, with the infections predominantly found on systems suspected of operating pirated versions of Microsoft’s Windows OS. The motives behind these infections are believed to be financially driven, as the backdoored OS provides tools for monetizing infected systems through Cryptominer, RAT, and adware.
While the infection scheme and the malware deployed are not especially sophisticated, eSentire suggests the threat actors are targeting poorly secured personal devices to generate revenue quietly over time. eSentire recommends a multi-layered defence, covering both malware on the endpoint and unauthorised login activity, to protect against these threats.
eSentire advises individuals and organizations to always download software from trusted sources and ensure that antivirus signatures are up to date. A comprehensive list of recommendations can be found in eSentire’s original advisory. This information comes after a recent Kaspersky report indicated a sharp increase in the number of users facing gaming-related malware and unwanted software over the past year.