A recent investigation by EclecticIQ has revealed that Sandworm (APT44), a Russian state-sponsored Advanced Persistent Threat (APT) group linked to the GRU, is exploiting pirated Microsoft Key Management Service (KMS) tools to target Ukrainian Windows users.
This campaign, ongoing since late 2023, leverages trojanized KMS activators and fake Windows updates to deploy malware for cyber espionage and data exfiltration.
The operation underscores the vulnerabilities associated with Ukraine’s widespread use of unlicensed software.
Trojanized Software as an Attack Vector
Sandworm’s campaign involves distributing a malicious KMS activation tool disguised as legitimate software.
The tool, identified as “KMSAuto++x64_v1.8.4.zip,” was uploaded to torrent sites frequented by users seeking to bypass Windows licensing restrictions.
Upon execution, the tool presents a fake activation interface while secretly deploying the BACKORDER loader in the background.
This loader disables Windows Defender using PowerShell commands and prepares the system for the deployment of Dark Crystal RAT (DcRAT), a remote access Trojan.
The BACKORDER loader uses sophisticated techniques, including Living Off the Land Binaries (LOLBINs), to evade detection.
It retrieves a Base64-encoded domain string from its executable file, decodes it, and downloads DcRAT from a command-and-control (C2) server.
According to the EclecticIQ report, the malware is then stored in hidden directories on the victim’s system and executed stealthily.
Capabilities of Dark Crystal RAT
Once installed, DcRAT establishes a persistent connection with the C2 server and exfiltrates sensitive information from infected devices.
The stolen data includes screenshots, keystrokes, browser credentials, FTP login details, system configurations, and even saved credit card information.
To maintain persistence, DcRAT creates scheduled tasks using Windows’ built-in tools, ensuring its operations continue across system reboots.
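The loader and RAT behaviours described above (Defender disabled through PowerShell, a Base64-encoded C2 domain carried inside the loader executable, persistence through scheduled tasks) lend themselves to a simple host-log triage. The following is an added example written for this article, not code from EclecticIQ or from the malware itself; the command lines, paths, task names and the `example.invalid` URL are constructed placeholders, not indicators from the report.

```python
import base64
import re

# Constructed sample process command lines (hypothetical paths and task names).
SAMPLE_CMDLINES = [
    'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\u\\AppData\\Local\\Temp"',
    'schtasks /create /sc onlogon /tn "Updater" /tr "C:\\Users\\u\\AppData\\Roaming\\.cache\\svc.exe"',
    'schtasks /create /sc daily /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe"',
    'notepad.exe C:\\notes.txt',
]

DEFENDER_TAMPER = re.compile(r'(Set|Add)-MpPreference\s+-(Disable\w+|Exclusion\w+)', re.I)
TASK_CREATE = re.compile(r'schtasks(\.exe)?\s+/create|Register-ScheduledTask', re.I)
USER_WRITABLE = re.compile(r'\\(AppData|ProgramData|Temp|Users\\Public)\\', re.I)
B64_RUN = re.compile(rb'[A-Za-z0-9+/]{16,}={0,2}')
DOMAIN = re.compile(r'^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$', re.I)


def classify(cmdline):
    """Tag one command line with the behaviours the campaign description names."""
    tags = []
    if DEFENDER_TAMPER.search(cmdline):
        tags.append("defender_tamper")
    if TASK_CREATE.search(cmdline):
        # A task whose action lives under a user-writable directory is the
        # higher-confidence signal; legitimate installers rarely do this.
        tags.append("task_userdir" if USER_WRITABLE.search(cmdline) else "task_create")
    return tags


def triage(cmdlines):
    """Return {command line: tags} for every line that matched something."""
    hits = {c: classify(c) for c in cmdlines}
    return {c: t for c, t in hits.items() if t}


def embedded_domains(blob):
    """Decode Base64 runs in a binary blob and keep those that are a URL or domain,
    mirroring how the loader is described as carrying its C2 address."""
    found = []
    for m in B64_RUN.finditer(blob):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if DOMAIN.match(text):
            found.append(text)
    return found


# Constructed stand-in for a loader image: junk bytes around an encoded placeholder URL.
SAMPLE_BLOB = b"MZ\x90\x00" + b"\x00" * 8 + base64.b64encode(b"https://c2.example.invalid/") + b"\x00PE"
```

Running `triage(SAMPLE_CMDLINES)` flags the two Defender changes and both task creations (only the AppData one as `task_userdir`), and `embedded_domains(SAMPLE_BLOB)` recovers the placeholder URL.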

Multiple indicators link this campaign to Sandworm.
These include overlapping infrastructure with previous attacks, reuse of known malware like BACKORDER and DcRAT, and debug symbols in the malware pointing to a Russian-language build environment.
Additionally, WHOIS records show recurring use of ProtonMail accounts associated with Sandworm’s operations.
Ukraine’s reliance on pirated software, estimated at 70% in government institutions, has created a significant attack surface for adversaries like Sandworm.
By embedding malware in widely used cracked programs, Sandworm has likely gained access to critical networks across public and private sectors.
This tactic not only compromises individual systems but also poses a direct threat to national security and critical infrastructure.
To mitigate such threats:
- Avoid downloading software from untrusted sources.
- Implement endpoint detection and response (EDR) solutions.
- Regularly update systems with patches from official vendors.
- Educate users about the risks of pirated software.
Sandworm’s exploitation of pirated KMS tools highlights the intersection of economic vulnerabilities and cybersecurity risks in conflict zones like Ukraine.
As cyber warfare continues to evolve, robust defenses against such tactics are imperative for safeguarding critical infrastructure and national resilience.