What's Happening?
A malicious domain closely resembling the legitimate Microsoft Activation Scripts (MAS) tool has been used to distribute harmful PowerShell scripts, infecting Windows systems with the 'Cosmali Loader'.
The domain 'get.activate[.]win' was set up to mimic the official MAS activation domain 'get.activated.win', relying on users mistyping the URL. This attack has led to infections with the Cosmali Loader, which delivers cryptomining utilities and the XWorm remote access trojan. Security researchers have identified that the malware's control panel is insecure, allowing unauthorized access. The MAS tool, which is open-source and hosted on GitHub, is used to automate the activation of Microsoft products, but Microsoft considers it a piracy tool. Users are advised to be cautious when typing commands and to avoid executing remote code without understanding its function.
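The typosquat above differs from the real MAS domain by a single dropped letter, which is exactly what an edit-distance check against a watchlist of legitimate domains catches. The following is an added example (not code from the article or the MAS project) that flags lookalike queries in DNS resolver logs; the log format, the `github.com` watchlist entry and the sample log lines are constructed assumptions.

```python
import re

# Constructed watchlist of legitimate domains; get.activated.win is the MAS domain named above.
WATCHLIST = ("get.activated.win", "github.com")

# Constructed sample DNS resolver log lines (the log format itself is an assumption).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 query=get.activated.win type=A
2024-05-01T10:00:07Z client=10.0.0.9 query=get.activate.win type=A
2024-05-01T10:00:12Z client=10.0.0.9 query=update.microsoft.com type=A
2024-05-01T10:00:20Z client=10.0.0.7 query=get.activated.win.evil.example type=A
"""
QUERY_RE = re.compile(r"query=(?P<domain>\S+)")

def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot and undo defanging such as 'get.activate[.]win'."""
    return domain.lower().rstrip(".").replace("[.]", ".")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), the usual typosquat proximity measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, watchlist=WATCHLIST, max_distance: int = 2):
    """Return the watchlisted domain that `domain` imitates, or None."""
    d = normalize(domain)
    if d in watchlist:
        return None
    for legit in watchlist:
        # Near-miss spelling (get.activate.win vs get.activated.win) or the legitimate
        # name used as the leading labels of some other host.
        if levenshtein(d, legit) <= max_distance or d.startswith(legit + "."):
            return legit
    return None

def scan_dns_log(text: str):
    """Return (queried_domain, imitated_domain) for every lookalike query in the log."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and (legit := lookalike_of(m.group("domain"))):
            hits.append((normalize(m.group("domain")), legit))
    return hits
```

`scan_dns_log(SAMPLE_LOG)` flags the two lookalike queries and leaves the genuine MAS domain and the unrelated Microsoft host alone; on short watchlist names a distance of 2 will also match unrelated domains, so tune `max_distance` per entry rather than globally.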
Why Is It Important?
This incident highlights the ongoing threat of typosquatting, where attackers create domains that closely resemble legitimate ones to trick users into downloading malware. The use of the Cosmali Loader to distribute cryptomining utilities and remote access trojans poses significant security risks, potentially leading to unauthorized access and data breaches. This type of attack underscores the importance of cybersecurity vigilance, especially for users of open-source tools like MAS. The broader impact includes potential financial losses for individuals and organizations, as well as increased scrutiny on tools perceived as facilitating software piracy.
What's Next?
Users and organizations are likely to increase their cybersecurity measures, including the use of multifactor authentication and more rigorous domain verification processes. Security researchers may continue to monitor and report on similar typosquatting incidents to prevent further infections. Microsoft and other software companies might enhance their efforts to combat piracy tools and educate users on safe software activation practices. Additionally, there could be legal actions against those responsible for setting up and operating malicious domains.