Deceptive Activation: Uncovering the PowerShell Malware Threat

Malicious PowerShell Malware Spread Through Fake MAS Windows Activation Domain

A fraudulent domain masquerading as the Microsoft Activation Scripts (MAS) tool has been identified as the conduit for distributing harmful PowerShell scripts that target Windows systems with the ‘Cosmali Loader’ malware.

Reports from multiple MAS users on Reddit [1, 2] surfaced, indicating that they had encountered pop-up alerts regarding a Cosmali Loader infection on their systems.

Users were alerted to a malware infection named ‘Cosmali Loader’ due to a typographical error in the domain name ‘get.activated.win,’ mistyped as ‘get.activate[.]win’ during the Windows activation process in PowerShell.

The malware’s control panel is insecure, allowing unauthorized access to the infected computer.

Experts advise affected users to reinstall Windows to mitigate the threat and exercise caution to prevent future incidents.

To confirm the malware infection, users are urged to check Task Manager for any unusual PowerShell processes.

Attackers deployed a deceptive domain, “get.activate[.]win,” closely resembling the authentic domain “get.activated.win” specified in the official MAS activation guidelines, banking on users’ inadvertent typographical errors.

Security researcher RussianPanda identified the notifications as linked to the Cosmali Loader malware, capable of disseminating cryptomining utilities and the XWorm remote access trojan (RAT).

Although the source of the warning messages remains unknown, it is speculated that a well-intentioned researcher accessed the malware control panel to alert users of the compromise.

MAS, an open-source suite of PowerShell scripts, facilitates the automated activation of Microsoft Windows and Office through HWID activation, KMS emulation, and various bypass methods like Ohook and TSforge.

Despite its open-source nature, Microsoft views MAS as a piracy tool that circumvents legitimate licensing mechanisms to activate products without proper authorization.

The project maintainers cautioned users about the campaign and advised them to verify commands before execution.

Users are encouraged to exercise caution when executing remote code, comprehend its functionality, test in a secure environment, and avoid retyping commands to mitigate risks associated with accessing malicious content from deceptive domains.

Unauthorized Windows activation tools have frequently been exploited for malware distribution, underscoring the importance of user vigilance and discretion when utilizing such software.

Addressing broken Identity and Access Management (IAM) practices is crucial as its repercussions extend beyond IT to impact the entire organization.

This comprehensive guide outlines the shortcomings of traditional IAM approaches, showcases effective IAM strategies, and provides a practical checklist for devising a scalable IAM strategy.

Access the guide