Pirated Copies of Microsoft Office Used to Distribute Frequent Malware in South Korea
31 May 2024 at 10:26
South Korean researchers have observed the malicious use of pirated copies and cracked activators of legitimate productivity and office utility programs such as Hangul Word Processor and Microsoft Office to disguise malicious programs.
The malware maintains persistence by scheduling regular upgrades on affected systems, leading to consistent installation of newer strains of the malware multiple times every week.
Malicious Pirated Copies of Microsoft Office and Other Programs
Researchers from AhnLab discovered that attackers have been creating and distributing malicious copies of popular utility software. These copies were distributed through common file-sharing platforms and torrent websites. The operation takes advantage of users looking to obtain free copies of software without paying the required license fee. When downloaded and executed, the programs usually appear as convincing cracked installers or activators for programs such as Microsoft Office or the Hangul word processor. While the initial downloader was developed in .NET, the attackers appear to have moved to more obfuscated attack techniques. The malware retrieves its instructions for the next stage of its attack from Telegram or Mastodon channels operated by the attackers. These channels contain encrypted Base64 strings that lead to Google Drive or GitHub URLs that host the malicious payloads. These malicious payloads are downloaded and decrypted through the use of the legitimate 7-zip archive utility that is commonly present on systems and operates with low footprint. Researchers discovered that the decrypted payloads contained PowerShell instructions to load and execute additional malware components on the victim's system. The malware strains loaded on the infected systems include:- OrcusRAT: A remote access trojan with extensive capabilities like keylogging, webcam access, and remote screen control.
- XMRig Cryptominer: Configured to stop mining when resource-intensive apps are running to avoid detection. Also kills competing miners and security products.
- 3Proxy: Injects itself into legitimate processes to open a backdoor proxy server.
- PureCrypter: Fetches and runs additional malicious payloads from attacker-controlled servers.
- AntiAV: Disrupts security products by repeatedly modifying their configuration files.