South Korean researchers have observed the malicious use of pirated copies and cracked activators of legitimate productivity and office utility programs such as Hangul Word Processor and Microsoft Office to disguise malicious programs. The malware maintains persistence by scheduling regular upgrades on affected systems, leading to consistent installation of newer strains of the malware multiple times every week.

Malicious Pirated Copies of Microsoft Office and Other Programs

Researchers from AhnLab discovered that attackers have been creating and distributing malicious copies of popular utility software. These copies were distributed through common file-sharing platforms and torrent websites. The operation takes advantage of users looking to obtain free copies of software without paying the required license fee. When downloaded and executed, the programs usually appear as convincing cracked installers or activators for programs such as Microsoft Office or the Hangul word processor. While the initial downloader was developed in .NET, the attackers appear to have moved to more obfuscated attack techniques. The malware retrieves its instructions for the next stage of its attack from Telegram or Mastodon channels operated by the attackers. These channels contain encrypted Base64 strings that lead to Google Drive or GitHub URLs that host the malicious payloads. These malicious payloads are downloaded and decrypted through the use of the legitimate 7-zip archive utility that is commonly present on systems and operates with low footprint. Researchers discovered that the decrypted payloads contained PowerShell instructions to load and execute additional malware components on the victim's system. The malware strains loaded on the infected systems include:

• OrcusRAT: A remote access trojan with extensive capabilities like keylogging, webcam access, and remote screen control.
• XMRig Cryptominer: Configured to stop mining when resource-intensive apps are running to avoid detection. Also kills competing miners and security products.
• 3Proxy: Injects itself into legitimate processes to open a backdoor proxy server.
• PureCrypter: Fetches and runs additional malicious payloads from attacker-controlled servers.
• AntiAV: Disrupts security products by repeatedly modifying their configuration files.

The commands include an updater that contains instructions to maintain persistence over the system through the use of the native Windows Task Scheduler present on the Windows operating system. C&C server addresses shared by the researchers also indicate that they have been disguised as a minecraft rpg server.

Continuous Reinfection and Distribution

The researchers said systems may remain infected even after the initial infection has been removed, due to the malware's ability to update itself as well as download additional malware payloads. They stated that the attackers had distributed new malware on affected systems multiple times each week to bypass file detection. The researchers said the number of systems that had been compromised in these attacks continued to increase as the registered task scheduler entries loaded additional malicious components on affected systems despite the removal of previous underlying malware. The researchers advised South Korean users to download software and programs from their official sources rather than file-sharing sites. Users who suspect that their systems may already have been infected should remove associated task scheduler entries to block the download of additional malware components, and update their antivirus software to the latest available versions. The researchers have additionally shared indicators of compromise, categories that have been detected as flagged in the attack, MD5 hashes of files used in the attack, associated C&C server addresses, and suspicious behaviors that have been observed during the attack. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

An anonymous reader quotes a report from Ars Technica: Some of the most infamous so-called shadow libraries have increasingly faced legal pressure to either stop pirating books or risk being shut down or driven to the dark web. Among the biggest targets are Z-Library, which the US Department of Justice has charged with criminal copyright infringement, and Library Genesis (Libgen), which was sued by textbook publishers last fall for allegedly distributing digital copies of copyrighted works "on a massive scale in willful violation" of copyright laws. But now these shadow libraries and others accused of spurning copyrights have seemingly found an unlikely defender in Nvidia, the AI chipmaker among those profiting most from the recent AI boom. Nvidia seemed to defend the shadow libraries as a valid source of information online when responding to a lawsuit from book authors over the list of data repositories that were scraped to create the Books3 dataset used to train Nvidia's AI platform NeMo. That list includes some of the most "notorious" shadow libraries -- Bibliotik, Z-Library (Z-Lib), Libgen, Sci-Hub, and Anna's Archive, authors argued. However, Nvidia hopes to invalidate authors' copyright claims partly by denying that any of these controversial websites should even be considered shadow libraries. "Nvidia denies the characterization of the listed data repositories as 'shadow libraries' and denies that hosting data in or distributing data from the data repositories necessarily violates the US Copyright Act," Nvidia's court filing said. The chipmaker did not go into further detail to define what counts as a shadow library or what potentially absolves these controversial sites from key copyright concerns raised by various ongoing lawsuits. Instead, Nvidia kept its response brief while also curtly disputing authors' petition for class-action status and defending its AI training methods as fair use. "Nvidia denies that it has improperly used or copied the alleged works," the court filing said, arguing that "training is a highly transformative process that may include adjusting numerical parameters including 'weights,' and that outputs of an LLM may be based, at least in part, on such 'weights.'" "Nvidia's argument likely depends on the court agreeing that AI models ingesting published works in order to transform those works into weights governing AI outputs is fair use," notes Ars. "However, authors have argued that 'these weights are entirely and uniquely derived from the protected expression in the training dataset' that has been copied without getting authors' consent or providing authors with compensation." "Authors suing Nvidia have taken the next step, linking the chipmaker to shadow libraries by arguing that 'these shadow libraries have long been of interest to the AI-training community because they host and distribute vast quantities of unlicensed copyrighted material. For that reason, these shadow libraries also violate the US Copyright Act.'"

Read more of this story at Slashdot.