Cybercriminals distribute a combination of malware through cracked versions of Microsoft Office on torrent sites. AhnLab Security Intelligence Center (ASEC) has identified this ongoing activity and warns of the risks associated with downloading pirated software.
Attackers use various baits including Microsoft Office, Windows, and the popular Hangul Word Processor in South Korea. The cracked Microsoft Office installer features a meticulously designed interface allowing users to select versions, languages, and 32-bit or 64-bit variants. However, in the background, the installer initiates obfuscated .NET malware.
This malware fetches valid download URLs from Telegram or Mastodon channels and downloads additional components from legitimate services like Google Drive or GitHub. These base64 payloads contain PowerShell commands introducing various malware into the system and utilizing 7Zip for extraction.
The following types of malware are installed on compromised systems:
Orcus RAT: Enables comprehensive remote control, including keylogging, accessing webcams, screen capturing, and system operations for data exfiltration.
XMRig: Cryptocurrency miner that utilizes system resources to mine Monero, suspending mining during periods of high resource usage to avoid detection.
3Proxy: Converts infected systems into proxy servers by opening port 3306 and injecting into legitimate processes, allowing attackers to route malicious traffic.
PureCrypter: Downloads and executes additional malicious payloads from external sources, ensuring the system remains infected with the latest threats.
AntiAV: Disables and disrupts security software by modifying configuration files, leaving the system vulnerable to other malicious components. Even if users discover and remove any of the aforementioned malware, the “Updater” module executes on system startup, reintroducing them.
Users should exercise caution when installing files downloaded from suspicious sources and generally avoid the use of pirated or cracked software. Similar activities have been used to spread STOP ransomware, one of the most active ransomware operations targeting consumers. Due to the lack of digital signatures, users often ignore antivirus warnings during execution, leading to system infection with a complete suite of malware.
