Researchers at AhnLab Security Intelligence Center (ASEC) have identified an ongoing campaign that distributes malware cocktails through cracked versions of MS Office and Windows downloaded from torrent websites.
The attackers distributed various malware strains to Korean users, such as downloaders, CoinMiner, remote access trojans (RATs), Proxy, and AntiAV.
Under the guise of cracked versions of legitimate programs like Windows, MS Office, and Hangul Word Processor, a tool popular in Korea.
The Researchers Said This
The Korean researchers, in their report, say that threat actors have been upgrading their malware by registering to the Task Scheduler in the infected system, which executes PowerShell commands to install the malware.
If the Task Scheduler is not remediated, new malware strains are repeatedly installed on the system.
However, users who have installed V3 do not experience issues with repeated malware installations, as V3 remediates the tasks installed by the malware.
Since the installed malware strains include a type that runs updates, the infection continues to persist even after blocking the previous URL, as the PowerShell commands registered to the Task Scheduler change constantly.
As a result, the attacker gains control of the infected Korean systems and utilizes them as proxies or to mine cryptocurrency, thereby putting users’ sensitive information at risk of theft.
The report further adds that a recently detected malware distribution case disguised as a cracked version of MS Office was developed using .NET and recently found to be obfuscated.
Before the obfuscation, it followed the format below and obtained the download URL by accessing Telegram after its initial execution.
The recently distributed malware consisted of two Telegram URLs and one Mastodon URL, each of which included a string used in the Google Drive or GitHub URL for each profile.
Further, the data downloaded from GitHub and Google Drive were strings encrypted in Base64, which, upon decryption, were actually PowerShell commands responsible for installing various malware strains.
The ASEC researchers say that the malware that has been found to be installed on the breached system are:
- Orcus RAT: Supports basic remote control features, such as system information collection, command execution, and tasks for files, registries, and processes. It also provides information exfiltration functions using keylogging and webcams.
- XMRig: It halts mining when the system executed programs occupy a considerable amount of system resources, such as games, hardware monitoring utilities, and programs for graphics processing, so as to avoid detection.
- 3Proxy: An open-source tool equipped with a proxy server feature that adds the 3306 port to the firewall rule, and injects 3Proxy into the legitimate process, allowing the threat actor to abuse the infected system as a proxy.
- PureCrypter: Downloads and executes additional payload from external sources.
- AntiAV: Disrupts and prevents a security program from operating properly by constantly modifying its configuration file inside the installation folder whenever the program is executed, thereby leaving the system vulnerable to the operation of the other components.
- Updater: Responsible for downloading and maintaining the persistence of the malware. It also registers to the Task Scheduler to enable itself to operate persistently even after a system reboot.
Users are recommended to exercise caution when downloading pirated or cracked software from suspicious sources to avoid the risk of infecting their devices.
