Hackers are distributing a malware cocktail through cracked versions of Microsoft Office advertised on torrent websites. The malware delivered to victims includes remote access trojans (RATs), cryptocurrency miners, malware downloaders, proxy tools, and anti-AV programs.
The AhnLab Security Intelligence Centre (ASEC) has identified the ongoing campaign and warns of the risks of downloading unauthorised software. The Korean researchers found that the attackers use a variety of lures, including Microsoft Office, Windows, and the Hangul Word Processor, which is popular in Korea.
MS Office to malware
The cracked Microsoft Office installer has a well-designed UI that lets users choose the version they wish to install, the language, and whether to install the 32- or 64-bit build.
However, in the background, the installer launches an obfuscated .NET malware that contacts a Telegram or Mastodon channel to obtain a valid download URL from which it fetches further components. The URL points to Google Drive or GitHub, both reputable services whose traffic is unlikely to trigger AV warnings.
The 'Updater' malware component registers tasks in the Windows Task Scheduler so that the components persist across system reboots. According to ASEC, the malware installs the following types of malware on the compromised system:
Orcus RAT: Provides extensive remote control, including keylogging, webcam access, screen capture, and system modification for data exfiltration.
XMRig: A cryptocurrency miner that uses the system's resources to mine Monero. It pauses mining during periods of high resource demand, such as while the victim is gaming, to avoid detection.
3Proxy: Turns infected systems into proxy servers by opening port 3306 and injecting itself into normal processes, allowing attackers to route malicious traffic through the victim.
Even if the user detects and removes any of the malware above, the 'Updater' module, which runs at system startup, will reinstall it. Users should exercise caution when running files downloaded from untrusted sources and should avoid pirated/cracked software altogether.
Similar advertisements have been used to distribute the STOP ransomware, the most active ransomware operation targeting consumers. Because these files are not digitally signed and users are willing to disregard antivirus warnings when launching them, they are frequently used to infect systems with malware, in this case an entire set of it.
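As a defender-side triage aid (an added example, not code from the ASEC report or this article), the following PowerShell lists enabled scheduled tasks whose action runs from a user-writable directory and reports whatever is listening on TCP 3306, the port the article attributes to 3Proxy. The campaign's task names and file paths are not given in the article, so the path heuristic and the MySQL process-name check are assumptions, and every hit needs manual confirmation.

```powershell
# Added triage script (not from the ASEC report): hunts for the two behaviours the
# article describes, scheduled-task persistence and a 3Proxy listener on TCP 3306.
# Assumption: the campaign's task names and file paths are unknown here, so the
# checks are heuristic. Run in an elevated session so process paths are readable.

# 1. Enabled scheduled tasks whose action runs from a user-writable location.
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC)
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
        $hit = $suspectRoots | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        if ($hit) {
            $info = $task | Get-ScheduledTaskInfo
            [PSCustomObject]@{
                Finding   = 'Task runs from user-writable path'
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $exe
                Arguments = $action.Arguments
                LastRun   = $info.LastRunTime
            }
        }
    }
}

# 2. Anything listening on TCP 3306 that is not a known MySQL/MariaDB server process.
Get-NetTCPConnection -LocalPort 3306 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Finding      = 'Listener on TCP 3306'
        LocalAddress = $_.LocalAddress
        Pid          = $_.OwningProcess
        Process      = $proc.ProcessName
        Path         = $proc.Path
        # Assumption: only these names are expected to own 3306 on a legitimate host.
        LooksLikeDb  = ($proc.ProcessName -match '^(mysqld|mariadbd)$')
    }
}
```

A listener on 3306 owned by a process other than a database server, or a task pointing into %TEMP% or %APPDATA%, is a lead to investigate, not proof of this campaign.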