Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Illegal Sites. Show all posts

Pirated Microsoft Office Distributes a Malware Cocktail to Infiltrates Systems

 

The hackers are distributing a malware cocktail via cracked versions of Microsoft Office marketed on torrent websites. Malware distributed to customers includes remote access trojans (RATs), cryptocurrency miners, malware downloaders, proxy tools, and anti-AV programs. 

The AhnLab Security Intelligence Centre (ASEC) has recognised the ongoing attempt and warns against the risks of downloading unauthorised software. Korean researchers identified that the attackers employ a variety of lures, including Microsoft Office, Windows, and the Hangul Word Processor, which is popular in Korea. 

MS Office to malware 

The cracked Microsoft Office installer has a well-designed UI that allows users to choose the version they wish to install, the language, and whether to use 32- or 64-bit versions. 

However, in the background, the installer launches an obfuscated.NET malware that contacts a Telegram or Mastodon channel to obtain a valid download URL from which it will download other components. The URL refers to Google Drive or GitHub, both of which are reliable websites that are unlikely to trigger AV warnings. 

The malware component 'Updater' registers tasks in the Windows Task Scheduler to make sure they persist between system reboots. According to ASEC, the malware installs the following forms of malware on the compromised system: 

Orcus RAT: Provides extensive remote control, such as keylogging, webcam access, screen capture, and system modification for data exfiltration. 

XMRig: It is a cryptocurrency miner that exploits system resources to mine Monero. It halts mining during periods of high resource demand, such as while the victim is gaming, to avoid detection. 

3Proxy: Turns infected systems into proxy servers by opening port 3306 and inserting it into normal processes, allowing attackers to redirect malicious traffic. 

Even if the user detects and wipes any of the aforementioned malware, the 'Updater' module, which runs at system launch, will reintroduce it. Users should exercise caution when installing files downloaded from suspicious sources, and they should avoid using pirated/cracked software. 

Similar advertisements have been used to promote the STOP ransomware, which is the most active ransomware operation targeting consumers. Because these files are not digitally signed and users are willing to disregard antivirus warnings when launching them, they are frequently used to infect systems with malware, in this case a whole set.

Pay to Play PrivateLoader Disseminates Smokeloader, Redline &Vidar malware

 

An investigation at a pay-per-install loader has revealed its role in the distribution of famous malware variants including Smokeloader and Vidar. 

Intel 471 issued a report on PrivateLoader on Tuesday, analyzing cyberattacks that have used the loader since May 2021. The pay-per-install (PPI) malware service has been around for a time, but it's unclear who is responsible for its creation. Additional payloads are deployed on a target machine using loaders. 

PrivateLoader is a variation that is supplied to criminal customers on an installation basis, with payment based on the number of victims captured. PrivateLoader is managed by a collection of command-and-control (C2) servers and an AdminLTE 3-based administrator panel. 

Adding new users, configuring the loader to install a payload, picking target regions and nations, setting up payload download links, encryption, and selecting browser extensions for infecting target devices are all available through the front-end panel. 

The loader is mainly distributed through websites that sell pirated software. Cracked copies of popular software, which are occasionally included with key generators, are illegal versions of software that have been modified to avoid licencing or payment. On websites, download buttons for cracked software are included with JavaScript, which releases the payload in a.ZIP archive. 

The package contained a malicious executable, according to the cybersecurity firm's findings. A false GCleaner load reseller, PrivateLoader, and Redline are among the malware that is triggered by .exe file. 

Since at least May 2021, the PrivateLoader module has been used to run Smokeloader, Redline, and Vidar. Smokeloader is the most well-known of these malware families. Smokeloader is a distinct loader that can also be utilized for data theft and reconnaissance; Redline specializes in credential theft, whereas Vidar is spyware that can steal data from a variety of data types, including passwords, documents, and digital wallet details. 

A distribution link for Smokeloader also signals a possible connection to the Qbot banking Trojan. The Kronos banking Trojan and the Dridex botnet have both been disseminated using PrivateLoader bots. 

Although PrivateLoader isn't particularly linked to the distribution of ransomware, a loader associated with it, known as Discoloader, has been used in assaults aimed at spreading the malware. 

The researchers stated, "PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them with a wide array of options to easily achieve their goals. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader."