
Pirated Microsoft Office Distributes a Malware Cocktail to Infiltrate Systems


Attackers are distributing a malware cocktail through cracked versions of Microsoft Office advertised on torrent sites. The bundle delivered to victims includes remote access trojans (RATs), cryptocurrency miners, malware downloaders, proxy tools, and anti-AV programs.

The AhnLab Security Intelligence Centre (ASEC) has identified the ongoing campaign and warns of the risks of downloading unauthorised software. The Korean researchers found that the attackers use a variety of lures, including Microsoft Office, Windows, and the Hangul Word Processor, which is popular in Korea.

MS Office to malware 

The cracked Microsoft Office installer has a polished UI that lets users choose the version to install, the language, and whether to use the 32- or 64-bit build.

In the background, however, the installer launches obfuscated .NET malware that contacts a Telegram or Mastodon channel to obtain a valid download URL for the remaining components. The URL points to Google Drive or GitHub, both legitimate services whose traffic is unlikely to trigger AV warnings.
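This resolver-then-download pattern (a request to a messaging service to fetch the current URL, followed almost immediately by a large download from a file-hosting service, both from the same non-browser process) is something defenders can correlate from egress logs. The following is an added example, not code from ASEC's report or from the malware: the log format, the browser allowlist and the Mastodon instance name are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Hosts the downloader queries for the current payload URL ("dead drops").
# api.telegram.org and t.me are Telegram; mastodon.social stands in for any Mastodon instance (assumed).
RESOLVER_HOSTS = {"api.telegram.org", "t.me", "mastodon.social"}
# Legitimate file-hosting services the resolved URL points to.
PAYLOAD_HOSTS = {"drive.google.com", "drive.usercontent.google.com",
                 "github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Browsers hit all of these every day; correlating them would only produce noise (assumed tuning).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Assumed log format: "<ISO timestamp> <endpoint> <process> <destination host> <bytes received>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<endpoint>\S+)\s+(?P<proc>\S+)\s+(?P<dst>\S+)\s+(?P<rx>\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["rx"] = int(ev["rx"])
    return ev

def find_dead_drop_chains(lines, window=timedelta(minutes=5)):
    """Return (endpoint, process, resolver, payload_host) for every resolver -> payload-host
    sequence made by the same non-browser process within `window`."""
    last_resolver = {}   # (endpoint, process) -> (timestamp, resolver host)
    chains = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["proc"].lower() in BROWSERS:
            continue
        key = (ev["endpoint"], ev["proc"])
        if ev["dst"] in RESOLVER_HOSTS:
            last_resolver[key] = (ev["ts"], ev["dst"])
        elif ev["dst"] in PAYLOAD_HOSTS and key in last_resolver:
            seen_at, resolver = last_resolver[key]
            if timedelta(0) <= ev["ts"] - seen_at <= window:
                chains.append((ev["endpoint"], ev["proc"], resolver, ev["dst"]))
    return chains

# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
2024-05-20T09:00:01 PC-17 chrome.exe t.me 4120
2024-05-20T09:00:07 PC-17 chrome.exe github.com 88120
2024-05-20T09:12:30 PC-17 Setup-Office-2021.exe api.telegram.org 931
2024-05-20T09:12:33 PC-17 Setup-Office-2021.exe drive.google.com 2418688
2024-05-20T09:30:00 PC-22 Updater.exe mastodon.social 1204
2024-05-20T09:30:04 PC-22 Updater.exe raw.githubusercontent.com 770048
2024-05-20T10:45:00 PC-22 Updater.exe raw.githubusercontent.com 770048
2024-05-20T11:00:00 PC-09 git.exe github.com 512000
"""

if __name__ == "__main__":
    for chain in find_dead_drop_chains(SAMPLE_LOG.splitlines()):
        print("dead-drop chain:", chain)
```

The browser lines and the `git.exe` fetch are not reported, and the second `Updater.exe` download at 10:45 is not either, because no resolver request preceded it within the window; only the two installer/updater sequences surface. In practice the window and the browser allowlist are the knobs to tune against your own telemetry.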

The 'Updater' component registers tasks in the Windows Task Scheduler so that the malware persists across reboots. According to ASEC, it installs the following malware on the compromised system:

Orcus RAT: Provides extensive remote control, including keylogging, webcam access, screen capture, and system manipulation for data exfiltration.

XMRig: A cryptocurrency miner that uses the victim's hardware to mine Monero. It pauses mining during periods of high resource demand, such as when the victim is gaming, to avoid being noticed.

3Proxy: Turns infected systems into proxy servers by opening port 3306 and injecting itself into legitimate processes, allowing attackers to route malicious traffic through the victim.

Even if the user detects and removes any of the malware above, the 'Updater' module, which runs at system start, reinstalls it. Users should be cautious when installing files downloaded from untrusted sources and should avoid pirated or cracked software altogether.
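The persistence mechanism described above leaves an artefact defenders can check: every scheduled task is stored as an XML definition under C:\Windows\System32\Tasks. The following added example (not ASEC's code and not a sample of the malware) audits one such definition for the traits typical of a dropper's 'Updater' task: boot or logon triggers, a short repetition interval, a hidden task, an elevated run level, and a binary launched from a user-writable directory. Both task definitions are constructed for the example, and the path and script-host heuristics are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler definition stored under C:\Windows\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a non-admin dropper can write to; vendor tasks rarely launch from them (assumed heuristic).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
# Script hosts often used to pull and run a second stage (assumed heuristic).
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$", re.IGNORECASE)

def _local(tag):
    """Tag name without its namespace."""
    return tag.rsplit("}", 1)[-1]

def _text(node, path, default=""):
    """Stripped text of the first element matching `path`, or `default`."""
    return (node.findtext(path, default=default, namespaces=NS) or "").strip()

def audit_task_xml(xml_text):
    """Summarise one task definition and list traits typical of a dropper's persistence task."""
    root = ET.fromstring(xml_text)
    findings = []

    triggers_el = root.find("t:Triggers", NS)
    triggers = [_local(t.tag) for t in triggers_el] if triggers_el is not None else []
    if any(t in ("BootTrigger", "LogonTrigger") for t in triggers):
        findings.append("runs at boot/logon")
    interval = _text(root, ".//t:Repetition/t:Interval")   # ISO 8601 duration, e.g. PT5M
    m = re.fullmatch(r"PT(\d+)M", interval)
    if m and int(m.group(1)) <= 10:
        findings.append(f"re-runs every {m.group(1)} minutes")

    commands = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd, args = _text(exe, "t:Command"), _text(exe, "t:Arguments")
        commands.append(f"{cmd} {args}".strip())
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append(f"launches from user-writable path: {cmd}")
        if SCRIPT_HOSTS.search(cmd):
            findings.append(f"uses script host: {cmd}")
        if re.search(r"-(enc|encodedcommand|w(indowstyle)? hidden)\b", args, re.IGNORECASE):
            findings.append("hidden or encoded command line")

    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append("task hidden from the UI")
    if _text(root, ".//t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("requests highest available privileges")
    return {"triggers": triggers, "commands": commands, "findings": findings}

# Constructed task modelled on the behaviour described in the post; not a real ASEC artefact.
MALICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OfficeUpdater</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><Repetition><Interval>PT5M</Interval></Repetition></LogonTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\Updater\Updater.exe</Command>
      <Arguments>-w hidden</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign vendor updater task for comparison.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files (x86)\ExampleVendor\Updater.exe</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, audit_task_xml(xml))
```

To run this against a live machine, feed it the output of `schtasks /query /tn <name> /xml` or the files under C:\Windows\System32\Tasks (those are stored as UTF-16, so read them as bytes before parsing). A task that trips several of these findings at once is worth pulling the binary for; a single finding, such as a logon trigger, is normal for plenty of legitimate software.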

Similar lures have been used to push the STOP ransomware, the most active ransomware operation targeting consumers. Because these files are not digitally signed, and users are willing to dismiss antivirus warnings when running them, they are a favoured way to infect systems with malware, in this case an entire bundle.

Here is Another Powerful Case Against Using Pirated Software

Downloading unlicensed software may save you a few dollars, but you risk losing far more: researchers have found a cryptocurrency-targeting info stealer hiding inside the cracks. "RisePro" is a new piece of information-stealing malware discovered independently by two cybersecurity companies, Flashpoint and Sekoia.

RisePro is distributed via websites that also host cracked software, loaders, and other illegal content, and it infects endpoints through the pay-per-install (PPI) malware distribution service PrivateLoader.

Researchers found that RisePro and PrivateLoader are very similar, leading them to believe that the distribution platform now has an info stealer of its own. They also determined that it uses the same system of embedded DLL dependencies as Vidar, suggesting Vidar served as its foundation.

RisePro harvests data from browsers (Google Chrome, Firefox and around 30 others), browser extensions (Authenticator, MetaMask, Coinbase and 26 others), and cryptocurrency wallets. It can also scan filesystem directories for valuable data such as credit card details, and it steals data from Discord, Battle.net, and Authy Desktop.

Flashpoint reports that criminals have already begun selling RisePro logs containing sensitive personally identifiable information on Russian dark web markets. Threat actors interested in buying the logs, or the tool itself, can do so through the operators' Telegram bot.

PrivateLoader, according to the researchers, is a pay-per-install malware distribution service that commonly masquerades as a software crack or keygen. Until now it had delivered only RedLine Stealer and Raccoon, two infostealers widely used in the cybercrime community.

The best defence against such risks is to avoid downloading pirated content in the first place and to obtain software only from reliable, trustworthy sources. Running a reputable antivirus product is also recommended.

Think Twice Before Downloading Pirated Software, Your Private Details Might Be at Risk


Software can be expensive, especially for those on a tight budget. Many students and researchers find themselves in difficult situations because of those costs, and some turn to pirated software. It takes a heavy toll on software developers, whose work is effectively stolen from them.

Pirated software is any title used outside the licence terms set by the developer or distributor, which in practice often means a cheaply made, illegally copied version. Cracked copies are frequently bundled with malware, because a widely downloaded crack lets a threat actor compromise large numbers of personal computers and harvest stolen credentials at scale. Here are some of the risks of downloading and using illegal software.

Malicious content

Downloading pirated software can pose serious security risks, especially for those who use their computers for banking, shopping, or submitting health insurance claims. Security researchers have recently found illegitimate key generators and cracked software bundled with ransomware and password-stealing malware.

According to a report by security firm Cybereason, a single cracked application can affect more than 500,000 machines. A study by the Digital Citizens Alliance found that one-third of pirated software contained malware, and that software downloaded from illegal sources was 28 times more likely to contain malware than software downloaded from legitimate sources.

Legitimacy issues 

Downloading pirated software is a punishable offence in almost every country. It is a violation of software copyright law, and the penalty depends on the copyright law of the country in which the person is charged.

Another consequence is that the software vendor may block you temporarily or permanently. If you pirate a copy of Adobe Photoshop, for instance, Adobe could block you from using any of its software in future, which is a serious problem if you rely on it for your work.

Lack of updates 

The biggest consequence of using pirated software is the lack of updates. For legitimate software, vendors roll out timely updates not only to add features but also to patch vulnerabilities in the code. A cracked copy cannot safely take those updates, so it deprives you of new functionality and leaves you exposed to attackers exploiting known bugs in the version you are running.

Pirated Software Used To Distribute Malware


Researchers have uncovered another persistent operation that uses a network of websites functioning as a "dropper as a service" to deliver a bundle of malware payloads to users looking for "cracked" versions of popular business and consumer software. The bundle includes various click-fraud bots, information stealers, and sometimes ransomware.

The operation relies on a number of WordPress-hosted lure pages containing "download" links for software. Clicking a link redirects the visitor to a third-party site that serves potentially unwanted browser plug-ins and malware, including installers for Raccoon Stealer, STOP ransomware, the Glupteba backdoor, and a range of malicious cryptocurrency miners posing as antivirus software.

"Visitors who arrive on these sites are prompted to allow notifications; If they allow this to happen, the websites repeatedly issue false malware alerts," the Sophos researchers said. "If the users click the alerts, they're directed through a series of websites until they arrive at a destination that's determined by the visitor's operating system, browser type, and geographic location." 

The lure pages are pushed to the top of search results through search engine optimisation whenever a user searches for illegal copies of a wide range of software. The activity is believed to be the product of an illicit market for paid download services, which lets entry-level cybercriminals set up and customise campaigns, including by geographic targeting.

These traffic exchanges, as the distribution infrastructure is also known, generally require a Bitcoin payment before affiliates can create accounts and start distributing installers. Sites such as InstallBest offer "best practices" advice, such as avoiding Cloudflare-based hosting for downloaders and steering clear of URLs on Discord's CDN, Bitbucket, or other cloud platforms.

The researchers also found several outfits that, rather than running their own malware delivery networks, act as go-betweens for established malvertising networks that pay website owners for traffic.

Earlier in June, the Crackonosh malware was found using the same technique to drop the XMRig coin miner and silently use the compromised host's resources to mine Monero. A month later, the operators of the MosaicLoader malware were found targeting people searching for pirated software, as part of a global campaign to install a fully featured backdoor capable of hooking compromised Windows systems into a botnet.

'Vigilante Malware' Blocks Users From Downloading Pirated Software


Researchers have uncovered one of the stranger specimens in malware history: a booby-trapped file that snitches on the person who downloaded it and tries to prevent further pirated downloads.

Andrew Brandt, principal researcher at SophosLabs, named the malware 'Vigilante'. It installs when the victim downloads and runs what appears to be pirated software or a game. Behind the scenes, the malware reports the name of the executed file, along with the victim's IP address, to an attacker-controlled server. Finally, Vigilante modifies the victim's computer to make The Pirate Bay and around 1,000 other piracy sites unreachable.

Since web servers normally log the visitor's IP address, the attacker now has both the pirate's IP address and the name of the software or movie the victim tried to use. It is unknown what this information is used for, but the attackers could pass it to ISPs, copyright agencies, or even law enforcement.

“It’s really unusual to see something like this because there’s normally just one motive behind most malware: stealing stuff. Whether that’s passwords, or keystrokes, or cookies, or intellectual property, or access, or even CPU cycles to mine cryptocurrency, theft is the motive. But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals,” Brandt explained. 

Vigilante modifies the hosts file on infected computers to block them from connecting to The Pirate Bay and other Internet destinations known to be used by people trading pirated software. Brandt found some of the trojans lurking in software packages shared through Discord-hosted chat services, and others disguised as popular games, productivity tools, and security products available via BitTorrent.

"Padding an archive with a purposeless file of random length is an easy way to change the hash value of the archive. Filling it with a racist slur taught me everything I needed to know about its creator," Brandt wrote on Twitter.
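The padding trick in that tweet is worth seeing concretely, because it also shows what defenders should hash. The added example below (mine, not Sophos' code and not the malware author's) builds a constructed archive in memory, shows that appending a junk member of random length changes the archive's SHA-256 even though the trojanised member is byte-for-byte identical, and shows that matching on the hash of each extracted member rather than on the container defeats the trick. The payload bytes and file names are constructed stand-ins.

```python
import hashlib
import io
import os
import zipfile

# Fixed member timestamps so that only content, not build time, changes the archive hash.
FIXED_TIME = (2024, 1, 1, 0, 0, 0)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_archive(payload_name, payload, pad_len=None):
    """Zip the payload; optionally add a junk file of pad_len random bytes, as the tweet describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(payload_name, FIXED_TIME), payload)
        if pad_len is not None:
            zf.writestr(zipfile.ZipInfo("readme.txt", FIXED_TIME), os.urandom(pad_len))
    return buf.getvalue()

def member_hashes(archive):
    """sha256 of every member's decompressed content, keyed by member name."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: sha256(zf.read(name)) for name in zf.namelist()}

def match_known_bad(archive, bad_hashes):
    """Names of members whose content hash is on the blocklist, whatever the container's hash is."""
    return {name for name, h in member_hashes(archive).items() if h in bad_hashes}

# Constructed stand-in for a trojanised installer; not real malware.
PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a trojanised Setup.exe\n"

def demo():
    """Build one clean and two randomly padded archives of the same payload and compare hashes."""
    clean = build_archive("Setup.exe", PAYLOAD)
    padded_a = build_archive("Setup.exe", PAYLOAD, pad_len=1 + os.urandom(1)[0])
    padded_b = build_archive("Setup.exe", PAYLOAD, pad_len=1 + os.urandom(1)[0])
    blocklist = {sha256(PAYLOAD)}   # hash of the member, not of any archive
    return {
        # Every container hash is different, so an archive-level blocklist misses two of three.
        "archive_hashes_differ": len({sha256(clean), sha256(padded_a), sha256(padded_b)}) == 3,
        # The trojanised member's hash never changes.
        "member_hash_stable": member_hashes(clean)["Setup.exe"]
                              == member_hashes(padded_a)["Setup.exe"] == sha256(PAYLOAD),
        # A member-level blocklist still catches the padded archive.
        "blocklist_hits": match_known_bad(padded_b, blocklist),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same reasoning applies to other containers and to installers that carry an embedded payload: hash, or better, match on structural features (imports, sections, signer) of the thing that actually runs, since the outer wrapper is the cheapest part for an attacker to vary.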

Vigilante has no persistence mechanism, so it has no way to stay on the system; infected users need only edit their hosts file to clean up. There are other oddities: many of the trojanised executables are digitally signed with a fake code-signing tool, and the signer name in the signature is a randomly generated 18-character string of uppercase and lowercase letters.
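Because the only lasting change Vigilante makes is to the hosts file, the clean-up the post describes is easy to script. The following is an added example (not Sophos' code or anything from the malware) that parses a hosts file, reports every non-local name pointed at a loopback or null address, and writes back a copy with only those injected names removed. The sample hosts content is constructed; the blocked site names in it are illustrative, not the malware's real list.

```python
import ipaddress

# Addresses that make a name unreachable; what Vigilante's hosts entries point blocked sites at.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, ip, names) for each mapping line; comments and malformed lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))   # normalises IPv4 and IPv6 spelling
        except ValueError:
            continue
        yield n, ip, fields[1:]

def find_sinkholed(text):
    """Return (line_no, ip, name) for every non-local name pointed at a sinkhole address."""
    return [(n, ip, name) for n, ip, names in parse_hosts(text)
            if ip in SINKHOLE_ADDRS for name in names if name.lower() not in LOCAL_NAMES]

def clean_hosts(text):
    """Return the hosts file with injected sinkhole names removed and everything else kept verbatim."""
    out = []
    for raw in text.splitlines():
        parsed = next(parse_hosts(raw), None)
        if parsed is None or parsed[1] not in SINKHOLE_ADDRS:
            out.append(raw)
            continue
        _, ip, names = parsed
        keep = [nm for nm in names if nm.lower() in LOCAL_NAMES]
        if keep == names:
            out.append(raw)                          # untouched local mapping
        elif keep:
            out.append(f"{ip} {' '.join(keep)}")     # drop only the injected names on a shared line
        # else: the whole line was injected; drop it
    return "\n".join(out) + "\n"

# Constructed sample; the first lines mimic a default Windows hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- constructed entries imitating the blocklist Vigilante appends (not the real list) ---
127.0.0.1 thepiratebay.org
127.0.0.1 www.thepiratebay.org example-torrent-site.net
0.0.0.0 example-tracker.net
127.0.0.1 localhost example-search-site.net
"""

if __name__ == "__main__":
    for line_no, ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and needs an elevated prompt to write; after rewriting it, run `ipconfig /flushdns` so cached answers do not keep the blocks alive. Note that legitimate ad-blocking or parental-control tools also populate the hosts file this way, so treat the report as a list to review rather than an automatic verdict.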

Microsoft Sues IP Address for Windows, Office Piracy

Microsoft has filed a lawsuit against an individual IP address that was reportedly used to activate pirated copies of Windows and Office. The IP address is registered to Comcast in New Jersey and is accused of trying to activate over 1,000 copies of the software.

It is unclear who the complaint targets, since it names only "John Does 1-10" and the IP address (73.21.204.220).


“During the software activation process, Defendants contacted Microsoft activation servers in Washington over 2800 times from December 2014 to July 2017, and transmitted detailed information to those servers in order to activate the software,” Microsoft claims in the complaint.

Microsoft is suing for both copyright and trademark infringement and has asked the court to seize all copies of the unlicensed software.