Cybercriminals are distributing a malware cocktail through cracked versions of Microsoft Office promoted on torrent sites.
The malware delivered to users includes remote access trojans, cryptocurrency miners, malware downloaders, proxy tools, and anti-AV programs.
AhnLab Security Intelligence Center has identified the ongoing campaign and warns about the risks of downloading pirated software.
The Korean researchers discovered that the attackers use multiple lures, including Microsoft Office, Windows, and the Hangul Word Processor, which is popular in Korea.
The cracked Microsoft Office installer features a well-crafted interface, letting users select the version they want to install, the language, and whether to use 32 or 64-bit variants.
In the background, the installer launches an obfuscated.
NET malware that contacts a Telegram or Mastodon channel to receive a valid download URL from where it will fetch additional components.
The base64 payloads hosted on those platforms contain PowerShell commands that introduce a range of malware strains to the system, unpacked using 7Zip.
The malware component 'Updater' registers tasks in the Windows Task Scheduler to ensure it persists between system reboots.
Orcus RAT: Enables comprehensive remote control, including keylogging, webcam access, screen capture, and system manipulation for data exfiltration.
XMRig: Cryptocurrency miner that uses system resources to mine Monero.
3Proxy: Converts infected systems into proxy servers by opening port 3306 and injecting them into legitimate processes, allowing attackers to route malicious traffic.
PureCrypter: Downloads and executes additional malicious payloads from external sources, ensuring the system remains infected with the latest threats.
AntiAV: Disrupts and disables security software by modifying its configuration files, preventing the software from operating correctly and leaving the system vulnerable to the operation of the other components.
Even if the user discovers and removes any of the above malware, the 'Updater' module, which executes upon system launch, will re-introduce it.
Users should be cautious when installing files downloaded from dubious sources and generally avoid pirated/cracked software.
As these files are not digitally signed and users are prepared to ignore antivirus warnings when running them, they are often used to infect systems with malware, in this case, an entire set.
Malware botnet bricked 600,000 routers in mysterious 2023 attack.
Police seize over 100 malware loader servers, arrest four cybercriminals.
Over 90 malicious Android apps with 5.5M installs found on Google Play.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 May 2024 20:55:16 +0000