
Korean researchers spot malware in pirated copies of Office

South Korean researchers observed attackers using pirated copies and cracked activators of legitimate office programs such as Hangul Word Processor and Microsoft Office to disguise malware.

The malware maintains persistence through scheduled tasks that regularly fetch updates, so newer malware variants are installed on affected systems several times a week.

Malicious pirated copies of Microsoft Office and other programs

AhnLab researchers discovered that attackers were creating and distributing malicious copies of popular software utilities. These copies were distributed via popular file-sharing platforms and torrent sites. This operation takes advantage of users who want to obtain free copies of the software without paying the required license fee.

Once downloaded and run, the programs typically look like convincing cracked installers or activators for software such as Microsoft Office or the Hangul word processor. Although the initial downloader was written in .NET, the attackers appear to have since moved to more heavily obfuscated techniques.

The malware fetches instructions for the next stage of the attack from Telegram or Mastodon channels operated by the attackers. These channels contain Base64-encoded strings that decode to Google Drive or GitHub URLs hosting the malicious payloads.

These payloads are downloaded and unpacked (decompressed and decrypted) using the legitimate archiving tool 7-Zip, which is widely installed and small. Researchers found that the unpacked payloads contained PowerShell instructions that load and execute additional malware components on the victim's system.

The following types of malware reach infected systems:

  • Orcus RAT: Remote access Trojan with extensive capabilities such as keystroke logging, webcam access, and remote screen control.
  • XMRig cryptocurrency miner: Configured to pause mining while resource-intensive applications are running, to avoid detection. It also kills competing miners and security products.
  • 3Proxy: Hides within legitimate processes to open a backdoor proxy server.
  • PureCrypter: Downloads and executes additional malicious payloads from attacker-controlled servers.
  • AntiAV: Disrupts security products by repeatedly modifying their configuration files.

The commands include an updater component that maintains persistence on the system through the native Windows Task Scheduler. The C&C server addresses published by the researchers also indicate that the servers were disguised as a Minecraft RPG server.

Continuous reinfection and distribution

The researchers said systems can remain infected even after the initial infection is removed, because the malware can update itself and download additional payloads. They found that the attackers were pushing new malware to affected systems several times a week to evade file-based detection.

Researchers found that the number of affected systems kept growing because the registered Task Scheduler entries loaded new malicious components onto those systems even after earlier malware had been removed.

Researchers advised South Korean users to download software from official sources rather than file-sharing websites. Users who suspect that their systems may already be infected should delete the associated Task Scheduler entries to block the download of additional malware components, and update their antivirus software to the latest available version.
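Because the persistence and re-infection both hinge on scheduled tasks, a first triage step is to list tasks whose actions look like a script-based downloader. The following PowerShell script is an added example written for this article, not code from AhnLab or The Cyber Express; its heuristics (script hosts, user-writable paths, loader keywords, repeating triggers) are assumptions and will also flag some legitimate updaters, so review hits before removing anything.

```powershell
# Added example: triage scheduled tasks for traits of a script-based updater.
# Heuristics below are assumptions, not indicators taken from the report.
$scriptHosts  = 'powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'rundll32'
$userWritable = '\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Public\\', '\\Downloads\\'
$loaderTokens = '-enc', 'encodedcommand', 'frombase64string', 'downloadstring',
                'invoke-webrequest', 'invoke-expression', '7z', '-windowstyle hidden'

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions are skipped
            if (-not $action.Execute) { continue }
            $cmd     = ("{0} {1}" -f $action.Execute, $action.Arguments).ToLower()
            $reasons = @()
            if ($scriptHosts  | Where-Object { $cmd -match "(^|\\)$_(\.exe)?\b" }) { $reasons += 'script-host' }
            if ($userWritable | Where-Object { $cmd -match $_ })                  { $reasons += 'user-writable-path' }
            if ($loaderTokens | Where-Object { $cmd -match [regex]::Escape($_) }) { $reasons += 'loader-token' }
            # A repetition interval matches the "re-download several times a week" pattern
            if ($task.Triggers | Where-Object { $_.Repetition.Interval }) { $reasons += 'repeating-trigger' }
            # Require two independent signals to keep the list short
            if ($reasons.Count -ge 2) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    Command  = $cmd
                    LastRun  = $info.LastRunTime
                    NextRun  = $info.NextRunTime
                    Reasons  = ($reasons -join ',')
                }
            }
        }
    }
}

# Report first; remove a confirmed hit with:
#   Unregister-ScheduledTask -TaskPath $hit.TaskPath -TaskName $hit.TaskName -Confirm:$false
Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that tasks registered by other accounts and by SYSTEM are included in the enumeration.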

Researchers also released indicators of compromise: the detection names flagged in the attack, MD5 hashes of the files used, associated C&C server addresses, and suspicious behaviour observed during the attack.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for informational purposes only and users bear full responsibility for any reliance placed on it. The Cyber Express is not responsible for the accuracy or consequences of the use of this information.