Saturday, October 12, 2024
Homecyber securityHackers Weaponizing MS Office-Cracked Versions to Deliver Malware

Hackers Weaponizing MS Office-Cracked Versions to Deliver Malware

Published on

Malware protection

Attackers in South Korea are distributing malware disguised as cracked software, including RATs and crypto miners, and registering themselves with the Task Scheduler to ensure persistence. 

Even after removing the initial malware, the Task Scheduler triggers PowerShell commands to download and install new variants, which persists because the PowerShell commands keep changing, leaving unpatched systems vulnerable to information theft, proxy abuse, and cryptocurrency mining.  

Attack flow
Attack flow

Malicious actors are leveraging file-sharing platforms to distribute malware disguised as cracked MS Office, which retrieves the download URL and target platform during infection, potentially enabling them to tailor attacks and evade detection.  

- Advertisement - SIEM as a Service

All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo 

Cybercriminals are distributing malware disguised as cracked software. The malware, developed in.NET, uses obfuscation to hide its malicious code, and initially, it accessed Telegram to retrieve a download URL. 

Newer versions contain two Telegram URLs and a Mastodon URL, each with a string linked to a Google Drive or GitHub URL.

The threat actor hides malicious PowerShell commands within these cloud storage locations, using Base64 encoding for further obfuscation, and once executed, these commands install additional malware strains. 

Commands encrypted in Base64
Commands encrypted in Base64

The updater malware, “software_reporter_tool.exe,”  leverages a PowerShell script to download and maintain persistence, which creates a malicious executable at “C:\ProgramData\KB5026372.exe” and uses a compromised 7zip installation (“C:\ProgramData\Google\7z.exe”) to decompress a password-protected archive from GitHub or Google Drive (password: “x”) by mirroring tactics from a previous campaign. 

Malware installation using 7z and PowerShell
Malware installation using 7z and PowerShell

Additionally, the updater registers itself with the Task Scheduler to ensure continuous operation after a reboot, and the scheduled task triggers the PowerShell script for further updates and potential malware installation. 

The attackers deployed Orcus RAT and XMRig on the compromised system.

Orcus RAT can steal information through keylogging, webcam, and screenshot capture, while XMRig mines cryptocurrency. 

 3Proxy’s configuration file
 3Proxy’s configuration file

XMRig is configured to stop mining when resource-intensive programs are running and to terminate processes competing for resources, such as security software installers, while 3Proxy is used to turn the infected machine into a proxy server by adding a firewall rule and injecting itself into a legitimate process. 

 A Korean security program unable to operate properly due to the AntiAV malware
 A Korean security program unable to operate properly due to the AntiAV malware

According to ASEC, PureCrypter downloads and executes further payloads, and AntiAV malware disrupts security products by modifying their configuration files.  

Attackers are distributing malware disguised as popular Korean software (Windows, MS Office, Hangul) through file-sharing sites, and the malware bypasses file detection with frequent updates and utilizes the Task Scheduler for persistence, leading to repeated infections upon removal. 

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...