Pirated Microsoft Office delivers malware cocktail on systems
Summary:
AhnLab Security Intelligence Center is warning of an ongoing campaign where cybercriminals are distributing various malware strains by promoting installers for cracked versions of Microsoft Office on torrent sites. The cracked Microsoft Installer comes with a well-built interface, where users can specify the version they want to install, the language, as well as whether to use 32 or 64-bit variants. While the user is distracted, the installer will launch a .NET malware designed to contact a Telegram or Mastodon channel to receive a valid download URL pointing to Google Drive or GitHub and fetch additional components. In this case, these platforms are being used to host base64 payloads which contain PowerShell commands designed to deploy the following different malware strains on targeted systems that are unpacked using 7Zip:
The utilization of legitimate services like GitHub and Google Drive entails an attempt to avoid detection from antivirus solutions. In the latest campaign, researchers note the use of an updater module that is deployed alongside the various other malware strains, designed to register tasks in the Windows Task Scheduler to ensure persistence access on targeted systems. This module is executed upon system launch. So in the event that the victim discovers and removes any of the malware, the module will re-introduce these strains on the targeted system.
Suggested Corrections:
In general, users should avoid clicking on sponsored ads that appear at the top of Google search results as threat actors can easily purchase these ads to promote sites hosting cracked software versions. When downloading software online, users should also ensure that it comes from a reputable source and not from third-party sites, as this can typically lead to malware infections. Software should also be scanned by anti-virus solutions for malicious executables prior to installation.
Link(s):
https://www.bleepingcomputer.com/ne...-office-delivers-malware-cocktail-on-systems/
AhnLab Security Intelligence Center is warning of an ongoing campaign where cybercriminals are distributing various malware strains by promoting installers for cracked versions of Microsoft Office on torrent sites. The cracked Microsoft Installer comes with a well-built interface, where users can specify the version they want to install, the language, as well as whether to use 32 or 64-bit variants. While the user is distracted, the installer will launch a .NET malware designed to contact a Telegram or Mastodon channel to receive a valid download URL pointing to Google Drive or GitHub and fetch additional components. In this case, these platforms are being used to host base64 payloads which contain PowerShell commands designed to deploy the following different malware strains on targeted systems that are unpacked using 7Zip:
- Orcus RAT: Enables comprehensive remote control, including keylogging, webcam access, screen capture, and system manipulation for data exfiltration.
- XMRig: Cryptocurrency miner that uses system resources to mine Monero. It halts mining during high resource usage, such as when the victim is gaming, to avoid detection.
- 3Proxy: Converts infected systems into proxy servers by opening port 3306 and injecting them into legitimate processes, allowing attackers to route malicious traffic.
- PureCrypter: Downloads and executes additional malicious payloads from external sources, ensuring the system remains infected with the latest threats.
- AntiAV: Disrupts and disables security software by modifying its configuration files, preventing the software from operating correctly and leaving the system vulnerable to the operation of the other components.
The utilization of legitimate services like GitHub and Google Drive entails an attempt to avoid detection from antivirus solutions. In the latest campaign, researchers note the use of an updater module that is deployed alongside the various other malware strains, designed to register tasks in the Windows Task Scheduler to ensure persistence access on targeted systems. This module is executed upon system launch. So in the event that the victim discovers and removes any of the malware, the module will re-introduce these strains on the targeted system.
Suggested Corrections:
In general, users should avoid clicking on sponsored ads that appear at the top of Google search results as threat actors can easily purchase these ads to promote sites hosting cracked software versions. When downloading software online, users should also ensure that it comes from a reputable source and not from third-party sites, as this can typically lead to malware infections. Software should also be scanned by anti-virus solutions for malicious executables prior to installation.
Link(s):
https://www.bleepingcomputer.com/ne...-office-delivers-malware-cocktail-on-systems/