Original Article Text

Pirated Microsoft Office delivers malware cocktail on systems

Cybercriminals are distributing a malware cocktail through cracked versions of Microsoft Office promoted on torrent sites. The malware delivered to users includes remote access trojans (RATs), cryptocurrency miners, malware downloaders, proxy tools, and anti-AV programs.

AhnLab Security Intelligence Center (ASEC) has identified the ongoing campaign and warns about the risks of downloading pirated software. The Korean researchers discovered that the attackers use multiple lures, including Microsoft Office, Windows, and the Hangul Word Processor, which is popular in Korea.

Microsoft Office to malware

The cracked Microsoft Office installer features a well-crafted interface, letting users select the version they want to install, the language, and whether to use the 32- or 64-bit variant. However, in the background, the installer launches an obfuscated .NET malware that contacts a Telegram or Mastodon channel to receive a valid download URL from where it will fetch additional components.

The URL points to Google Drive or GitHub, both legitimate services that are unlikely to trigger AV warnings. The base64 payloads hosted on those platforms contain PowerShell commands that introduce a range of malware strains to the system, unpacked using 7Zip.

The malware component 'Updater' registers tasks in the Windows Task Scheduler to ensure it persists between system reboots. According to ASEC, the following types of malware are installed by the malware on the breached system:

Even if the user discovers and removes any of the above malware, the 'Updater' module, which executes upon system launch, will re-introduce it.

Users should be cautious when installing files downloaded from dubious sources and generally avoid pirated/cracked software. Similar campaigns have been used to push STOP ransomware, which is the most active ransomware operation targeting consumers.
As these files are not digitally signed and users are prepared to ignore antivirus warnings when running them, they are often used to infect systems with malware, in this case, an entire set.
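A defender-side triage check for the persistence pattern described above (a scheduled task that relaunches the payload at startup, with base64-encoded PowerShell as the action), written as an added example for this brief rather than taken from the ASEC report. It parses a task exported with `schtasks /Query /TN <name> /XML`; the paths, task layout and encoded command in the sample are constructed for illustration, not indicators from the campaign.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (schtasks /Query /TN <name> /XML exports)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(args):
    """Plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(args or "")
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def triage_task_xml(xml_text):
    """Flag Exec actions of one exported task that match the persistence pattern."""
    root = ET.fromstring(xml_text)
    at_startup = any(root.find(f".//t:{t}", NS) is not None for t in ("BootTrigger", "LogonTrigger"))
    findings = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        reasons = []
        if at_startup:
            reasons.append("runs at boot/logon")
        if USER_WRITABLE.search(cmd):
            reasons.append("binary in user-writable path")
        if re.search(r"(?:powershell|pwsh)(?:\.exe)?$", cmd, re.I):
            decoded = decode_encoded_command(args)
            if decoded is not None:
                reasons.append("encoded PowerShell: " + decoded)
        if reasons:
            findings.append({"command": cmd, "arguments": args, "reasons": reasons})
    return findings

# Constructed sample (not a real indicator): boot-triggered task with two actions
PLAIN = "Start-Process 'C:\\ProgramData\\Updater\\updater.exe'"
ENCODED = base64.b64encode(PLAIN.encode("utf-16-le")).decode("ascii")
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\Updater\\updater.exe</Command></Exec>
    <Exec><Command>powershell.exe</Command><Arguments>-enc {ENCODED}</Arguments></Exec>
  </Actions>
</Task>"""
```

Run `triage_task_xml` over each exported task; a task with no startup trigger, a binary under Windows or Program Files and no encoded command yields no findings.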

Daily Brief Summary

MALWARE // Malware Distributed Through Pirated Microsoft Office Installers

Cybercriminals are using cracked versions of Microsoft Office from torrent sites to distribute a variety of malicious software.

The malware package includes remote access trojans, cryptocurrency miners, and tools to disable anti-virus programs.

AhnLab Security Intelligence Center has highlighted the risks associated with using pirated software and identified this as an ongoing campaign.

The infected Microsoft Office installer lets users choose various installation options while secretly launching obfuscated .NET malware in the background.

The malware retrieves its download URLs through legitimate platforms like Telegram and Mastodon to avoid detection and fetches further malicious payloads from Google Drive or GitHub.

Installed malware ensures persistence by registering tasks in the Windows Task Scheduler, which reinstalls the malware even if initially removed.

The incident underscores the dangers of downloading software from unreliable sources and the importance of maintaining legitimate software licenses.