Korean Researchers Observe Malware In Pirated Copies Of Office

The malware has been observed downloading newer malware strains and additional malware components on affected systems multiple times a week.

by Alan J May 31st, 2024

Share on LinkedInShare on Twitter

South Korean researchers have observed the malicious use of pirated copies and cracked activators of legitimate productivity and office utility programs such as Hangul Word Processor and Microsoft Office to disguise malicious programs.

The malware maintains persistence by scheduling regular upgrades on affected systems, leading to consistent installation of newer strains of the malware multiple times every week.

Malicious Pirated Copies of Microsoft Office and Other Programs

Researchers from AhnLab discovered that attackers have been creating and distributing malicious copies of popular utility software. These copies were distributed through common file-sharing platforms and torrent websites. The operation takes advantage of users looking to obtain free copies of software without paying the required license fee.

When downloaded and executed, the programs usually appear as convincing cracked installers or activators for programs such as Microsoft Office or the Hangul word processor. While the initial downloader was developed in .NET, the attackers appear to have moved to more obfuscated attack techniques.

The malware retrieves its instructions for the next stage of its attack from Telegram or Mastodon channels operated by the attackers. These channels contain encrypted Base64 strings that lead to Google Drive or GitHub URLs that host the malicious payloads.

These malicious payloads are downloaded and decrypted through the use of the legitimate 7-zip archive utility that is commonly present on systems and operates with low footprint. Researchers discovered that the decrypted payloads contained PowerShell instructions to load and execute additional malware components on the victim’s system.

The malware strains loaded on the infected systems include:

  • OrcusRAT: A remote access trojan with extensive capabilities like keylogging, webcam access, and remote screen control.
  • XMRig Cryptominer: Configured to stop mining when resource-intensive apps are running to avoid detection. Also kills competing miners and security products.
  • 3Proxy: Injects itself into legitimate processes to open a backdoor proxy server.
  • PureCrypter: Fetches and runs additional malicious payloads from attacker-controlled servers.
  • AntiAV: Disrupts security products by repeatedly modifying their configuration files.

The commands include an updater that contains instructions to maintain persistence over the system through the use of the native Windows Task Scheduler present on the Windows operating system. C&C server addresses shared by the researchers also indicate that they have been disguised as a minecraft rpg server.

Continuous Reinfection and Distribution

The researchers said systems may remain infected even after the initial infection has been removed, due to the malware’s ability to update itself as well as download additional malware payloads. They stated that the attackers had distributed new malware on affected systems multiple times each week to bypass file detection.

The researchers said the number of systems that had been compromised in these attacks continued to increase as the registered task scheduler entries loaded additional malicious components on affected systems despite the removal of previous underlying malware.

The researchers advised South Korean users to download software and programs from their official sources rather than file-sharing sites. Users who suspect that their systems may already have been infected should remove associated task scheduler entries to block the download of additional malware components, and update their antivirus software to the latest available versions.

The researchers have additionally shared indicators of compromise, categories that have been detected as flagged in the attack, MD5 hashes of files used in the attack, associated C&C server addresses, and suspicious behaviors that have been observed during the attack.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button