Researchers have spotted a new malware campaign in the wild targeting Office users. As observed, criminal hackers lure users into downloading a bundle of different malware via cracked Microsoft Office versions.
Hackers Infect Users’ Machines With Malware Bundle Via Cracked Microsoft Office
As elaborated in a recent post from the AhnLab Security Intelligence Center (ASEC), their researchers observed a peculiar malware campaign targeting victims with multiple threats simultaneously.
Specifically, the malware campaign exploits cracked Microsoft Office copies to lure users via torrent and other file-sharing sites. While the files seem legit, the installers include an additional process to acquire the download URL via the Telegram or Mastodon channel. This URL often links to GitHub or Google Drive (both legit services). In this way, the malware succeeds in escaping antivirus detection.
After downloading the file, the installation process also seems legit as the malware sneakily installs itself together with all the relevant MS Office software files.
The malware, developed in .NET, also exhibits heavy obfuscation, hiding PowerShell commands that manage the download of various malware strains. These malware are decompressed using 7zip (another legitimate file archiving tool). These malware types include,
- Orcus RAT: A remote access trojan that collects system information, schedules tasks for files, processes, and registries, executes commands, performs keylogging, manages screen control, and access cameras to steal more data.
- XMRig: A known crypto-mining malware that exploits system hardware resources for crypto-mining. It also maintains stealth activity by stopping mining during resource-intensive activities and killing processes for security tools like antivirus.
- 3proxy: An open-source proxy server tool that opens port 3306, allowing the attacker to abuse the target system as a proxy server.
- PureCrypter: Downloads and executes other malicious payloads.
- AntiAV: As evident via the name, an anti-antivirus component that disrupts the operations of any security software running on the target device.
- Updater malware: The Updater (software_reporter_tool.exe) ensures persistence by registering tasks to the Task Scheduler even after a system restart. It also reinstalls any malware following manual detection and removal from the target user.
Avoid Pirated Software To Prevent The Threat
While the campaign appears highly sneaky, the best and most viable way to prevent this threat is to avoid downloading cracked/pirated software. Though it seems costly, considering the security risks and potential damages following malware attacks, it’s worth the money.
Let us know your thoughts in the comments.