
According to recent research by the AhnLab Security Intelligence Center (ASEC), a group of cybercriminals has been distributing malware bundles through cracked versions of legitimate programs such as Windows and MS Office offered on torrent websites.
The attackers also spread the same bundles through cracked copies of Hangul Word Processor, a word processor widely used in Korea.
The kinds of malware distributed by the group include a CoinMiner, remote access trojans (RATs), malware downloaders, anti-AV tools, and a proxy component.
ASEC's researchers have warned users to be careful and to refrain from downloading pirated software. Disguised as trusted products such as Microsoft Office and Windows, these installers have been used to deliver malware to Korean users.
The fake Microsoft Office installer presents a polished interface that lets users choose the version they want to install, the 32-bit or 64-bit variant, and the language.
In the background, the installer launches an obfuscated .NET malware that contacts channels on Telegram or Mastodon to obtain a currently valid download URL. Those URLs point to Google Drive and GitHub, both legitimate services that do not trigger antivirus warnings.
'Updater' is a malware component that registers itself in the Windows Task Scheduler so that the malware persists across system reboots.
The types of malware that were identified in the breached system include-
Moreover, because the scheduled task runs again at system startup, the 'Updater' module can re-download and reinstall the other components even after a user has identified and removed them.
Users should therefore always be cautious about downloading files from untrustworthy or dubious sources; it is a basic precaution that prevents such malware from reaching their systems in the first place.
Cybercriminals have used cracked software as a lure in earlier campaigns as well, for example to distribute STOP ransomware, which has long been spread through pirated programs and key generators and has hit a large number of home users.
The cracked installers are not digitally signed, and users who run them tend to dismiss or disable the antivirus warnings that cracks routinely trigger. As a result, the bundled malware is installed alongside the program the user expected.
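Two of the points above lend themselves to a concrete check: the 'Updater' component survives through a Task Scheduler entry, and the cracked installers carry no Authenticode signature. The following PowerShell script is an added example written for this page; it is not code from ASEC or from the campaign. It enumerates every scheduled task on the host and reports those whose action runs an executable that is unsigned, missing from disk, or located in a user-writable directory, and it includes a small helper for inspecting a downloaded installer's signature and hash before running it. The directory list and the "Why" labels are assumptions chosen for illustration; the cmdlets are standard on Windows 10/11 and Server 2016 or later.

```powershell
# Added example (not from the ASEC report or the malware): triage scheduled-task
# persistence and check downloaded installers. Run in an elevated PowerShell session.

# Directories a standard user can write to; a legitimate vendor updater rarely runs
# from these, so a task pointing here deserves a closer look (assumed list).
$suspiciousRoots = @(
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    $env:TEMP,
    $env:ProgramData,
    "$env:SystemDrive\Users\Public"
)

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Strip surrounding quotes and expand %VAR% references so the path can be tested.
    $expanded = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (Test-Path -LiteralPath $expanded -PathType Leaf) { return $expanded }
    # Bare names such as "powershell.exe" resolve through PATH.
    $cmd = Get-Command $expanded -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Source) { return $cmd.Source }
    return $null
}

function Test-DownloadedFile {
    # Signature status and SHA-256 of a file you are about to run. "NotSigned" on an
    # "Office" or "Windows" installer is the red flag described in the article.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File      = $Path
        Status    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler, e-mail or message actions
        $exe = Resolve-TaskExecutable $action.Execute
        $reasons = @()
        if ($null -eq $exe) {
            $reasons += 'executable not found on disk'
        } else {
            foreach ($root in $suspiciousRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "runs from user-writable path ($root)"
                    break
                }
            }
            # Catalog-signed Windows binaries also report Valid here (SignatureType Catalog).
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        }
        if ($reasons.Count -gt 0) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                State      = $task.State
                Executable = if ($exe) { $exe } else { $action.Execute }
                Arguments  = $action.Arguments
                LastRun    = $info.LastRunTime
                # Boot/Logon triggers are what give a re-installer its persistence.
                Triggers   = ($task.Triggers | ForEach-Object {
                                 $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Why        = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object TaskPath, TaskName | Format-Table -AutoSize -Wrap

# Example usage for a freshly downloaded installer (path is an assumption):
# Test-DownloadedFile -Path "$env:USERPROFILE\Downloads\setup.exe"
```

The task sweep is a triage aid rather than a verdict: third-party software with unsigned helpers or updaters living under ProgramData will show up, so the useful signal is a task whose executable sits in a user profile directory, fires on Boot or Logon, and has a recent LastRun you cannot tie to an installed product. Removing only the dropped binaries and leaving such a task in place is exactly the gap the 'Updater' component exploits, so the task should be unregistered (Unregister-ScheduledTask) together with the files it points at.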






