Cybercriminals Distribute Various Malware Strains via Torrented Versions of MS Office and Windows

• Unknown actors are deploying updated malware through cracked versions of Microsoft Office and Windows downloaded from torrent websites.
• The attacker created and distributed a wide array of malware strains, including downloaders, remote access trojans (RATs), miners, proxies, and anti-AV tools.
• The attacker registers malware installation commands to the Task Scheduler for repeated installations of new malware on the system.

AhnLab Security Intelligence Center (ASEC) has identified an ongoing campaign in which attackers deploy persistent malware through what appear to be cracked versions of legitimate programs like Windows, MS Office, and Hangul Word Processor, a tool popular in Korea. Among the discovered installed malware are Orcus RAT, XMRig, 3Proxy, PureCrypter, CoinMiner, and Updater.

The Korean researchers say that threat actors have been upgrading their malware by registering to the Task Scheduler in the infected system, which executes PowerShell commands that install new malware repeatedly and change constantly. However, users who have installed V3 do not experience repeated malware installations in this case because V3 remediates the tasks installed by the malware. 

The infection persists because the installed malware runs updates. The attacker gains control of the systems they use as proxies or to mine cryptocurrency, which also exposes users’ sensitive information.

The report presents a recent malware distribution case via a cracked version of MS Office that added a process for acquiring the platform to upload the obfuscated .NET malware and the download URL by accessing Telegram. Some included a string used in the Google Drive URL or the GitHub URL, which downloaded strings encrypted in Base64 that were actually PowerShell commands.

Orcus RAT supports basic remote control features and can exfiltrate data via keylogging and webcams. 3Proxy is an open-source tool equipped with a proxy server feature that adds the 3306 port to the firewall rule and injects 3Proxy into the legitimate process, enabling the threat actor to abuse the infected system as a proxy. Other malicious files include PureCrypter, which downloads and executes additional payload from external sources, and AntiAV malware, which disrupts security products.

From the installed malware types, Updater, XMRig, and Orcus RAT are similar to past cases. The Orcus RAT and CoinMiner have been distributed to Korean users via a Hangul Word Processor crack before through file-sharing services and torrents. The risk of infecting a device when downloading pirated/cracked software is great because users usually ignore antivirus warnings.