Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.)

May 30, 2024, 7:31 a.m.

Description

The report analyzes a campaign where threat actors distribute various malware strains like RATs, coinminers, and loaders disguised as cracked versions of popular software. South Korean systems are heavily targeted, with malware persisting via scheduled tasks and evading security products. Detailed technical analysis covers the attack flow, malware functionality, evasion tactics, and infrastructure used in the campaign.

External References

https://asec.ahnlab.com/en/66017/
https://otx.alienvault.com/pulse/6658266e8b7d9bbbebf72a5a
Tags
loader
evasion
xmrig
purecrypter
cryptominer
3proxy
antiav
orcusrat
2024-05-30

Date

  • Created: May 30, 2024, 7:10 a.m.
  • Published: May 30, 2024, 7:10 a.m.
  • Modified: May 30, 2024, 7:31 a.m.

Indicators

  • dc1d5aefdad703bcc127f2f1eda4f4b11a98dbdde5290b081e1ec571035130ee
  • 8d08c6e09e94608170e93259d02d1bf7102b0768bbd0507c66c276836e0262a2
  • 5e51e62c21052b2453d01a339f9e5acd499b1d8bac6d62d44b54aa7313882b69
  • 5de473a10f6135de47080270e218e12a1ea276f15483ffcfe55da55019417e99
  • 507e49380dac7669eb09aabbcb9f3360bebf5cf42c6c89076a6eda7d32384a50
  • 312bdf1b97977a73f7f3ef48de2842beb505a18fac689a8fee473d94b42e5642
  • 1fc77b5aeb891d6fd9803fda5d20abc2f49835ae2daacf9f572559cd3941cbf5
  • f417007224bc2b16cc208eb26c1543340529a00ac8c919582eccd7d60a235243
  • f8793917d4d58470b6f9bb1714f4f3fba2c1fc188e97f416ab91ef6edcf07794
  • 316103a71d0ca556f00ff23f4ba996d2564dceccb88a2217fe1cc742123001d3
  • minecraftrpgserver.com
Download all indicators here!

Attack Patterns

  • 3Proxy
  • AntiAV
  • OrcusRAT
  • PureCrypter
  • XMRig
  • T1038
  • T1064
  • T1497
  • T1005
  • T1489
  • T1547
  • T1518
  • T1057
  • T1105
  • T1543
  • T1134
  • T1027
  • T1053
  • T1562
  • T1059