Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.)

May 30, 2024, 7:31 a.m.

Description

The report analyzes a campaign in which threat actors distribute several malware strains, including a RAT (OrcusRAT), a coinminer (XMRig), a proxy tool (3Proxy), a loader (PureCrypter) and a security-product tampering component (AntiAV), disguised as cracked versions of popular software such as MS Office. South Korean systems are heavily targeted. The malware persists through scheduled tasks, which it also uses to re-download and re-install components, and it attempts to evade or disable security products. The detailed technical analysis covers the attack flow, each component's functionality, the evasion tactics, and the infrastructure used in the campaign.

Date

  • Created: May 30, 2024, 7:10 a.m.
  • Published: May 30, 2024, 7:10 a.m.
  • Modified: May 30, 2024, 7:31 a.m.

Indicators

  • dc1d5aefdad703bcc127f2f1eda4f4b11a98dbdde5290b081e1ec571035130ee
  • 8d08c6e09e94608170e93259d02d1bf7102b0768bbd0507c66c276836e0262a2
  • 5e51e62c21052b2453d01a339f9e5acd499b1d8bac6d62d44b54aa7313882b69
  • 5de473a10f6135de47080270e218e12a1ea276f15483ffcfe55da55019417e99
  • 507e49380dac7669eb09aabbcb9f3360bebf5cf42c6c89076a6eda7d32384a50
  • 312bdf1b97977a73f7f3ef48de2842beb505a18fac689a8fee473d94b42e5642
  • 1fc77b5aeb891d6fd9803fda5d20abc2f49835ae2daacf9f572559cd3941cbf5
  • f417007224bc2b16cc208eb26c1543340529a00ac8c919582eccd7d60a235243
  • f8793917d4d58470b6f9bb1714f4f3fba2c1fc188e97f416ab91ef6edcf07794
  • 316103a71d0ca556f00ff23f4ba996d2564dceccb88a2217fe1cc742123001d3
  • minecraftrpgserver.com
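The indicators above are a mix of SHA-256 file hashes and one domain. The following IOC sweep is an added example, not code from the report or from AhnLab: it hashes every file under a directory and matches the digests against the listed hashes, and it scans log lines for the listed domain (matching the domain itself and any subdomain, but not look-alike names that merely contain it). The directory contents and the DNS log lines it runs over are constructed for the demonstration; the one "planted" hash is the digest of a constructed file and is added only to exercise the match path, it is not an indicator from the report.

```python
"""IOC sweep for the indicators listed on this page (added example, not part
of the original report). Sample files and log lines below are constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 indicators copied from the list above.
IOC_SHA256 = {
    "dc1d5aefdad703bcc127f2f1eda4f4b11a98dbdde5290b081e1ec571035130ee",
    "8d08c6e09e94608170e93259d02d1bf7102b0768bbd0507c66c276836e0262a2",
    "5e51e62c21052b2453d01a339f9e5acd499b1d8bac6d62d44b54aa7313882b69",
    "5de473a10f6135de47080270e218e12a1ea276f15483ffcfe55da55019417e99",
    "507e49380dac7669eb09aabbcb9f3360bebf5cf42c6c89076a6eda7d32384a50",
    "312bdf1b97977a73f7f3ef48de2842beb505a18fac689a8fee473d94b42e5642",
    "1fc77b5aeb891d6fd9803fda5d20abc2f49835ae2daacf9f572559cd3941cbf5",
    "f417007224bc2b16cc208eb26c1543340529a00ac8c919582eccd7d60a235243",
    "f8793917d4d58470b6f9bb1714f4f3fba2c1fc188e97f416ab91ef6edcf07794",
    "316103a71d0ca556f00ff23f4ba996d2564dceccb88a2217fe1cc742123001d3",
}
# Domain indicator copied from the list above.
IOC_DOMAINS = {"minecraftrpgserver.com"}

# Constructed DNS log lines for the demonstration (not from the report).
LOG_LINES = [
    "2024-05-30T07:10:02Z dns client=10.0.0.17 query=A name=minecraftrpgserver.com",
    "2024-05-30T07:10:05Z dns client=10.0.0.17 query=A name=cdn.minecraftrpgserver.com",
    "2024-05-30T07:10:09Z dns client=10.0.0.42 query=A name=notminecraftrpgserver.com",
    "2024-05-30T07:10:11Z dns client=10.0.0.42 query=A name=update.microsoft.com",
]

HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, hashes=IOC_SHA256):
    """Return {path: sha256} for every regular file under root whose hash is an IOC."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in hashes:
                hits[p] = digest
    return hits


def hosts_in_line(line):
    """Pull hostname-looking tokens out of a log line (lower-cased)."""
    return HOST_RE.findall(line.lower())


def matches_domain(host, domains=IOC_DOMAINS):
    """Return the IOC domain that host equals or is a subdomain of, else None.
    'notminecraftrpgserver.com' and 'minecraftrpgserver.com.evil.test' do not match."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep_logs(lines, domains=IOC_DOMAINS):
    """Return (line, host) for every log line that resolves an IOC domain or subdomain."""
    hits = []
    for line in lines:
        for host in hosts_in_line(line):
            if matches_domain(host, domains):
                hits.append((line, host))
    return hits


def demo():
    """Run both sweeps on constructed data and return (file hits by name, log hits).
    The hash of the constructed 'setup.exe' is added to a copy of the IOC set only
    to show a match; it is not an indicator from the report."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "readme.txt").write_bytes(b"constructed benign content\n")
        planted = Path(tmp) / "setup.exe"
        planted.write_bytes(b"constructed stand-in for a flagged sample\n")
        hashes = IOC_SHA256 | {sha256_file(planted)}
        file_hits = {os.path.basename(p): d for p, d in sweep_files(tmp, hashes).items()}
    return file_hits, sweep_logs(LOG_LINES)


if __name__ == "__main__":
    files, logs = demo()
    print("file hits:", files)
    for line, host in logs:
        print("log hit:", host, "<-", line)
```

Hash matching only catches the exact samples the report lists; re-packed crack bundles will have different digests, so pair the sweep with a review of scheduled tasks (the persistence mechanism the report describes) and with the domain check above, which is the more durable of the two indicators.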

Attack Patterns

  • 3Proxy (proxy tool)
  • AntiAV (security-product tampering component)
  • OrcusRAT (remote access trojan)
  • PureCrypter (loader)
  • XMRig (coinminer)
  • T1038 - DLL Search Order Hijacking (deprecated ID, now T1574.001)
  • T1064 - Scripting (deprecated ID, superseded by T1059)
  • T1497 - Virtualization/Sandbox Evasion
  • T1005 - Data from Local System
  • T1489 - Service Stop
  • T1547 - Boot or Logon Autostart Execution
  • T1518 - Software Discovery
  • T1057 - Process Discovery
  • T1105 - Ingress Tool Transfer
  • T1543 - Create or Modify System Process
  • T1134 - Access Token Manipulation
  • T1027 - Obfuscated Files or Information
  • T1053 - Scheduled Task/Job
  • T1562 - Impair Defenses
  • T1059 - Command and Scripting Interpreter