Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.)

May 30, 2024, 7:31 a.m.

Description

The report analyzes a campaign in which threat actors distribute several malware families (RATs, coinminers and loaders) disguised as cracked versions of popular software such as MS Office. South Korean systems are heavily targeted. The malware persists through scheduled tasks and works to evade security products. The technical analysis covers the attack flow, the functionality of each malware component, the evasion tactics, and the infrastructure used in the campaign.

Date

Published: May 30, 2024, 7:10 a.m.
Created: May 30, 2024, 7:10 a.m.
Modified: May 30, 2024, 7:31 a.m.

Indicators (SHA-256 file hashes)

dc1d5aefdad703bcc127f2f1eda4f4b11a98dbdde5290b081e1ec571035130ee

8d08c6e09e94608170e93259d02d1bf7102b0768bbd0507c66c276836e0262a2

5e51e62c21052b2453d01a339f9e5acd499b1d8bac6d62d44b54aa7313882b69

5de473a10f6135de47080270e218e12a1ea276f15483ffcfe55da55019417e99

507e49380dac7669eb09aabbcb9f3360bebf5cf42c6c89076a6eda7d32384a50

312bdf1b97977a73f7f3ef48de2842beb505a18fac689a8fee473d94b42e5642

1fc77b5aeb891d6fd9803fda5d20abc2f49835ae2daacf9f572559cd3941cbf5

f417007224bc2b16cc208eb26c1543340529a00ac8c919582eccd7d60a235243

f8793917d4d58470b6f9bb1714f4f3fba2c1fc188e97f416ab91ef6edcf07794

316103a71d0ca556f00ff23f4ba996d2564dceccb88a2217fe1cc742123001d3
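The hashes above are only useful if they are actually swept against hosts. The script below is an added example, not part of the original report: it copies the ten SHA-256 indicators from this page verbatim, validates each line so a header or truncated line cannot silently enter the match set, hashes every regular file under a directory in fixed-size chunks, and reports files whose digest is on the list. The directory argument, the chunk size and the handling of unreadable files are assumptions; no samples from the campaign are included.

```python
"""IOC sweep: hash files on disk and match them against the SHA-256 list above.

Added example, not code from the original report. IOC_TEXT is copied from the
Indicators section; the target directory and chunk size are assumptions.
"""
import hashlib
import os
import re
import sys
from pathlib import Path
from typing import Dict, Set

# The ten SHA-256 indicators published on this page (copied verbatim).
IOC_TEXT = """
dc1d5aefdad703bcc127f2f1eda4f4b11a98dbdde5290b081e1ec571035130ee
8d08c6e09e94608170e93259d02d1bf7102b0768bbd0507c66c276836e0262a2
5e51e62c21052b2453d01a339f9e5acd499b1d8bac6d62d44b54aa7313882b69
5de473a10f6135de47080270e218e12a1ea276f15483ffcfe55da55019417e99
507e49380dac7669eb09aabbcb9f3360bebf5cf42c6c89076a6eda7d32384a50
312bdf1b97977a73f7f3ef48de2842beb505a18fac689a8fee473d94b42e5642
1fc77b5aeb891d6fd9803fda5d20abc2f49835ae2daacf9f572559cd3941cbf5
f417007224bc2b16cc208eb26c1543340529a00ac8c919582eccd7d60a235243
f8793917d4d58470b6f9bb1714f4f3fba2c1fc188e97f416ab91ef6edcf07794
316103a71d0ca556f00ff23f4ba996d2564dceccb88a2217fe1cc742123001d3
"""

# A SHA-256 digest is exactly 64 hex characters; anything else is rejected.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_iocs(text: str) -> Set[str]:
    """Return the set of well-formed SHA-256 hashes in `text`, lowercased.

    Lines that are not exactly 64 hex characters (headers, blank lines,
    truncated hashes) are dropped so they cannot poison the match set.
    """
    iocs: Set[str] = set()
    for line in text.splitlines():
        token = line.strip().lower()
        if SHA256_RE.match(token):
            iocs.add(token)
    return iocs


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, iocs: Set[str]) -> Dict[str, str]:
    """Walk `root` and return {path: sha256} for files whose hash is in `iocs`.

    Symlinks are not followed (a link into a huge or cyclic tree would stall
    the sweep) and unreadable files are skipped instead of aborting the run.
    """
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate.is_symlink() or not candidate.is_file():
                continue
            try:
                digest = sha256_file(candidate)
            except OSError:
                continue  # permission denied, vanished mid-walk, etc.
            if digest in iocs:
                hits[str(candidate)] = digest
    return hits


if __name__ == "__main__":
    # Assumed usage: python ioc_sweep.py <directory>; defaults to the CWD.
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit_path, hit_digest in sorted(sweep(target, parse_iocs(IOC_TEXT)).items()):
        print(f"MATCH {hit_digest}  {hit_path}")
```

Run it against download folders, browser caches and the directories the cracked installers would have been extracted to. A file hash only catches the exact artefacts listed here; repacked or recompiled variants will not match, so treat a clean sweep as "these specific samples are absent", not as proof the host is uninfected.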

Attack Patterns

Tools and malware families

3Proxy

AntiAV

OrcusRAT

PureCrypter

XMRig

MITRE ATT&CK techniques

T1038 DLL Search Order Hijacking (deprecated ID; now T1574.001)

T1064 Scripting (deprecated ID; now covered by T1059)

T1497 Virtualization/Sandbox Evasion

T1005 Data from Local System

T1489 Service Stop

T1547 Boot or Logon Autostart Execution

T1518 Software Discovery

T1057 Process Discovery

T1105 Ingress Tool Transfer

T1543 Create or Modify System Process

T1134 Access Token Manipulation

T1027 Obfuscated Files or Information

T1053 Scheduled Task/Job

T1562 Impair Defenses

T1059 Command and Scripting Interpreter