Malware (XMRig, OrcusRAT, etc.) disguised as MS Office crack

May 10, 2024, 2:25 p.m.

Description

The report details an ongoing malware campaign targeting South Korean users, which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware, including downloaders, coin miners, remote access tools (RATs), proxies, and anti-antivirus components. These are installed persistently through scheduled tasks and utilise encoded PowerShell commands for updates. The primary malware families identified include Orcus RAT for system control, XMRig cryptominer, 3Proxy for creating a proxy network, and components to evade security products.

Date

  • Created: May 10, 2024, 1:45 p.m.
  • Published: May 10, 2024, 1:45 p.m.
  • Modified: May 10, 2024, 2:25 p.m.

Indicators


Attack Patterns

  • OrcusRAT
  • PureCrypter
  • XMRig
  • T1593.001
  • T1593.002
  • T1562.004
  • T1564.003
  • T1564.001
  • T1059.001
  • T1562.001
  • T1489
  • T1105