Malware (XMRig, OrcusRAT, etc.) disguised as MS Office crack

May 10, 2024, 2:25 p.m.

Description

The report details an ongoing malware campaign targeting South Korean users, in which malicious payloads are disguised as cracked versions of Microsoft Office and other popular software. The attackers distribute a variety of malware, including downloaders, coin miners, remote access tools (RATs), proxies, and anti-antivirus components. These components gain persistence through scheduled tasks and use encoded PowerShell commands to fetch updates. The primary malware families identified are Orcus RAT for system control, the XMRig cryptominer, 3Proxy for building a proxy network, and components that evade security products.

Date

Published: May 10, 2024, 1:45 p.m.

Created: May 10, 2024, 1:45 p.m.

Modified: May 10, 2024, 2:25 p.m.

Indicators


Attack Patterns

OrcusRAT

PureCrypter

XMRig

T1593.001

T1593.002

T1562.004

T1564.003

T1564.001

T1059.001

T1562.001

T1489

T1105