Malware (XMRig, OrcusRAT, etc.) disguised as MS Office crack
May 10, 2024, 2:25 p.m.
Description
The report details an ongoing malware campaign targeting South Korean users, which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware, including downloaders, coin miners, remote access tools (RATs), proxies, and anti-antivirus components. These are installed persistently through scheduled tasks and utilise encoded PowerShell commands for updates. The primary malware families identified include Orcus RAT for system control, XMRig cryptominer, 3Proxy for creating a proxy network, and components to evade security products.
Tags
Date
- Created: May 10, 2024, 1:45 p.m.
- Published: May 10, 2024, 1:45 p.m.
- Modified: May 10, 2024, 2:25 p.m.
Indicators
Attack Patterns
- OrcusRAT
- PureCrypter
- XMRig
- T1593.001
- T1593.002
- T1562.004
- T1564.003
- T1564.001
- T1059.001
- T1562.001
- T1489
- T1105