Cybercriminals are distributing malware through cracked versions of Microsoft Office, enticing users on torrent sites. This malware blend includes remote access trojans, cryptocurrency miners, downloaders, proxy tools, and anti-AV programs. Identified by AhnLab Security Intelligence Center, the campaign targets those downloading pirated software, offering fake Microsoft Office installers with sophisticated interfaces. These installers conceal malicious activities, leveraging legitimate platforms like Google Drive and GitHub to host payloads that introduce various malware strains upon execution, persisting through system reboots via Task Scheduler.
The malware arsenal installed through these cracked software includes Orcus RAT for remote control, XMRig for cryptocurrency mining, 3Proxy for creating proxy servers, PureCrypter for downloading additional payloads, and AntiAV to disable security software. Even if users remove these malware components, the persistent ‘Updater’ module reinstalls them upon system launch, maintaining the infection. This underscores the importance of caution when downloading files from untrustworthy sources, as pirated software often serves as a vector for malware distribution.
Similar campaigns have been employed to disseminate STOP ransomware, indicating a broader trend of using cracked software to deploy malicious payloads. As these files lack digital signatures and users may disregard antivirus warnings, they pose significant risks to system security. Users are advised to refrain from downloading pirated or cracked software to mitigate the threat of malware infection and protect their systems from compromise.
