AhnLab SEcurity intelligence Center (ASEC) has previously introduced the dangers of malware disguised as crack programs through a post titled “Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.)”. [1]
Malware strains disguised as crack programs are primarily distributed through file-sharing platforms, blogs, and torrents, leading to the infection of multiple systems. These infected systems are continually managed by threat actors through periodic updates.
In this case, it was confirmed that the threat actor installed different malware based on the presence of V3. They maintained persistence by registering the malware in the Task Scheduler and updating it regularly. This persistence management technique is ineffective in environments where V3, which cleans the Task Scheduler, is installed. However, in environments where the Task Scheduler is not cleaned, even if the malware present in the system is removed, additional malware infections can occur.
As such, threat actors continue to obstruct the installation of V3. The example below shows malware disguised as a crack program that ultimately installs XMRig, specifying the V3 Lite installation process with the “kill-targets” option. With this, it is evident that the threat actor, rather than bypassing the security product directly, chose to prevent the installation of V3 Lite in environments where it is not already installed to maintain persistence.
| “kill-targets”: “V3Lite_Setup.exe,V3Lite_Setup (1).exe,V3Lite_Setup (2).exe,openssl.exe,natsvc.exe,smmgr.exe,v_service.exe,v_member.exe,akdanhall-installer-build-433.msi,akdanhall-installer-build-433 (1).msi,akdanhall-installer-build-433 (2).msi” |
(Original filename: V3Lite_Setup.exe, Test modified filename: V3Lite_Setup_Temp.exe)
However, since XMRig’s “kill-targets” option operates based on the process name, it is possible to install V3 on an infected system that does not have V3 by changing the installer’s file name (any name other than “V3Lite_Setup.exe, V3Lite_Setup (1).exe, and V3Lite_Setup (2).exe” is acceptable). Figure 1 shows the installation of V3 in a situation where a CoinMiner is present by changing the installer’s file name. In the same infected environment, if the installation is attempted with the original file name “V3Lite_Setup.exe”, the process immediately terminates, preventing the user from seeing any UI or installation results. Therefore, if there is no response when attempting to install V3 Lite, malware infection should be suspected, and V3 Lite must be installed by changing the file name.
It is crucial for users to install V3 to remove malware and clean the Task Scheduler to prevent persistent infections. Additionally, regularly updating the product to the latest version is effective in preemptively blocking malware infections. Since many instances of malware disguised as crack programs aim to remove anti-malware software, users should exercise caution when running programs downloaded from sources such as file-sharing sites or blogs.
Currently, V3 diagnoses the distribution process of malware disguised as crack programs from various perspectives as follows. Recent findings indicate that they are still being distributed disguised as Hancom installation files and KMS Auto cracks, requiring users to exercise particular caution.
File Detection
Dropper/Win.Agent.R637637 (2024.03.26.01)
Downloader/Win.Agent.C5436284 (2023.06.03.00)
PUP/Win.NirCmd.C5649266 (2024.07.12.02)
Behavior Detection
Execution/MDP.NirCMD.M4883
Execution/MDP.NirCMD.M4621
IoCs
MD5s
– ba269f032410c284b0b369b045a9fb9b
– 77a5bd4e03fc9a653b4e8c33996d19a0
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Warning Against the Distribution of Malware Disguised as Software Cracks (Disrupts V3 Lite Installation) appeared first on ASEC BLOG.