Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.) – ASEC BLOG

Through a post titled “Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack” [1], AhnLab SEcurity intelligence Center (ASEC) previously disclosed an attack case in which a threat actor distributed RAT and CoinMiner to Korean users. Until recently, the attacker created and distributed various malware strains, such as downloaders, CoinMiner, RAT, Proxy, and AntiAV.

Numerous systems in South Korea tend to become infected by malware strains that are distributed under the guise of cracked versions of legitimate programs, such as Hangul Word Processor or activation tools for Windows or Microsoft Office. Threat actors have been upgrading their malware by adding another layer to this process: registering a task in the Task Scheduler of the infected system. After task registration, the Task Scheduler executes PowerShell commands that install the malware. If the registered task is not remediated, new malware strains are consistently installed on the system.

Because V3 remediates the tasks installed by the malware, users who have installed V3 do not experience issues with repeated malware installations even if they install malware disguised as cracked software. However, systems without V3 may suffer from continuous malware installations, as they may be unable to remediate the Task Scheduler despite removing the installed malware. The installed malware strains included a type that runs updates, so the infection persists even after the previous URL is blocked because the PowerShell commands registered to the Task Scheduler change constantly. This issue has left many infected Korean systems without remediation, and the attacker is already abusing this weakness to use the systems as proxies or to mine cryptocurrency. Because control of these systems has been taken over, their users’ information is also prone to theft.

1. Attack Flow

The attack flow is similar to previous cases. A recently detected distribution case involved malware disguised as a cracked version of MS Office, which was propagated via file-sharing services and torrents. The difference from previous samples is that a step for acquiring the download URL was added, along with the platform used to host the malware.

Figure 1. Attack flow

2. Malware in Disguise

Because the malware in disguise installs and displays the actual cracked program alongside its own installation, users may consider it legitimate cracked software.

Figure 2. The cracked program installed upon malware execution

The malware disguised and distributed as cracked software was developed using .NET, and recently it was found to be obfuscated. Before obfuscation, it had the following structure, and upon its initial execution it obtained the download URL by accessing Telegram.

Figure 3. The routine for obtaining the download URL by abusing Telegram

The recently distributed malware had two Telegram URLs and one Mastodon URL. Each profile included a string used in the Google Drive URL or the GitHub URL. The threat actor posted the phrase “I prefer dangerous freedom over peaceful slavery.” and means of contact on their channel.

Figure 4. Threat actor’s Telegram profile
Figure 5. Threat actor’s Telegram channel

The data downloaded from GitHub and Google Drive are Base64-encoded strings, as shown in the following. Once decoded, these strings prove to be PowerShell commands, which are ultimately responsible for installing various malware strains.

Figure 6. Commands encoded in Base64

3. Malware Analysis

3.1. Updater

Notable characteristics of the malware include copying the PowerShell program to “C:\ProgramData\KB5026372.exe” for its own use, and downloading a compressed file uploaded to GitHub and Google Drive and decompressing it with a 7zip program installed at “C:\ProgramData\Google\7z.exe”. These methods are identical to the tactics introduced in the previous blog post; the password for the locked compressed file has always been “x” as well.

Figure 7. Malware installation using 7z and PowerShell

Updater malware called “software_reporter_tool.exe” is responsible for downloading the malware and maintaining its persistence. The Updater also registers itself to the Task Scheduler so that it keeps operating even after a system reboot. The registered PowerShell command updates the Updater malware again and installs additional malware.

Figure 8. PowerShell commands registered to the Task Scheduler
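The registered task is the part defenders most need to find, since removing the dropped files alone leaves it in place. The following PowerShell triage script is an added example and is not part of the ASEC post; it enumerates scheduled tasks whose action launches PowerShell with an encoded command, a download cmdlet or a hidden window, decodes any -EncodedCommand payload for review, and flags the file names the post associates with this campaign (the function and parameter names are this example’s own).

```powershell
# Added example (not from the ASEC post): triage scheduled tasks whose actions
# launch PowerShell with an encoded/downloading command, the persistence
# mechanism described above. Indicator names come from the post; the function
# and parameter names are this example's own.
function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # File names/paths the post associates with this campaign
        [string[]] $KnownIndicators = @(
            'KB5026372.exe', 'ProgramData\Google\7z.exe', 'software_reporter_tool.exe'
        )
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; skip e-mail/message actions
            if (-not $action.Execute) { continue }
            $cmd = "$($action.Execute) $($action.Arguments)"
            $reasons = @()
            if ($cmd -match '(?i)powershell|pwsh') {
                if ($cmd -match '(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}') { $reasons += 'encoded command' }
                if ($cmd -match '(?i)downloadstring|downloadfile|invoke-webrequest|iwr|wget|curl|Net\.WebClient') { $reasons += 'download cmdlet' }
                if ($cmd -match '(?i)-w(indowstyle)?\s+hidden') { $reasons += 'hidden window' }
            }
            foreach ($ioc in $KnownIndicators) {
                if ($cmd -like "*$ioc*") { $reasons += "known indicator: $ioc" }
            }
            if ($reasons.Count -eq 0) { continue }
            # Decode -EncodedCommand payloads (UTF-16LE Base64) so the analyst can read them
            $decoded = $null
            if ($cmd -match '(?i)-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})') {
                try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch {}
            }
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Author   = $task.Author
                Command  = $cmd
                Reasons  = ($reasons -join '; ')
                Decoded  = $decoded
            }
        }
    }
}

# Review the output, then remove confirmed-malicious tasks with Unregister-ScheduledTask
Get-SuspiciousScheduledTask | Format-List
```

Run it from an elevated prompt so tasks registered under other accounts are visible; the decoded payload shows the download URL the task currently points to, which changes between updates.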

3.2. Installed Malware

In previous cases, the attacker selected and installed either Orcus RAT or XMRig, depending on whether V3 was installed in the target system or not. Among the six malware types installed additionally, Updater, XMRig, and Orcus RAT are similar to the cases in the past.

Orcus RAT not only supports basic remote control features, such as system information collection, command execution, and file, registry, and process tasks, but also provides information exfiltration functions using keylogging and webcams. Moreover, because it supports screen control through HVNC and RDP, the threat actor can control the infected system and exfiltrate information from it.

Figure 9. Orcus RAT used in attacks

The XMRig deployed for the attack also supports options akin to those from previous cases. Using the “stealth-targets” option, which stops mining when a designated process is running, the threat actor set the mining process to stop when the system executed programs that occupied a considerable amount of system resources, such as games, hardware monitoring utilities, and programs for graphics processing. Meanwhile, the “kill-targets” option, which shuts down ongoing processes with designated names, was used to target grid programs that consume system resources or installers of various security programs.

{
"algo": "rx/0",
"pool": "minecraftrpgserver[.]com",
"port": 27037,
"wallet": "ZEPHs9eCMMza6HRoytdTWnUBP28xnRMhUK7z6smekMurCVVS57GPfqK5uewE7cgiqn4jBoJbi9teC9e6fraJaQoL2UhTMXNB1vs",
"password": "",
"nicehash": false,
"ssltls": true,
"max-cpu": 20,
"idle-wait": 5,
"idle-cpu": 80,
"stealth-targets": "MSIAfterburner.exe,HWiNFO32.exe,HWiNFO64.exe,HWMonitor_x32.exe,HWMonitor_x64.exe,HWMonitorPro_x32.exe,HWMonitorPro_x64.exe,NZXT CAM.exe,speedfan.exe,Core Temp.exe,OpenHardwareMonitor.exe,OCCT.exe,FurMark.exe,TslGame.exe,TslGame_SE.exe,GTA5.exe,GTA6.exe,fifazf.exe,fifa4zf.exe,fifa5zf.exe,FIFA21.exe,FIFA22.exe,FIFA23.exe,FIFA24.exe,FIFA25.exe,League of Legends.exe,LOSTARK.exe,VALORANT.exe,Overwatch.exe,suddenattack.exe,javaw.exe,SC2.exe,SC2_x64.exe,DNF.exe,BlackDesert64.exe,BNSR.exe,ProjectLH.exe,Wow.exe,AfterFX.exe,AFCStudio2.exe,cod.exe,RobloxPlayerBeta.exe,RobloxPlayer.exe,KartDrift-Win64-Shipping.exe,Adobe Premiere Pro.exe,EternalReturn.exe,destiny2.exe,blender.exe,Photoshop.exe,acad.exe,Diablo IV.exe,Cyphers.exe,r5apex.exe,dota2.exe,GameOverlayUI.exe,EOSOverlayRenderer-Win64-Shipping.exe,EpicOnlineServicesUserHelper.exe,obs64.exe,Lineage2M.exe,Q7-Win64-Shipping.exe,rojectN-Win64-Shipping.exe,ProjectER-Win64-Shipping.exe,DW9.exe,XSplit.Core.exe,XSplitVCam.exe,fczf.exe",
"kill-targets": "V3Lite_Setup.exe,V3Lite_Setup (1).exe,V3Lite_Setup (2).exe,openssl.exe,natsvc.exe,smmgr.exe,v_service.exe,v_member.exe,akdanhall-installer-build-433.msi,akdanhall-installer-build-433 (1).msi,akdanhall-installer-build-433 (2).msi",
"stealth-fullscreen": false
}

3Proxy is an open-source tool that provides a proxy server feature. The malware adds a firewall rule allowing port 3306 and injects 3Proxy into a legitimate process. After injection, 3Proxy listens on port 3306, enabling the threat actor to abuse the infected system as a proxy.

Figure 10. 3Proxy’s configuration file
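A quick host check for this foothold, added here as an example that is not part of the ASEC post: it lists inbound firewall rules that allow TCP 3306 and any process listening on that port, and marks a listener as suspicious when it belongs to dwm.exe (the IoC list names dwm.exe as the injected host) or runs from outside the Windows directory. The port number and the dwm.exe heuristic are assumptions based on the post; the function name is this example’s own.

```powershell
# Added example (not from the ASEC post): look for the 3Proxy foothold described
# above: an inbound allow rule for TCP 3306 plus a listener on that port owned by
# a process that should never listen, e.g. an injected dwm.exe.
function Get-ProxyPortExposure {
    param([int] $Port = 3306)   # port from the post; adjust if the campaign changes it
    $findings = @()

    # 1. Inbound allow rules for the port (the malware adds one before injection)
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($r in $rules) {
        $findings += [pscustomobject]@{
            Kind = 'FirewallRule'; Name = $r.DisplayName
            Suspicious = [bool]$r.Enabled; Detail = "Profile=$($r.Profile) Group=$($r.Group)"
        }
    }

    # 2. Listening sockets on the port and the owning process
    foreach ($c in Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($p) { $p.Path } else { $null }
        # Heuristic (assumption): dwm.exe never listens on TCP, and a listener
        # outside %SystemRoot% on a database port deserves a look
        $suspicious = ($p -and $p.ProcessName -ieq 'dwm') -or
                      ($path -and $path -notlike "$env:SystemRoot\*")
        $findings += [pscustomobject]@{
            Kind = 'Listener'; Name = "$($p.ProcessName) (PID $($c.OwningProcess))"
            Suspicious = [bool]$suspicious; Detail = "$($c.LocalAddress) $path"
        }
    }
    $findings
}

Get-ProxyPortExposure | Format-Table -AutoSize
```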

Other malicious files include PureCrypter, which downloads and executes additional payloads from external sources, and AntiAV malware, which disrupts the operation of security products. The AntiAV malware prevents a security program from operating properly by constantly modifying the configuration file inside its installation folder whenever the program is executed.

Figure 11. A Korean security program unable to operate properly due to the AntiAV malware

4. Conclusion

The distribution of malware disguised as cracked software is ongoing, targeting users in Korea. The threat actor spread malware strains made to look like cracked versions of Windows, MS Office, and Hangul Word Processor, leading many Korean users to fall victim to the attack. The attacker also registered malware installation commands to the Task Scheduler to maintain persistence, leading to repeated installations of new malware on systems where users failed to remove the registered task.

The attacker has distributed new malware multiple times every week to bypass file detection, and this behavior has persisted until recently. Accordingly, the number of infected systems is rising as the registered task continues to install new malware regularly even after the previous malware has been removed.

Users must be wary when running executable files downloaded from file-sharing sites, and it is recommended to download products such as utility programs and games from their official websites. They must also update V3 to the latest version to prevent the malware infection introduced in this post. For already infected systems, repeated malware infections can be prevented by remediating the Task Scheduler after installing V3.

File Detection
– Downloader/JOB.Generic.S2560 (2024.02.02.02)
– Downloader/Win.Agent.C5590498 (2024.02.19.03)
– Downloader/Win.Agent.C5602420 (2024.03.20.00)
– Downloader/Win.Agent.C5609953 (2024.04.08.02)
– Downloader/Win.Agent.C5613148 (2024.04.16.00)
– Downloader/Win.Agent.C5619970 (2024.05.09.02)
– Backdoor/Win.Orcusrat.C5619968 (2024.05.09.02)
– Trojan/Win.AntiAV.C5619969 (2024.05.09.02)
– Dropper/Win.3Proxy.C5619967 (2024.05.09.02)
– Trojan/Win.3Proxy.C5619966 (2024.05.09.02)
– Downloader/Win.PureCrypter.C5619963 (2024.05.09.02)
– CoinMiner/Win.XMRig.C5616159 (2024.04.25.02)
– CoinMiner/Win.XMRig.C5613170 (2024.04.16.00)
– Data/BIN.EncPe (2024.04.16.00)

Behavior Detection
– Infostealer/MDP.Behavior.M1965
– DevenseEvasion/MDP.AntiVM.M3090
– Malware/MDP.Behavior.M3108
– Behavior/MDP.Create.M4591
– Execution/MDP.Event.M4832

IoCs
MD5s

– 77a5bd4e03fc9a653b4e8c33996d19a0: Malware disguised as cracked software (oinstall.exe)
– 3a4d761de4fac0c2e47a5c84fca78c0f: Downloader (software_reporter_tool.exe)
– 5dd8cdd4e80185b60d43511987b254cd: Downloader (software_reporter_tool.exe)
– 6a648b7d0e4ae16f6beb170decd5b0b6: Downloader (software_reporter_tool.exe)
– 08299a45472f501644b4daa458336428: Downloader (software_reporter_tool.exe)
– 27623130a8e8b792fc99cbdcecee3177: 3Proxy – Dropper (dwm.exe)
– abdbfe7b8f4976935b87a0a0e67d1da0: 3Proxy (dwm.exe)
– 93899d3008af9df6b7d261445b3e8f59: Orcus RAT (dwm.exe)
– 151cd4702bc15421c24fd5930f119a48: PureCrypter (dwm.exe)
– d00feba624fa6fdcbad1b1219f3f2da7: AntiAV (dwm.exe)
– 1b5393ac3eceda9b16836039f7d04c5e: XMRig (InstallUtil.exe)
– c9cdc0c746fa9095bd87b455f8f9c3c8: XMRig – encoded
– f836a133490929ea0185d50e10bd11c0: XMRig – decoded

C&Cs
– minecraftrpgserver[.]com:80: PureCrypter
– minecraftrpgserver[.]com:27036: Orcus RAT
– minecraftrpgserver[.]com:27037: XMRig

Download URLs
– hxxps://t[.]me/dRidulEDhRQYNREkN: Malware disguised as cracked software
– hxxps://t[.]me/IXvMGsiyPuHoPSSiD: Malware disguised as cracked software
– hxxps://mastodon[.]social/@dRidulEDhRQYNREkN: Malware disguised as cracked software
– hxxps://drive.usercontent.google[.]com/download?id=1kFPqJkzWKIIQzC3b0b6nunctXKHPeJNi&export=download: PowerShell commands encoded in Base64
– hxxps://drive.usercontent.google[.]com/download?id=1SFoSCa4PhCsR7ACj8HUIfrU7L1i8YwiR&export=download: PowerShell commands encoded in Base64
– hxxps://gist.github[.]com/thamanarya/6510d9e6b96adfea6b9422a3fd22ef82/raw/Power: PowerShell commands encoded in Base64


Source: https://asec.ahnlab.com/en/66017/