Threat actors have been discovered to be using cracked versions of Microsoft Office to distribute a dangerous malware cocktail through illegal torrents.
Detected by the AhnLab Security Intelligence Center (ASEC), this malware campaign bundles together a collection of powerful malware strains – such as malware downloaders, cryptocurrency miners, and remote access trojans – to unleash a devastating attack. The malware is disguised as a cracked Microsoft Office installer, which would usually allow users to illegally download paid applications for free. However, those downloading this ‘cracked’ software are getting much more than they bargained for.
The Dangers of Malicious Torrents
Torrent sites, the use of which is generally illegal, have a long history of containing malware due to the unregulated nature of these sites. However, the promise of expensive software for nothing more than a few clicks is highly tempting to many internet users. Therefore, risks are taken and, occasionally, the consequences can be severe.
In this most recent example, torrents for Microsoft Office – as well as torrents for Windows and the Hangul word processor – are using professionally crafted interfaces to pass themselves off as legitimate software cracks. But despite the numerous options available, to apparently assist the user, these cracks have a nasty sting in their tail. Once the installer has been executed, a background process launches a hidden piece of malware which communicates with either a Mastodon or Telegram channel to download further malware.
This malware is downloaded from a URL pointing to either GitHub or Google Drive, two platforms which are both legitimate and unlikely to ring any alarm bells. Unfortunately, there’s plenty to be alarmed about. A series of dangerous malware types are downloaded to the user’s computer, and these include Orcus RAT, 3Proxy, XMRig, and PureCrypter. These all combine to harvest data, convert PCs into proxy servers, download further malware, and use PC resources to mine cryptocurrency.
All of these malware strains run in the background, but even if they’re detected, removing them has little impact. This is because an ‘updater’ component of the malware is registered in the Windows Task Scheduler and, if the malware strains have been removed, they are re-downloaded on the next system reboot. This makes it a persistent threat, and one which is difficult to fully remove from your system.
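The persistence mechanism described above gives defenders something concrete to hunt for: a scheduled task that fires at boot or logon and launches a binary from a user-writable folder. The following is an added example, not code from the ASEC report or the campaign itself; it assumes you have exported tasks as Task Scheduler XML (for instance with schtasks /query /xml) and uses two constructed sample tasks with placeholder names and paths.

```python
# Added example: hunt over exported Task Scheduler XML for the "updater"
# shape described in the article (boot/logon trigger + user-writable path).
# Task names, paths and XML below are constructed placeholders, not IoCs.
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger"}
# Folders a normal user can write to; legitimate updaters rarely live here.
SUSPICIOUS_PATH_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

SAMPLE_TASKS = {  # constructed samples for demonstration only
    "Benign-Daily": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments></Exec></Actions>
</Task>""",
    "Updater-Placeholder": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\Office\\updater.exe</Command></Exec></Actions>
</Task>""",
}


def assess_task(xml_text: str) -> dict:
    """Return trigger kinds, the Exec command and a suspicious verdict for one task."""
    root = ET.fromstring(xml_text)
    trig_node = root.find("t:Triggers", NS)
    # Strip the namespace so tags read as BootTrigger, LogonTrigger, CalendarTrigger...
    triggers = set() if trig_node is None else {t.tag.split("}")[1] for t in trig_node}
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    persistent = bool(triggers & PERSISTENCE_TRIGGERS)
    shady_path = any(hint in cmd.lower() for hint in SUSPICIOUS_PATH_HINTS)
    encoded_ps = "-enc" in args.lower()  # encoded PowerShell is a common re-download stager
    return {
        "triggers": sorted(triggers),
        "command": cmd,
        "suspicious": persistent and (shady_path or encoded_ps),
    }


def hunt(tasks: dict) -> list:
    """Names of tasks worth a closer look, in stable order."""
    return [name for name, xml in tasks.items() if assess_task(xml)["suspicious"]]


if __name__ == "__main__":
    for name in hunt(SAMPLE_TASKS):
        print(f"[!] review task {name}: {assess_task(SAMPLE_TASKS[name])['command']}")
```

A hit is a lead, not a verdict: confirm the binary's publisher and hash before removing the task, and remove the task before the payloads, otherwise the next reboot restores them.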
Shield Yourself: Avoiding Harmful Torrents
Clearly, it’s crucial that you protect your business from malicious torrents, but how do you do this? Well, it’s relatively simple if you implement the following strategies:
- Strict Download Policies: your IT infrastructure is delicate and needs to be protected by a strict download policy. All torrent sites, and associated torrent software, should be completely restricted within your business. Therefore, block all access to torrent sites, and put restrictions in place as to who can install applications within your business.
- Robust Security Software: many antivirus suites can detect malicious components in a download before it completes. Accordingly, it makes sense to have strong antivirus software in place – if a download is flagged as suspicious, you can cancel it before the installer ever launches. Additionally, an advanced firewall can detect and block any suspicious traffic in/out of your network related to torrent use.
- Employee Education: as ever, your employees are your strongest form of defense, so make sure that regular training sessions are conducted to highlight the dangers of torrents. These sessions can also be expanded to cover the telltale signs of malicious websites and phishing/social engineering attacks.
For more ways to secure and optimize your business technology, contact your local IT professionals.