Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.) – ASEC BLOG

AhnLab ASEC reports on malware distributed as cracked software in Korea, delivering Orcus RAT, XMRig, and other payloads to victims via cracked Windows and Hangul Word Processor software. The attack chain uses Task Scheduler persistence and PowerShell, with Base64-encoded commands downloaded from GitHub and Google Drive and the download URLs obtained through Telegram and Mastodon, enabling repeated infections even after initial removal. #OrcusRAT #XMRig #3Proxy #PureCrypter #AntiAV #HangulWordProcessor #MSOffice #Telegram #Mastodon #GoogleDrive #GitHub #Korea

Keypoints

  • Malware is distributed under the guise of cracked software (Windows, Hangul Word Processor, MS Office) to Korean users via file-sharing services and torrents.
  • Malware registers to the Task Scheduler, and the scheduled task runs PowerShell commands to install additional malware, enabling persistence.
  • Updater and other components download through GitHub and Google Drive, with payloads encoded in Base64 and executed via PowerShell.
  • The threat actor uses Telegram and Mastodon as channels to obtain download URLs and command data, including a stated victim-facing phrase.
  • Installed malware families include Orcus RAT, XMRig, 3Proxy, PureCrypter, and AntiAV; 3Proxy enables proxying, and Orcus RAT provides remote control with exfiltration capabilities.
  • Defense and remediation hinge on keeping V3 updated and remediating the Task Scheduler to prevent repeated infections.
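As an added, defender-side example that is not part of the ASEC post: a PowerShell hunt over the local Task Scheduler for the traits the report describes, namely a task action that launches PowerShell with an encoded command, an inline Base64 decode, or a download from the channels the report names. The host list combines the report's IoC domain with the hosting and messaging services it mentions; it is an assumption to tune rather than a complete detection.

```powershell
# Added hunting script (not from the ASEC post). Run as Administrator so every
# task path is visible. Flags PowerShell task actions that carry the traits of
# the reported chain: -EncodedCommand, FromBase64String, download cmdlets, or
# references to the hosting/C2 channels named in the report.

# Hosts: the report's IoC domain plus the services it names as channels (assumed list).
$SuspiciousHosts = @('github.com', 'drive.usercontent.google.com', 'drive.google.com',
                     't.me', 'mastodon.social', 'minecraftrpgserver.com')

function Test-SuspiciousTaskAction {
    param([Parameter(Mandatory)]$Task, [Parameter(Mandatory)]$Action)

    $exe       = ([string]$Action.Execute).Trim('"')
    $argString = [string]$Action.Arguments
    $reasons   = [System.Collections.Generic.List[string]]::new()
    $decoded   = $null

    # Only PowerShell launchers matter for this report's persistence mechanism.
    if ($exe -notmatch '(?i)(^|\\)(powershell|pwsh)(\.exe)?$') { return }

    # -e / -ec / -enc / -EncodedCommand take a Base64 UTF-16LE script; decode it for review.
    if ($argString -match '(?i)-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})') {
        $reasons.Add('EncodedCommand')
        try {
            $decoded = [System.Text.Encoding]::Unicode.GetString(
                           [System.Convert]::FromBase64String($Matches[1]))
        } catch { $decoded = '<Base64 decode failed>' }
    }
    # Inline decoding of a downloaded Base64 blob, as described in the report.
    if ($argString -match '(?i)FromBase64String') { $reasons.Add('Base64Decode') }
    if ($argString -match '(?i)(Invoke-WebRequest|\biwr\b|DownloadString|Net\.WebClient|Invoke-RestMethod|\birm\b)') {
        $reasons.Add('Downloader')
    }
    # Check both the raw arguments and the decoded script for the known channels.
    $text = "$argString`n$decoded"
    foreach ($h in $SuspiciousHosts) {
        if ($text -match [regex]::Escape($h)) { $reasons.Add("Host:$h") }
    }
    if ($reasons.Count -eq 0) { return }

    [pscustomobject]@{
        TaskName  = $Task.TaskName
        TaskPath  = $Task.TaskPath
        Execute   = $exe
        Arguments = $argString
        Decoded   = $decoded
        Reasons   = ($reasons -join ', ')
    }
}

Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) { Test-SuspiciousTaskAction -Task $t -Action $a }
} | Format-List
```

Review each hit's TaskPath and Decoded script before removing the task; the report notes that leaving the scheduled task in place is what allows reinfection after the payloads are cleaned.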

MITRE Techniques

  • [T1053.005] Scheduled Task – The malware registers to the Task Scheduler to maintain persistence; “registering to the Task Scheduler in the infected system. After task registration, the Task Scheduler executes PowerShell commands to install the malware.”
  • [T1059.001] PowerShell – PowerShell commands are used to install and update malware, including commands obtained via Base64-encoded strings.
  • [T1027.001] Base64 Encoding – Data downloaded from GitHub and Google Drive are Base64-encoded strings that decode to PowerShell commands for installing payloads.
  • [T1053.005] Scheduled Task (Persistence) – The Updater component also registers to the Task Scheduler so that it keeps running after reboot.
  • [T1105] Ingress Tool Transfer – Download URLs are obtained by abusing Telegram/Mastodon and then used to fetch payloads.
  • [T1071.001] Web Protocols – Telegram and Mastodon URLs used to host/download payloads and commands.
  • [T1021.001] Remote Services – Orcus RAT/XMRig can enable remote control features, including RDP.
  • [T1562.004] Impair Defenses – AntiAV malware disrupts security products by modifying configuration files.
  • [T1090] Proxy – 3Proxy opens port 3306 and allows the infected system to be used as a proxy.
  • [T1059.001] PowerShell (Secondary) – PowerShell updates and commands facilitate installation of additional malware (Updater, XMRig, Orcus RAT).
  • [T1125] Video Capture – Orcus RAT supports webcam-based exfiltration as part of its data exfiltration features.
  • [T1056.001] Keylogging – Orcus RAT provides keylogging for information exfiltration.

Indicators of Compromise

  • [MD5] 77a5bd4e03fc9a653b4e8c33996d19a0, 3a4d761de4fac0c2e47a5c84fca78c0f and 4 more hashes – Malware disguised as cracked software (oinstall.exe) and downloader components.
  • [MD5] Additional hashes (not reproduced here) – Downloader components such as software_reporter_tool.exe, dwm.exe, and InstallUtil.exe.
  • [File Name] oinstall.exe, software_reporter_tool.exe, dwm.exe – Filenames tied to the downloader and dropper components.
  • [Domain] minecraftrpgserver[.]com – Used by the malware for C2/mining traffic on multiple ports (80, 27037, 27036).
  • [URL] t.me/dRidulEDhRQYNREkN, mastodon.social/@dRidulEDhRQYNREkN – Telegram/Mastodon download or command channels used by the actor.
  • [URL] drive.usercontent.google[.]com/download?…export=download – Google Drive download links delivering PowerShell commands (Base64 encoded).

Read more: https://asec.ahnlab.com/en/66017/