Caution: Malware Disguised as Software Cracks Disrupting V3 Lite Installation

Malware disguised as crack programs is spread via file-sharing platforms, blogs, and torrents; it installs payloads such as the XMRig CoinMiner and other tools, and the threat actors maintain persistence through the Task Scheduler. In infected environments the malware also obstructs V3 Lite installation: the installer is terminated when run under its original filename, so it only runs after being renamed. Users are urged to stay vigilant and to install V3 to remove the infection.
#XMRig #OrcusRAT #V3Lite #Hancom #KMSAutoCracks #NirCmd #AhnLab

Keypoints

  • Malware is distributed through cracked software on file-sharing sites, blogs, and torrents, leading to infections across multiple systems.
  • Threat actors use the presence of V3 to decide which malware to install and rely on Task Scheduler for persistence.
  • Persistence via Task Scheduler can be defeated if the Task Scheduler is cleaned; otherwise, infections can recur even after cleanup.
  • Attackers obstruct V3 Lite installation by terminating processes that match the original installer filename, so the installer only runs after it is renamed; the malware keeps running in the background while doing so.
  • The campaign includes a CoinMiner (XMRig) as part of the payload and shows specific filenames and binaries used in the installation.
  • Detected file indicators include specific dropper/downloader families and MD5 hashes for IOC cataloging.
  • Users are advised to install V3 to remove malware and clean Task Scheduler, and to avoid cracked software from untrusted sources.

MITRE Techniques

  • [T1053.005] Scheduled Task – Used to maintain persistence by registering the malware in the Task Scheduler and updating it regularly. “They maintained persistence by registering the malware in the Task Scheduler and updating it regularly.”
  • [T1036] Masquerading – The malware is distributed disguised as crack programs; on an infected system, V3 could only be installed after the installer was renamed, because the original filename is terminated immediately. “Figure 1 shows the installation of V3 in a situation where a CoinMiner is present by changing the installer’s file name. In the same infected environment, if the installation is attempted with the original file name ‘V3Lite_Setup.exe’, the process immediately terminates”
  • [T1496] Resource Hijacking – The malware ultimately installs XMRig for cryptocurrency mining. “that ultimately installs XMRig”
  • [T1562.001] Impair Defenses – The campaign aims at stealth and at disabling defenses; many crack-distributed malware samples try to remove anti-malware software. “many instances of malware disguised as crack programs aim to remove anti-malware software”

Indicators of Compromise

  • [File Name] V3Lite_Setup.exe, V3Lite_Setup (1).exe – the V3 Lite installer and a renamed copy; context: the original filename is terminated on infected systems, so renamed copies were used to get the installer to run.
  • [File Name] V3Lite_Setup (2).exe – another renamed copy of the installer used in the installation attempts; context: filename variation to get past the process termination.
  • [File Name] openssl.exe, natsvc.exe, smmgr.exe, v_service.exe, v_member.exe – files listed as part of the installation payload; context: named components in the malware bundle.
  • [File Name] akdanhall-installer-build-433.msi, akdanhall-installer-build-433 (1).msi, akdanhall-installer-build-433 (2).msi – installer components used in the infection chain; context: MSI installers included in the package.
  • [MD5] ba269f032410c284b0b369b045a9fb9b, 77a5bd4e03fc9a653b4e8c33996d19a0 – known MD5 checksums associated with the threat; context: detection fingerprints.
  • [File Detection] Dropper/Win.Agent.R637637 (2024.03.26.01), Downloader/Win.Agent.C5436284 (2023.06.03.00), PUP/Win.NirCmd.C5649266 (2024.07.12.02) – AhnLab detection names (with signature dates) used to classify the components; context: named indicators.
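The persistence point in the Keypoints (Task Scheduler entries must be cleaned or the infection recurs) and the IoC list above lend themselves to a small hunt script. The following is an added example, not code from the ASEC post or from AhnLab: it parses the CSV that `schtasks /query /fo CSV /v` produces on Windows, flags any task whose "Task To Run" launches one of the payload filenames listed above, prints the `schtasks /delete` command that removes it, and checks a file-hash inventory against the two MD5 values from the post. The CSV rows, task names and paths embedded here are constructed so the script runs offline; only the filenames and hashes come from the page.

```python
"""Hunt scheduled tasks and file hashes against the IoCs listed in the post.

Added example (not from the ASEC post). The CSV columns "TaskName" and
"Task To Run" are those of `schtasks /query /fo CSV /v`; the sample rows,
task names and paths below are constructed for demonstration.
"""
import csv
import io
from pathlib import PureWindowsPath

# Payload component filenames from the post's IoC list.
IOC_FILENAMES = {"openssl.exe", "natsvc.exe", "smmgr.exe", "v_service.exe", "v_member.exe"}

# MD5 values from the post's IoC list.
IOC_MD5 = {"ba269f032410c284b0b369b045a9fb9b", "77a5bd4e03fc9a653b4e8c33996d19a0"}

# Constructed subset of `schtasks /query /fo CSV /v` output: one legitimate
# Windows task and two tasks that launch payload components from made-up paths.
SAMPLE_CSV = '''"TaskName","Status","Author","Task To Run","Run As User"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"
"\\WindowsUpdateCheck","Ready","WS01\\user","""C:\\ProgramData\\Updater\\natsvc.exe"" --quiet","user"
"\\OfficeSync","Ready","WS01\\user","C:\\Users\\user\\AppData\\Roaming\\smmgr.exe","user"
'''


def executable_of(task_to_run: str) -> str:
    """Return the lower-cased file name of the program a task launches.

    Handles both a quoted path followed by arguments and an unquoted path.
    """
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split()[0] if cmd else ""
    return PureWindowsPath(path).name.lower()


def find_ioc_tasks(schtasks_csv: str) -> list[dict]:
    """Return the tasks whose launched executable is one of the IoC filenames."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        command = row.get("Task To Run", "")
        exe = executable_of(command)
        if exe in IOC_FILENAMES:
            hits.append({"task": row["TaskName"], "executable": exe, "command": command})
    return hits


def cleanup_commands(hits: list[dict]) -> list[str]:
    """Build the schtasks command that deletes each flagged task."""
    return [f'schtasks /delete /tn "{h["task"]}" /f' for h in hits]


def check_hash_inventory(inventory: dict[str, str]) -> list[str]:
    """inventory maps file path -> MD5 hex digest (e.g. from Get-FileHash -Algorithm MD5).

    Returns the paths whose digest is one of the IoC hashes, case-insensitively.
    """
    return [path for path, digest in inventory.items() if digest.lower() in IOC_MD5]


if __name__ == "__main__":
    hits = find_ioc_tasks(SAMPLE_CSV)
    for hit, cmd in zip(hits, cleanup_commands(hits)):
        print(f"[!] task {hit['task']} runs {hit['executable']}: {hit['command']}")
        print(f"    remove with: {cmd}")
    # Constructed inventory: a made-up path paired with one of the post's hashes.
    inventory = {r"C:\ProgramData\Updater\natsvc.exe": "ba269f032410c284b0b369b045a9fb9b"}
    print("hash matches:", check_hash_inventory(inventory))
```

On a real host, feed the script the output of `schtasks /query /fo CSV /v` and an inventory built with `Get-FileHash -Algorithm MD5`; delete the flagged tasks before removing the binaries, otherwise the task re-launches the dropper and the infection recurs, as the post notes.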

Read more: https://asec.ahnlab.com/en/68011/