Analysis Report on Malware – Disguised as Cracked Programs Targeting Korean Users
Overview
AhnLab SEcurity intelligence Center (ASEC) has discussed cases of Remote Access Trojan (RAT) and bitcoin miner attacks targeting Korean users in our ASEC blog post, “Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack” [1]. The attacker has continued to create and distribute malware up to the present, and according to our infrastructure more than 20,000 systems have been infected.
The malware is generally distributed disguised as cracked versions of legitimate programs, such as Microsoft Office, Windows license verification tools, and the Hangul word processor, and has infected many Korean systems. In addition, the attacker updates the malware by registering a scheduled task in infected systems. The registered task executes a PowerShell command that installs the malware. If the scheduled task is not removed, new malware continues to be installed on the system.
Because current AhnLab V3 products remove the scheduled task installed by the malware, the malware is not reinstalled even if the user later encounters another sample disguised as a cracked program. In environments that do not use V3, however, if the user removes only the malware and leaves the scheduled task in place, the system remains exposed to the installation of new malware. One of the installed components serves as an updater: the PowerShell commands it delivers keep changing, so even when the existing download address is blocked, infections continue.
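The persistence described above (a scheduled task whose action runs a PowerShell command that fetches and installs the next payload) can be hunted for directly on a suspect host. The following script is an added example written for this page; it is not ASEC's tooling or the malware's own code, and the regex patterns it matches against task command lines are an assumption chosen to illustrate common loader traits (encoded commands, download cmdlets, hidden windows, execution-policy bypass). It reports every matching task and, with -Remove, exports the task XML for the incident record before unregistering it.

```powershell
# Added example (not ASEC's tooling). Enumerates scheduled tasks whose action
# launches PowerShell with download/obfuscation switches and optionally removes
# them, which is the remediation the text says must accompany deleting the malware.
function Find-SuspiciousPowerShellTask {
    [CmdletBinding()]
    param(
        # Constructed heuristic patterns (assumption) matched against the command line.
        [string[]]$Patterns = @(
            '-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}',      # Base64-encoded command
            'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b', # remote fetch
            '\bIEX\b|Invoke-Expression',                             # in-memory execution
            '-w(indowstyle)?\s+hidden',                              # hidden console
            '-ep\s+bypass|-executionpolicy\s+bypass'                 # policy bypass
        ),
        # Directory where task definitions are exported before removal.
        [string]$EvidenceDir = "$env:ProgramData\TaskEvidence",
        [switch]$Remove
    )

    $findings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; COM-handler actions have no Execute.
            if (-not $action.Execute) { continue }
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -notmatch 'powershell|pwsh') { continue }
            $hits = @($Patterns | Where-Object { $cmd -match $_ })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    RunAs    = $task.Principal.UserId
                    State    = $task.State
                    Command  = $cmd
                    Matched  = ($hits -join ' | ')
                }
            }
        }
    }

    if ($Remove -and $findings) {
        New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
        foreach ($f in $findings) {
            # Preserve the task definition for IR, then unregister it so the
            # updater cannot pull a fresh payload after the malware is deleted.
            $safeName = ($f.TaskPath + $f.TaskName) -replace '[\\/:*?"<>|]', '_'
            Export-ScheduledTask -TaskName $f.TaskName -TaskPath $f.TaskPath |
                Set-Content -Path (Join-Path $EvidenceDir "$safeName.xml")
            Unregister-ScheduledTask -TaskName $f.TaskName -TaskPath $f.TaskPath -Confirm:$false
            Write-Verbose "Removed $($f.TaskPath)$($f.TaskName)"
        }
    }

    $findings
}

# Usage: report first, then remove after the list has been reviewed.
Find-SuspiciousPowerShellTask | Format-Table -AutoSize -Wrap
# Find-SuspiciousPowerShellTask -Remove -Verbose
```

Run the report form first: some legitimate administrative tasks also use `-WindowStyle Hidden` or `-ExecutionPolicy Bypass`, so review the Command and RunAs columns before re-running with -Remove. Because the page notes the PowerShell command and download address keep changing, the match is on launcher behaviour rather than on any specific URL.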
Malware Analysis
1. Attack Flow
The attack flow is similar to previous cases. In recent distribution cases, the malware was disguised as a Microsoft Office crack and distributed through webhard (cloud storage) or torrent sites. The differences from past cases are the addition of a step for obtaining the download addresses and a change in the platform to which the malware is uploaded. New malware has also been confirmed.

Figure 1. Attack Flow
[1] https://asec.ahnlab.com/en/45462/