Information Security

Malware Campaign Using Fake MS Office Crack Tool Spreads RAT, XMRig Miner, and 3Proxy Proxy

A recent ASEC report reveals that a malicious program disguised as the popular Office 2013‑2024 C2R Install crack tool distributes a .NET‑based malware suite that installs Orcus RAT, the XMRig cryptocurrency miner, and the 3Proxy proxy tool, primarily targeting Korean users and persisting via scheduled tasks and PowerShell updates.

IT Services Circle

A recent ASEC blog post titled “Using MS Office Crack Versions as Bait to Distribute Malware” reported a malicious program disguised as the well‑known Office 2013‑2024 C2R Install tool, which spreads remote‑access trojans, a cryptocurrency miner, and malicious downloaders.

The malware, developed in .NET, initially contacts Telegram or Mastodon to obtain a download URL, then retrieves Base64‑encoded data from Google Drive or GitHub, decrypts it, and executes PowerShell commands to install various payloads.

The component named software_reporter_tool.exe ensures persistence by registering itself in the Task Scheduler, allowing it to survive system reboots, and registers PowerShell scripts that further update the malware and install additional malicious software.

Embedded payloads include Orcus RAT, XMRig, and 3Proxy. Orcus RAT provides remote control, system information collection, command execution, file/registry/process manipulation, keylogging, webcam capture, and supports HVNC and RDP screen control.

XMRig is a cryptocurrency miner that pauses when system resources are heavily used (e.g., during gaming) to avoid detection.

3Proxy is an open‑source proxy tool; the malware adds port 3306 to firewall rules, injects 3Proxy into a legitimate process, and opens the port so attackers can abuse the infected machine as a proxy.
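The persistence and proxy behaviour described above leaves three host artefacts an analyst can check for: a scheduled task launching software_reporter_tool.exe or a hidden/encoded PowerShell updater, an inbound firewall rule opening port 3306, and a listener on that port owned by an unexpected process. The following hunting script is an added example, not code from ASEC or the article; the binary name and port come from the report, while the regex for PowerShell arguments and all output shapes are assumptions. Note that a legitimate Google Chrome component shares the name software_reporter_tool.exe and 3306 is MySQL's default port, so hits are leads for review, not verdicts.

```powershell
# Added hunting script (not from the ASEC report). Surfaces the three host
# artefacts described in the article for analyst review; run elevated.
$SuspectBinary = 'software_reporter_tool.exe'   # name from the report
$SuspectPort   = 3306                           # port from the report

function Get-SuspiciousTasks {
    # Scheduled tasks whose action launches the suspect binary, or runs
    # PowerShell hidden / with an encoded command (assumed updater pattern).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match [regex]::Escape($SuspectBinary) -or
                ($cmd -match 'powershell' -and $cmd -match '-enc|-w(indowstyle)?\s+hidden')) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Command = $cmd.Trim()
                    Author  = $task.Author
                }
            }
        }
    }
}

function Get-SuspiciousFirewallRules {
    # Enabled inbound allow rules whose port filter includes the suspect port.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$SuspectPort" } |
        Select-Object DisplayName, Profile, Description
}

function Get-ListenerOnPort {
    # Process owning a listener on the port. A legitimate-looking process here
    # (on a host that runs no database) matches the injected-proxy behaviour.
    Get-NetTCPConnection -State Listen -LocalPort $SuspectPort -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Pid = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path }
        }
}

"== Scheduled tasks =="
Get-SuspiciousTasks | Format-Table -AutoSize
"== Inbound firewall rules opening port $SuspectPort =="
Get-SuspiciousFirewallRules | Format-Table -AutoSize
"== Listener on port $SuspectPort =="
Get-ListenerOnPort | Format-Table -AutoSize
```

For a task hit, review the executable's full path and the task author; the real Chrome component lives under the Google user-data directory, so a copy elsewhere, or one paired with a PowerShell updater task, is what warrants escalation.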

The primary victims are Korean users; the malware repeatedly modifies configuration files in the installation folder to hinder security software operation.

The attackers posted a manifesto on social media stating they prefer “dangerous freedom over peaceful slavery.”

The article advises users to be cautious and to verify software sources, and notes that the original Office 2013‑2024 C2R Install tool was previously shared from a trusted source.

Tags: information security, malware, 3Proxy, Korean users, Office crack, Orcus RAT, XMRig
Written by IT Services Circle