Date: 2021-04-15

Pirated copies of Microsoft Office are available to anyone who runs a simple Internet search. The same goes for Adobe Photoshop, Windows and other popular software. Most of these copies are pirated with the usual ‘cracks’, and not all of them are harmless. An investigation by Bitdefender has revealed how some of them act as powerful malware.

Cracks are small, easy-to-use applications that are widely available on the Internet and have existed since the advent of commercial software. Installing them lets users remove or deactivate software protections and circumvent licensing so that the software can be used for free. “This activity, in addition to legal implications for the use of software without the authorization of the owner, also presents serious security risks”, Bitdefender explains.

It should be noted that using these files to pirate commercial software is illegal and is prosecuted under copyright regulations. That said, some large providers such as Microsoft have taken a fairly pragmatic stance for years, and these cracks are “allowed” at the user level as a lesser evil. They simply prefer to keep users (even if they are pirates) rather than see them move to Linux, Chrome OS or macOS. For them, it is better that people use a pirated Office than the existing legal and free alternatives. This is the only way to understand the availability and ease of use of these cracks, but be careful with security.

Pirated copies of Microsoft Office and others

The study by the cybersecurity specialist has found that, for the last three years, attackers have been stealing data and cryptocurrency from Monero wallets by installing powerful malware through cracks for various applications, including pirated copies of Microsoft Office and Adobe Photoshop CC.

The finding stems from the discovery of a series of attacks that use the installation of these cracks for office and image-editing tools to install backdoor malware that compromises PCs, stealing cryptocurrency wallets, and formerly leaking data through the TOR network. In more detail:

Backdoor malware is installed through which the cybercriminal gains full control of the device, so they can steal passwords, local files, PINs or any other credentials.

Monero wallets can be stolen. If the attacker identifies a Monero wallet stored on the device, they will be able to steal it, along with all the cryptocurrency it holds.

Firefox browser profiles can be hacked, allowing access to stored login passwords, browsing history, bookmarks, and session cookies.

This malicious campaign has been active since the second half of 2018.

It operates like typical malware. Once executed, the crack drops an instance of ncat.exe (a legitimate tool for sending raw data over the network), as well as a TOR proxy. A batch file is also placed on disk; it contains the command line for the Ncat component and cycles through ports 8000 to 9000 on a .onion domain.

These tools work together to create a back door that communicates with the command and control center through TOR. The crack creates persistence mechanisms for the TOR proxy file and the Ncat binary on the machine with a service and a scheduled task that runs every 45 minutes, respectively. Research carried out by Bitdefender reveals that, in all likelihood, requests are not sent to victims automatically, but rather the back door is used interactively by a human operator.
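A defender can turn the behaviour described above into a simple hunting check. The following is an added example, not code from Bitdefender or from the original article; the event layout, paths, host name and sample records are constructed assumptions, and only the indicators themselves (ncat.exe, a .onion destination, ports 8000 to 9000, a task repeating every 45 minutes) come from the text.

```python
import re
import xml.etree.ElementTree as ET

# Signals come from the article's description; every path, host name and
# record below is constructed for illustration and is not real telemetry.
ONION = re.compile(r"[a-z0-9-]+\.onion\b", re.I)

def score_process(image, cmdline):
    """Return the article-derived signals present in one process-creation event."""
    hits = []
    if image.lower().replace("/", "\\").split("\\")[-1] == "ncat.exe":
        hits.append("ncat-binary")
    if ONION.search(cmdline):
        hits.append("onion-destination")
    tokens = re.split(r"[\s:]+", cmdline)
    if any(t.isdigit() and 8000 <= int(t) <= 9000 for t in tokens):
        hits.append("port-8000-9000")
    return hits

def score_task(task_xml):
    """Flag a Task Scheduler XML export that repeats every 45 minutes."""
    root = ET.fromstring(task_xml)
    # Strip the XML namespace so elements can be looked up by local name.
    text = {el.tag.split("}")[-1]: (el.text or "").strip() for el in root.iter()}
    hits = []
    if text.get("Interval") == "PT45M":  # ISO 8601 duration: 45 minutes
        hits.append("repeat-45-min")
    if re.search(r"ncat|\.bat\b", text.get("Command", ""), re.I):
        hits.append("runs-ncat-or-batch")
    return hits

def triage(procs, task_xml):
    """Return images showing all three process signals, plus the task findings."""
    flagged = [img for img, cmd in procs if len(score_process(img, cmd)) == 3]
    return flagged, score_task(task_xml)

SAMPLE_PROCS = [  # constructed (image, command line) pairs
    (r"C:\Users\a\AppData\Roaming\x\ncat.exe",
     "ncat.exe --proxy 127.0.0.1:9050 placeholderhost.onion 8123"),
    (r"C:\Program Files (x86)\Nmap\ncat.exe", "ncat.exe 10.0.0.5 22"),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]
SAMPLE_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><TimeTrigger><Repetition><Interval>PT45M</Interval></Repetition>
</TimeTrigger></Triggers><Actions><Exec>
<Command>C:\Users\a\AppData\Roaming\x\run.bat</Command></Exec></Actions></Task>"""

if __name__ == "__main__":
    print(triage(SAMPLE_PROCS, SAMPLE_TASK))
```

Matching on the file name alone is weak, since Ncat is a legitimate tool and a binary can be renamed; the combination of a .onion destination, the port range and the 45-minute task is what makes a hit worth investigating.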

In summary, cybercriminals gain total control of the personal computers on which they manage to install these cracks, which are supposedly there to pirate commercial software but arrive with a ‘gift’ included. Although subscription software services that require an active Internet connection have limited the use of warez, there are still millions of machines on which they are installed. Be cautious if you use them. Or better yet, if you can’t afford commercial software, look for free alternatives instead of using pirated copies of Microsoft Office: they exist, they are very good, and they cover every field of use.