ESET: Malicious torrents attacks on viewers

ESET researchers have discovered and analyzed an ongoing malicious campaign, which distributes a backdoor via torrents, using Korean television content (movies, shows) and often games as bait.

The backdoor has spread through South Korean torrent sites and ς. Το malware επιτρέπει στον εισβολέα να συνδέσει τον παραβιασμένο υπολογιστή σε ένα botnet και να τον ελέγχει από απόσταση.


This malware is a modified version of GoBot2, a publicly available backdoor. The source code modifications mainly concern escape techniques specifically for use in South Korea. As the campaign clearly targets that country, ESET has named GoBotKR the specific version of Win64 / GoBot2. According to ESET telemetry, GoBotKR is active by 2018. South Korea is the country with the most attacks (80% of detections), followed by China (10%) and Taiwan (5%).

"The cybercriminals behind this campaign are trying to trick users into running the malware by placing traps in torrents with malicious files that have misleading names , και εικονίδια”, λέει η ερευνήτρια της ESET, Zuzana Hromcova, που ανέλυσε το κακόβουλο λογισμικό.

No malicious action will occur directly by opening the MP4 file. The trap here is that the MP4 file is often hidden in a different directory, and users may first encounter the malicious file that mimics it.

According to ESET, the malware is not particularly technically complex. However, the cybercriminals behind GoBotKR are building a network of bots, which can then be used to various types of DDoS attacks. Therefore, after its execution, GoBotKR first collects system information about the compromised computer, such as network settings, OS version information, CPU and GPU.

Specifically, it collects a list of installed antivirus products. This information is sent to a C&C server, which helps intruders determine which bots can be used in the respective attacks. "All the C&C servers found through the malware samples analyzed were found to be hosted in South Korea and registered by the same person," Hromcova explained in her research.

The bot has many features, such as allowing abuse of the compromised computer, or enabling botnet operators to further control or extend the botnet. It also allows to avoid detection and concealment by the user.

Among other supported commands are the ability to direct a DDoS attack to specific victims, copy the malware to attached removable media or public cloud storage service folders (Dropbox, OneDrive, Drive), καθώς και η εμφύτευση torrents με το κακόβουλο αρχείο ως μέσο για την περαιτέρω επέκταση του botnet.

In terms of research, GoBotKR is particularly interested in its escape techniques, which have been adapted to target South Korea. Specifically, malware scans processes running on the compromised system to detect specific antivirus products, including the products of a South Korean security solution company.

If any of the products are found, they are terminated. Another escape technique detects system-running analytics tools, again targeting the same South Korean security firm. In the third avoidance technique, the intruders misused legitimate South Korean electronic platforms to determine the victim's IP address.

"Overall, the modifications show us that the attackers are adapting the malware to a specific audience while also making extra efforts to prevent it from being detected," Hromcova concludes.

More details about GoBotKR and its features can be found in the ESET blogpost «Malicious campaign targets South Korean users with backdoor-laced torrents"At

______________ The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new posts by email.

Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).