ESET researchers have discovered and analyzed a malicious campaign in progress, which distributes a backdoor via torrents, using Korean TV content (movies, shows) and often games as bait.
The backdoor has spread through South Korean torrent sites and China. Το malware επιτρέπει στον εισβολέα να συνδέσει τον παραβιασμένο computer into a botnet and control it remotely.
This malware is a modified version of GoBot2, a publicly available backdoor. The source code modifications mainly concern escape techniques specifically for use in South Korea. As the campaign clearly targets that country, ESET has named GoBotKR the specific version of Win64 / GoBot2. According to ESET telemetry, GoBotKR is active by 2018. South Korea is the country with the most attacks (80% of detections), followed by China (10%) and Taiwan (5%).
"The cybercriminals behind this campaign are trying to trick users into running malware by placing malicious files with malicious file names, extensions and icons in the content of torrents," said ESET researcher Zuzana. Hromcova, who analyzed the malware.
No malicious action will occur directly by opening the MP4 file. The trap here is that the MP4 file is often hidden in a different directory, and users may first encounter the malicious file that mimics it.
According to ESET, malware is not technically complex. However, the cybercriminals behind GoBotKR are building a network of bots, which can then be used to carry out various types of DDoS attacks. Therefore, after running, GoBotKR first collects system information about the affected computer, such as network settings, operating system release information, CPU, and GPU.
Specifically, it collects a list of installed productantiviruses. This information is sent to a C&C server, which helps attackers determine which bots can be used in their respective attacks. "All C&C servers found through the malware samples analyzed were found to be hosted in South Korea and registered by the same person," Hromcova explains in her research.
The bot has many features, such as allowing abuse of the compromised computer, or enabling botnet operators to further control or extend the botnet. It also allows to avoid detection and concealment by the user.
Other supported commands include the ability to direct a DDoS attack on specific victims, copy the malware to connected removable media or to public cloud storage services folders (Dropbox, OneDrive, Google Drive), as well as implanting torrents with the malicious file as a means of further expanding the botnet.
From a research perspective, GoBotKR is of particular interest for its evasion techniques, which were adapted to target South Korea. Specifically, the malware scans processes running on the compromised system to detect specific antivirus products, including those of a companyof South Korea's security solutions.
If any of the products are found, they are terminated. Another escape technique detects system-running analytics tools, again targeting the same South Korean security firm. In the third avoidance technique, the intruders misused legitimate South Korean electronic platforms to determine the victim's IP address.
"Overall, the modifications show us that the attackers are adapting the malware to a specific audience while also making extra efforts to prevent it from being detected," Hromcova concludes.
More details about GoBotKR and its features can be found in the ESET blogpost «Malicious campaign targets South Korean users with backdoor-laced torrents"At WeLiveSecurity.com.
______________
- Cloudflare what the end of 8chan support for pirate sites means
- Watch List ready European piracy watch list ready
- Online Piracy: The story of piracy before the World Wide Web