A variant of GoBot2 backdoor includes Korean victims into a DDoS botnet, allows remote code execution
Security researchers at ESET recently uncovered a new malware campaign that targets South Korean TV show and movie torrent websites. The backdoor allows the attackers to execute arbitrary code on the infected machine and attach it to the DDoS botnet network.
Written in GoLang programming language, GoBot2 malware was first spotted back in March 2017 targeting South Korea, Taiwan, and China and has been publicly available to be utilized by cybercriminal groups ever since. The on-going campaign was first spotted in May 2018 and was dubbed Win64/GoBot2 variant GoBotKR due to its prevalence in South Korea.
However, the recently analyzed sample by ESET is a modified version of the backdoor, specially crafted to evade South Korean avoidance techniques. The added features include the execution of the malicious code with the help of legitimate Windows binaries combined with external clients like uTorrent or BitTorrent.
The malicious payload is hidden in a renamed EXE file
Torrent sites are known to distribute a variety of malware, and a variety of techniques can be used in order to inject the malicious code. Peer-to-peer networks usually are poorly regulated, as malicious ad space can be bought by threat actors to exploit known vulnerabilities, and unknown groups place the alleged torrent files with the embedded malware payload.
In this case, the attackers booby-trap the malware inside the supposed TV show, movie or a video game directory, as explained by ESET's malware analyst Zuzana Hromcová:
The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions and icons. Our analysis shows that the torrents using a movie/TV show disguise generally contain the following types of files:
- The expected MP4 file
- A malicious executable masked as a PMA archive file with a filename mimicking various codec installers
- A malicious LNK file with a filename and icon mimicking the expected video file
Hackers hide the original MP4 file of the downloaded video under a different folder, and opening it directly would not infect the computer with GoBotKR. However, because users do not see the executable (.exe) file visually, they do not have any suspicions and would open the LNK file, which would trigger the PMA file and install the malicious payload.
To make everything less suspicious, malware will indeed launch the intended video, but the malicious file will be executed in the background. Additionally, the PMA file is always presented as an alleged codec for the movie file under such names as WedCodec.pma or Codec.pma.
As soon as the malware code is executed, it contacts a Command and Control server controlled by hackers, and sends out the following technical details:
- OS version
- Network configuration.
This allows the attackers to generate a network of bots that can perform targeted DDoS attacks (Slowloris, SYN Flood, UDP Flood), and easily control any machine in the chain. All the analyzed C&C servers were registered to the same person and were located in South Korea.
The “seed torrents” feature converts the compromised machine into a malware distribution hub
ESET researchers provided a variety of GoBotKR capabilities in the report, including script/command execution, self-termination, alternation of browser settings as well as desktop background, running of the HTTPS server, disable/enable of Command Prompt, process kill, Firewall settings change, etc.
However, possibly the most interesting and key feature of the malware is seeding torrents potential. According to ESET's analysis, it allows to convert the host machine into malware distributor:
The “seed torrents” command allows the attackers to misuse the victimized machines for seeding arbitrary files using the BitTorrent and uTorrent programs, even if these are not already installed on the system. This may be used as a mechanism to distribute the malware further.