Author Topic: Backdoored Torrents Infect Movie, TV Fans with GoBot2 Malware  (Read 452 times)

Offline javajolt

TV show and movie fans are being targeted by a malicious campaign that distributes a GoBot2 backdoor variant via files downloaded from several South Korean and Chinese torrent sites.

The malware dubbed GoBotKR by the ESET researchers who discovered it is being disseminated as part of a campaign started back in May 2018, with hundreds of samples having already been detected on the compromised computers of users from South Korea, China, and Taiwan.

GoBotKR has been developed to specifically target South Korean fans and this is shown by the South Korea-specific evasion techniques added to the original GoBot2 backdoor.

The GoLang-based GoBotKR backdoor is built by customizing the GoBot2 malware, which has been publicly available since March 2017. The added features are implemented with GoLang libraries and are executed on compromised computers with the help of legitimate Windows binaries and "third-party utilities such as BitTorrent and uTorrent clients."

Used for seeding torrents, DDoS attacks

After infecting a victim's PC, the backdoor allows its operators to add the compromised machine to "a network of bots that can then be used to perform DDoS attacks of various kinds (e.g. SYN Flood, UDP Flood, or Slowloris)."

To do that, it starts by gathering system information (e.g., network and OS version details, CPU and GPU models, and installed anti-malware solutions) and exfiltrating it to its command-and-control (C2) servers, which lets the attackers cherry-pick which bots to use in future attacks. Beyond that, the bot offers a long list of other capabilities, from executing commands and scripts to running proxy/HTTP servers.

Once added to the botnet, each of the bots can be used by the campaign operators in DDoS attacks — the main purpose behind the GoBotKR botnet according to the ESET research team — and for seeding torrents as a simple method to further spread the infection to other targets.


Scanning for running processes

Even though this newly discovered backdoor malware inherits some of its anti-analysis and evasion techniques from the GoBot2 malware, it also adds evasion methods specifically tailored for South Korean targets such as checking for the bot's IP address using the Naver and Daum platforms instead of Amazon Web Services and dnsDynamic.

It will also check whether any antivirus or analysis software from a hard-coded list is running on the compromised computer; if one is found, the malware terminates itself automatically and removes its traces.

Mimicry used in the infection process

The threat actors add an LNK file to the downloaded folders that is designed to execute the malware payload. The payload is delivered as a malicious PMA archive, which is simply a renamed EXE file intended to avoid raising red flags, camouflaged under names that mimic video codec installers.

To trick targets into opening the LNK files, they have filenames that mimic ones the victims would expect the videos to have, with identically named MP4 videos being hidden inside another folder.

Users who manage to find the hidden MP4 files and play them are unaffected, but those who fall for the trick and double-click the LNK files execute the malware in the background, while the hidden video is opened in the foreground to mask the malicious activity.


Contents of malicious torrents

"Further increasing the chance of users falling for the lure is the fact that the extension of the LNK file is normally not displayed when viewed in Windows Explorer," adds ESET's research team.

The PMA executable archive uses different names depending on the torrent it is embedded in: starcodec.pma, WedCodec.pma, or Codec.pma when part of a TV show or movie torrent, and leak.dll when planted inside a pirated game torrent.
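The two lures described in this section (a .lnk named after a video whose real copy is hidden in another folder, and a "codec" file such as starcodec.pma that is actually a renamed Windows executable) can be spotted with a simple triage pass over a download folder. The following script is an added defender-side example, not code from the article or from ESET; the folder layout it builds is a constructed fixture, and the flagged extensions and names are taken from the article.

```python
import tempfile
from pathlib import Path

VIDEO_EXTS = {".mp4", ".mkv", ".avi"}
LURE_EXTS = {".pma", ".dll"}   # names seen in the campaign: *.pma, leak.dll


def is_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS header of a Windows executable."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_torrent_folder(root) -> list[tuple[str, str]]:
    """Return (relative path, reason) for every suspicious file under root."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    # names of real video files, wherever they are hidden in the tree
    video_names = {p.name for p in files if p.suffix.lower() in VIDEO_EXTS}
    findings = []
    for p in files:
        rel = str(p.relative_to(root))
        ext = p.suffix.lower()
        if ext == ".lnk":
            # Explorer hides .lnk, so "Show.E01.mp4.lnk" is displayed as "Show.E01.mp4"
            if p.stem in video_names:
                findings.append((rel, "LNK shares its name with a video file elsewhere in the folder"))
            elif Path(p.stem).suffix.lower() in VIDEO_EXTS:
                findings.append((rel, "LNK carries a video double extension"))
        elif ext in LURE_EXTS and is_pe(p):
            findings.append((rel, "renamed Windows executable (MZ header)"))
    return findings


def build_fixture() -> str:
    """Constructed sample layout (not real samples) mirroring the described torrent."""
    d = Path(tempfile.mkdtemp())
    (d / "hidden").mkdir()
    (d / "hidden" / "Show.E01.mp4").write_bytes(b"\x00" * 16)        # the real, hidden video
    (d / "Show.E01.mp4.lnk").write_bytes(b"L\x00\x00\x00fake-lnk")      # the lure shortcut
    (d / "starcodec.pma").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)    # renamed EXE payload
    (d / "readme.txt").write_text("benign")
    return str(d)


if __name__ == "__main__":
    for path, reason in scan_torrent_folder(build_fixture()):
        print(f"{path}: {reason}")
```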

A full list of indicators of compromise (IOCs) is available at the end of ESET's GoBotKR report, including domains of C2 servers used by the attackers behind this campaign, malware sample hashes for multiple backdoor versions, and a table of MITRE ATT&CK Techniques used throughout the campaign.
