A botnet dubbed GoBotKR is targeting fans of Korean TV, compromising computers via pirated copies of South Korean movies, games and TV shows available via Korean and Chinese torrent sites. Ultimately, the cybercriminals are building a network that can then be used to perform DDoS attacks of various kinds, according to an analysis from ESET.
While the torrents purport to be pirate versions of real content, they actually contain two malicious files (with deceptive filenames, extensions and icons), in addition to the expected MP4 file. The first is a malicious executable masked as a PMA archive file, with a filename mimicking various codec installers, according to ESET. The second is a malicious LNK file with a filename and icon mimicking the expected video file.
Clicking on the latter executes the malware, while also opening the MP4 and playing the expected content.
“Directly opening the intended MP4 file will not result in any malicious action,” the researchers said in a posting on Monday. “The catch here is that the MP4 file is often hidden in a different directory, and users might encounter the malicious LNK file mimicking it first. Further increasing the chance of users falling for the lure is the fact that the extension of the LNK file is normally not displayed when viewed in Windows Explorer.”
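As an added example (not code from ESET's report or this article), here is a defender-side check in Python that flags the two lure patterns described above on a finished download: an LNK file whose visible name mimics the video, and a PE executable hiding behind a non-executable extension such as .pma. The sample files it builds are constructed for the demo, and the magic-byte values are assumed from the public LNK and PE format specs rather than taken from the article.

```python
import tempfile
from pathlib import Path
from typing import List, Optional

# Magic bytes of the two file types the lure relies on (assumed from the
# public format specs; the article itself gives no byte values).
LNK_MAGIC = bytes.fromhex("4C000000")   # shell link HeaderSize == 0x4C
PE_MAGIC = b"MZ"                        # DOS stub of every PE executable
MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mp3"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}

def classify(path: Path) -> Optional[str]:
    """Return a finding if the file matches one of the two lure patterns, else None."""
    with open(path, "rb") as f:
        head = f.read(4)
    ext = path.suffix.lower()
    # Pattern 1: a .lnk named like "show.mp4.lnk"; Explorer hides ".lnk", so the user sees "show.mp4".
    if ext == ".lnk" and head == LNK_MAGIC:
        inner = Path(path.stem).suffix.lower()
        if inner in MEDIA_EXTS:
            return f"LNK masquerading as {inner} file: {path.name}"
        return f"shortcut shipped with download: {path.name}"
    # Pattern 2: a PE executable carrying a non-executable extension (e.g. .pma).
    if head[:2] == PE_MAGIC and ext not in EXEC_EXTS:
        return f"PE executable with deceptive extension {ext or '(none)'}: {path.name}"
    return None

def scan_download(directory: Path) -> List[str]:
    """Walk a finished download and collect findings from every regular file."""
    findings = []
    for p in sorted(directory.rglob("*")):
        if p.is_file() and (result := classify(p)):
            findings.append(result)
    return findings

def build_sample_download(root: Path) -> Path:
    """Constructed sample laid out like the article describes (not real malware samples)."""
    (root / "Drama.E01.mp4.lnk").write_bytes(LNK_MAGIC + b"\x01\x14\x02\x00" + b"\x00" * 24)
    (root / "Codec.Installer.pma").write_bytes(PE_MAGIC + b"\x90" * 62)
    (root / "extras").mkdir()           # the genuine MP4 is tucked away in a subfolder
    (root / "extras" / "Drama.E01.mp4").write_bytes(b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16)
    return root

def demo() -> List[str]:
    """Build the constructed sample in a temp dir and scan it; returns the findings."""
    return scan_download(build_sample_download(Path(tempfile.mkdtemp())))

if __name__ == "__main__":
    print("\n".join(demo()))
```

The genuine MP4 in the subfolder produces no finding, which is the point: only the two decoys trip the checks.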
After being executed, GoBotKR collects system information about the compromised computer, including network configuration, OS version information, CPU and GPU versions, along with a list of installed antivirus software. Researchers said that the intel is then sent to the command-and-control (C2) server, to help the attackers determine which bots should be used in various attacks.
GoBotKR can also receive a “seed torrents” command, which allows the attackers to misuse the victimized machines for seeding arbitrary files using the BitTorrent and uTorrent programs: “This may be used as a mechanism to distribute the malware further,” researchers noted.
The malware is a revamped version of a known backdoor named GoBot2, according to ESET. The code is straightforward, they added, with most features implemented with the use of GoLang libraries, and by executing Windows commands and third-party utilities, such as BitTorrent and uTorrent clients.
“The modifications to the source code are mainly South Korea-specific evasion techniques,” the researchers said. These include using the IP information of the compromised computer to detect whether it is running in Korea-specific security sandboxes, and scanning running processes on the compromised system to detect selected antivirus products. If any of the products are detected, the malware terminates itself and removes some traces of its activity from the host. The list of detected processes includes products by AhnLab, a South Korean security company.
The botnet is indicative of a coding trend being used by threat actors, ESET researchers added. “Both the original and the modified version are written in GoLang, also known as Go,” they said. “While still relatively rare for malware, new variants of GoLang malware are emerging, likely due to the challenges posed to analysts with the bulky nature of its compiled executables.”
They added that since March 2018, GoBotKR has swelled in size (though they didn’t quantify the number of compromised endpoints). The bots are located mostly in South Korea (80 percent), China (10 percent) and Taiwan (5 percent).
Pirated content has been a well-known vector for spreading all kinds of malware for quite some time. In April, Kaspersky released a report that found that illegal downloads of HBO’s Game of Thrones accounted for 17 percent of all infected pirated content in the last year. And in Aug. 2018, researchers at ESET said they found DDoS modules had been added to a Kodi third-party add-on.
“To steer clear of similar attacks in the future, stick to official sources when downloading content,” according to ESET. “Before launching downloaded files, pay attention to whether their extensions match the intended filetypes. To keep your computer protected, we advise you to patch regularly and use reputable security software.”