ESET researchers have discovered a malicious campaign distributing a backdoor via torrents, with Korean TV content used as a lure.
Fans of Korean TV should be on the lookout for an ongoing campaign spreading malware via torrent sites, using South Korean movies and TV shows as a guise. The malware allows the attacker to connect the compromised computer to a botnet and control it remotely.
The malware is a modified version of a publicly available backdoor named GoBot2. The modifications to the source code are mainly South Korea-specific evasion techniques, which are described in detail in this blogpost. Due to the campaign’s clear focus on South Korea, we have dubbed this Win64/GoBot2 variant GoBotKR.
According to ESET telemetry, GoBotKR has been active since March 2018. The detections are in the hundreds, with South Korea being the most affected (80%), followed by China (10%) and Taiwan (5%).
GoBotKR has been spreading via South Korean and Chinese torrent sites, masquerading as Korean movies and TV shows, as well as some games.
The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions and icons. Our analysis shows that the torrents using a movie/TV show disguise generally contain the following types of files:
- The expected MP4 file
- A malicious executable masked as a PMA archive file with a filename mimicking various codec installers
- A malicious LNK file with a filename and icon mimicking the expected video file
Figure 1 shows examples of torrent contents from this malicious campaign.
So how exactly do users get compromised?
Directly opening the intended MP4 file will not result in any malicious action. The catch here is that the MP4 file is often hidden in a different directory, and users might encounter the malicious LNK file mimicking it first. Further increasing the chance of users falling for the lure is the fact that the extension of the LNK file is normally not displayed when viewed in Windows Explorer, as seen in the second screenshot in Figure 1, in the file with the Korean name.
Clicking on the deceptive LNK file executes the malware. However, it also opens the intended file (in this case a video), giving victims little reason to suspect something has gone wrong.
Renaming the malicious EXE file to a PMA file is also likely done to prevent raising suspicion of potential victims. We have also seen this technique using games as a lure, and with filenames and extensions relevant to gaming.
During our investigation, we have seen the following filenames being used for the malicious executables: starcodec.pma, WedCodec.pma and Codec.pma (movie/TV show disguise) and leak.dll (game disguise). The name “starcodec” mimics the legitimate Korean codec pack Starcodec.
GoBotKR was built on the basis of a backdoor named GoBot2, the source code of which has been publicly available since March 2017. Both the original and the modified version are written in GoLang, also known as Go. While still relatively rare for malware, new variants of GoLang malware are emerging, likely due to the challenges posed to analysts with the bulky nature of its compiled executables.
The functionality of GoBotKR largely overlaps with the published GoBot2 source code, with only minimal modifications. Overall, the malware is not particularly complex technically, and the implementation is rather straightforward. Most features are implemented with the use of GoLang libraries, and by executing Windows commands (such as cmd, ipconfig, netsh, shutdown, start, systeminfo, taskkill, ver, whoami, and wmic), and third-party utilities such as BitTorrent and uTorrent clients.
Ultimately, the actors behind GoBotKR are building a network of bots that can then be used to perform DDoS attacks of various kinds (e.g. SYN Flood, UDP Flood, or Slowloris). Therefore, after being executed, GoBotKR first collects system information about the compromised computer, including network configuration, OS version information, CPU and GPU versions. In particular, it collects a list of installed antivirus software.
This information is sent to a C&C server, which helps the attackers determine which bots should be used in the respective attacks. All C&C servers that we extracted from the analyzed malware samples are hosted in South Korea and registered by the same person.
Once communication with the C&C server is established, the server instructs the compromised computer with backdoor commands. GoBotKR supports fairly standard botnet functions, which mostly serve three main purposes:
- allowing misuse of the compromised computer
- allowing the botnet operators to control, or further extend, the botnet
- evading detection or hiding from the user
These are the supported commands:
- carry out a DDoS attack on a specified victim
- access a URL
- execute a file, a command, a script
- update, terminate or uninstall itself
- shutdown/reboot/log off the computer
- change homepage in IE
- change desktop background
- seed torrents
- copy itself to connected removable media, and setup AutoRun function
- copy itself to public folders of cloud storage services (Dropbox, OneDrive, Google Drive)
- run a reverse proxy server
- run an HTTP server
- change firewall settings, edit hosts file, open a port
- enable/disable Task Manager
- enable/disable Windows registry editors
- enable/disable Command Prompt
- kill a process
- hide a process window
Of particular interest are two commands – seeding torrents and DDoS capability.
The “seed torrents” command allows the attackers to misuse the victimized machines for seeding arbitrary files using the BitTorrent and uTorrent programs, even if these are not already installed on the system. This may be used as a mechanism to distribute the malware further.
The “carry out a DDoS attack” command lets attackers abuse the victim’s network bandwidth to block the availability of targeted services, such as websites. According to our analysis, this is most likely the main purpose of the GoBotKR botnet.
In this section, we explore the evasion techniques used by the GoBotKR backdoor. While many techniques were already present in the publicly available source code, the authors of GoBotKR further expanded them with South Korea-specific features. This shows us that the attackers customized the malware for a specific audience, while taking extra effort to remain undetected in their campaign.
Techniques taken from GoBot2
The following detection evasion and anti-analysis techniques used by GoBotKR have been adopted from GoBot2 source code:
- The malware installs two instances of itself on the system. The second instance (watchdog) monitors whether the first instance is still active and reinstalls it if it has been removed from the system.
- The malware employs antivirus bypass techniques (it allocates large chunks of memory and delays execution of the malicious payload to prevent antivirus engines from emulating the code due to resource constraints).
- The malware can detect selected security and analytical tools, such as debuggers. If detected, it terminates itself.
- The malware terminates itself if IP information of the victim suggests one of several blacklisted organizations (e.g. Amazon, BitDefender, Cisco, ESET). It uses external legitimate websites for querying IP information and searches for hardcoded strings in this information (e.g. “cloud”, “Cisco”, “Microsoft”), rather than using API functions.
- The malware terminates itself if its file name consists of 32 hexadecimal characters, which prevents the payload from being executed in some automated sandboxes.
South Korea-specific modifications in GoBotKR
The authors of GoBotKR added three new evasion techniques, related to their focus on South Korea:
- As explained in the previous section, the malware uses IP information of the compromised computer to detect whether it is running in one of the blacklisted organizations. In GoBot2, the IP address of the victim is determined by accessing Amazon Web Services or dnsDynamic and parsing the reply.
In the samples of GoBotKR we analyzed, these URLs are replaced with South Korean online platforms Naver and Daum.
- GoBotKR features a new evasion technique that scans running processes on the compromised system to detect selected antivirus products (listed in Table 1). If any of the products are detected, the malware terminates itself and removes some traces of its activity from the host. The list of detected processes includes products by AhnLab, a South Korean security company.
|Process name substring||Associated company/product|
|V3Lite||AhnLab, V3 Internet Security|
|V3Clinic||AhnLab, V3 Internet Security|
|RwVnSvc||AhnLab Anti-Ransomware Tool|
|360||360 Total Security|
|kwsprotect||Kingsoft Internet Security|
Table 1. List of security products detected by GoBotKR
- The malware tries to detect analytical tools running on the system. It terminates itself if any of them are detected. The list is internally named “ahnNames”, which might be another reference to AhnLab.
In addition to the AhnLab references, the defensive techniques described in the second and third points were added into the source code as a file named AhnLab.go, according to the metadata we obtained from the malware.
Because the malware is spreading via torrents, a lot of the samples are broken or incomplete. We were, however, able to recover C&C servers and internal version information.
Since the malware was first seen, we have detected samples with internal versions 2.0, 2.3, 2.4, and 2.5. Each of these versions comes with some minor technical improvements or differences in implementation. The versioning differs from that used in the GoBot2 source code, where an internal name “ArchDuke” is used.
Table 2 lists the different versions of GoBotKR detected by ESET systems from May 2018 to the time of writing. The timeline features the malware’s internal versioning and detection dates, as PE timestamps have been cleared from the samples.
|First seen||Internal version||Functionality linked to South Korea||C&C server|
Table 2. GoBotKR version timeline
As seen in the table, the first malware samples detected in May 2018 were not yet customized for South Korean targets and were thus almost identical to the GoBot2 source code. However, we were able to link them to newer samples because they used the same C&C server.
How to stay safe
If you suspect you might have fallen victim to this malware campaign, we recommend you scan your computer with a reliable security solution. ESET products detect and block this malware under the detection name Win64/GoBot2. You can use ESET’s Free Online Scanner to check your computer for the presence of this threat and remove anything that is detected. Existing ESET customers are protected automatically.
Pirated content distributed via torrent sites is a well-known vector for spreading all kinds of malware. To steer clear of similar attacks in the future, stick to official sources when downloading content. Before launching downloaded files, pay attention to whether their extensions match the intended filetypes. To keep your computer protected, we advise you to patch regularly and use reputable security software.
Indicators of Compromise (IoCs)
ESET detection name
Note that some malware samples may be corrupted due to the nature of its distribution mechanism (torrents).
The registry key used by GoBotKR is a subkey under [HKCU\SOFTWARE] with a variable name from a hardcoded list, mostly mimicking legitimate software names.
The following registry values are used:
MITRE ATT&CK Techniques
|Initial Access||T1189||Drive-by Compromise||GoBotKR has been distributed through torrent file-sharing websites to South Korean victims, using games or Korean movie/TV series as a lure.|
|Execution||T1059||Command-Line Interface||GoBotKR uses cmd.exe to execute commands.|
|T1064||Scripting||GoBotKR can download and execute scripts .|
|T1204||User Execution||GoBotKR makes their malware look like the torrent content that the user intended to download, in order to entice a user to click on it.|
|Persistence||T1060||Registry Run Keys / Startup Folder||GoBotKR installs itself under registry run keys to establish persistence.|
|T1053||Scheduled Task||GoBotKR schedules a task that adds a registry run key to establish malware persistence.|
|Privilege Escalation||T1088||Bypass User Account Control||GoBotKR attempts to bypass UAC using Registry Hijacking.|
|Defense Evasion||T1140||Deobfuscate/Decode Files or Information||GoBotKR has used base64 to obfuscate strings, commands and files.|
|T1089||Disabling Security Tools||GoBotKR may use netsh to add local firewall rule exceptions.|
|T1158||Hidden Files and Directories||GoBotKR stores itself in a file with Hidden and System attributes.|
|T1070||Indicator Removal on Host||GoBotKR removes the Zone identifier from the ADS (Alternate Data Streams) of the file, to conceal the fact the file has been downloaded from the internet.|
|T1036||Masquerading||GoBotKR uses filenames and registry key names associated with legitimate software.|
|T1112||Modify Registry||GoBotKR stores its configuration data in registry keys.
GoBotKR can modify registry keys to disable Task Manager, Registry Editor and Command Prompt.
|T1027||Obfuscated Files or Information||GoBotKR uses base64 to obfuscate strings, commands and files.|
|T1108||Redundant Access||GoBotKR installs a second copy of itself on the system, which monitors and reinstalls the primary copy if it has been removed.|
|T1497||Virtualization/Sandbox Evasion||GoBotKR performs several checks on the compromised machine to avoid being emulated or executed in a sandbox.|
|Discovery||T1063||Security Software Discovery||GoBotKR checks for processes associated with security products and debugging tools, and terminates itself if any are detected. It can enumerate installed antivirus software using the wmic command.|
|T1082||System Information Discovery||GoBotKR uses wmic, systeminfo and ver commands to collect information about the system and the installed software.|
|T1016||System Network Configuration Discovery||GoBotKR uses netsh and ipconfig to collect information about the network configuration. It has used Naver and Daum portals to obtain the client IP address.|
|T1033||System Owner/User Discovery||GoBotKR uses whoami to obtain information about the victimized user. It runs tests to determine the privilege level of the compromised user.|
|T1124||System Time Discovery||GoBotKR can obtain the date and time of the compromised system.|
|Lateral Movement||T1105||Remote File Copy||GoBotKR attempts to copy itself into public folders of cloud storage services (Google Drive, Dropbox, OneDrive).
It is also able to spread itself by instructing the compromised machine to seed torrents with the malicious file.
|T1091||Replication Through Removable Media||GoBotKR can drop itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.|
|Collection||T1113||Screen Capture||GoBotKR is capable of capturing screenshots.|
|Command and Control||T1090||Connection Proxy||GoBotKR can be used as a proxy server.|
|T1132||Data Encoding||The communication with the C&C server is base64 encoded.|
|T1105||Remote File Copy||GoBotKR can download additional files and update itself.|
|T1071||Standard Application Layer Protocol||GoBotKR uses HTTP or HTTPS for C&C.|
|T1065||Uncommonly Used Port||GoBotKR uses non-standard ports, such as 6446, 6556 and 7777, for C&C.|
|Impact||T1499||Endpoint Denial of Service||GoBotKR has been used to execute endpoint DDoS attacks – for example, TCP Flood or SYN Flood.|
|T1498||Network Denial of Service||GoBotKR has been used to execute network DDoS.|
|T1496||Resource Hijacking||GoBotKR can use the compromised computer’s network bandwidth to seed torrents or execute DDoS.|