GoBotKR, a variant of Win64/GoBot2, is targeting South Korean TV torrent sites and gives its operators remote control over compromised devices. Whoever is behind the campaign appears to be assembling an army of bots to carry out DDoS attacks, among other malicious activities. “The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions, and icons,” said researchers. Opening the genuine MP4 file bundled in the torrent has no immediate consequences, but in this campaign the real MP4 is hidden in a separate directory, so users are more likely to come across the malicious look-alike file first.

GoBotKR collects system information such as network configuration, OS version, CPU and GPU details, and a list of installed antivirus software, and sends it to a C&C server. The attackers use this information to decide which bots to use for further attacks. All of the C&C servers in the samples pulled and analyzed are hosted in South Korea and registered to the same user. One noted evasion technique: the malware terminates itself if it detects a malware scanner or anti-virus software. Small tweaks in this variant make it clear that the malware is tailored to a specific audience.
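The lure described above relies on executables dressed up as video files. As an added example (not code from the researchers or from the article), the following script flags files in a download directory whose names or contents do not match: a media extension followed by an executable one, a PE header under a media extension, or a bare executable sitting among what should be video files. The extension lists and the sample names are my own assumptions.

```python
import os
import sys

# Extensions a TV-episode torrent would normally contain (assumed list).
MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mov", ".wmv", ".srt"}
# Extensions Windows runs on double-click (assumed list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable


def classify(name: str, header: bytes) -> list[str]:
    """Return the reasons a file looks like a disguised executable.

    `name` is the file name, `header` the first bytes of its content.
    An empty list means nothing suspicious was found.
    """
    reasons = []
    base = name.lower()
    root, ext = os.path.splitext(base)
    inner_ext = os.path.splitext(root)[1]
    # "episode01.mp4.exe": media extension hidden in front of an executable one
    if ext in EXEC_EXTS and inner_ext in MEDIA_EXTS:
        reasons.append(f"double extension {inner_ext}{ext}")
    # executable content saved under a media extension
    if ext in MEDIA_EXTS and header.startswith(PE_MAGIC):
        reasons.append("PE magic under media extension")
    # any other executable dropped into a media download
    if ext in EXEC_EXTS and not reasons:
        reasons.append("executable in media download")
    return reasons


def scan_dir(path: str) -> dict[str, list[str]]:
    """Walk `path` and map each suspicious file to its list of reasons."""
    findings = {}
    for dirpath, _, files in os.walk(path):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(len(PE_MAGIC))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            reasons = classify(fname, head)
            if reasons:
                findings[full] = reasons
    return findings


if __name__ == "__main__":
    for path, why in scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: {', '.join(why)}")
```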
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is