A variant of the Win64/GoBot2, GoBotKR malware is targeting South Korean TV torrent sites and can grant remote control access on compromised devices. It seems as though whoever is behind the campaign is attempting to create an army of bots that would be used to carry out DDoS attacks amongst other malicious activities. “The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions, and icons,” said researchers. Immediately opening the MP4 file that is attached will not have consequences right away but with this campaign, the MP4 file is hidden within a separate directory and users are more likely to come across the malicious replicated file first. GoBotKR simply collects system information such as network configuration, OS version information and CPU and GPU versions along with a list of installed antivirus software which is then sent to a C&C server. The information is used to figure out which bots should be implemented to carry out further attacks. Samples of the malware that were pulled and analyzed showed that all of the C&C servers have a host location in South Korea and are registered to the same user. A noted evasion technique of the malware is to terminate itself if it recognizes a malware scanner or anti-virus software. Small tweaks in this variant make it obvious that the malware is catering to a specific audience.
Analyst Notes
A reliable security solution such a scanner is suggested to determine if a user has been affected by the malware. The scanner will go through a user’s computer, locate the presence of a threat and remove it. Avoid sites distributing pirated content as this is a known vector for attackers to plant malicious content. If extensions do not match intended filetypes they should not be downloaded. Users should regularly patch their devices and implement trusted security software to stay protected.
