A malware campaign has been targeting Korean TV torrent websites, according to researchers at ESET.
The malware, which is focused on South Korea, reportedly grants attackers remote control of the compromised devices. Researchers have dubbed it GoBotKR; it is a variant of Win64/GoBot2. The actors behind GoBotKR are building a network of bots that can then be used to perform DDoS attacks of various kinds, according to today’s press release.
“The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions and icons,” says ESET researcher Zuzana Hromcová, who analyzed the malware. “Directly opening the intended MP4 file will not result in any malicious action. The catch here is that the MP4 file is often hidden in a different directory, and users might first encounter the malicious file mimicking it.”
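As an added illustration (this is not code from ESET's report), the following defender-side check looks for the lure pattern described above in a downloaded torrent folder: a file whose name ends in a media extension followed by an executable one, whose content begins with a Windows PE header, and whose name matches a genuine MP4 sitting in a different directory. The folder layout, file names and header bytes are constructed samples.

```python
from pathlib import Path

# Constructed sample torrent folder, kept in memory so the example runs offline:
# relative path -> first bytes of the file. An executable and a shortcut named
# like the episode sit at the top level; the genuine MP4 is in a subfolder.
SAMPLE_TREE = {
    "Drama.E01/Drama.E01.mp4.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Drama.E01/Drama.E01.mp4.lnk": b"L\x00\x00\x00",
    "Drama.E01/video/Drama.E01.mp4": b"\x00\x00\x00\x18ftypmp42",
    "Drama.E01/readme.txt": b"enjoy",
}

MEDIA_EXT = {".mp4", ".mkv", ".avi", ".wmv"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}

def suspicious_reasons(path, head):
    """Return why a file looks like a disguised executable (empty list = clean)."""
    suffixes = [s.lower() for s in Path(path).suffixes]
    reasons = []
    # "episode.mp4.exe": media extension immediately followed by an executable one
    if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXT and suffixes[-1] in EXEC_EXT:
        reasons.append("media-looking name with executable extension")
    # The extension alone is not trusted: Windows PE files begin with the "MZ" magic
    if head[:2] == b"MZ":
        reasons.append("PE executable content (MZ header)")
    return reasons

def genuine_media_twin(path, tree):
    """Find the real media file a decoy imitates: same name minus the executable
    extension, located elsewhere in the tree, carrying an MP4 'ftyp' box."""
    p = Path(path)
    decoy_name = p.name[: -len(p.suffix)] if p.suffix else p.name
    for other, head in tree.items():
        if other != path and Path(other).name == decoy_name and head[4:8] == b"ftyp":
            return other
    return None

def scan_tree(tree):
    """Map each suspicious path to its reasons, plus the decoy's real twin if any."""
    findings = {}
    for path, head in tree.items():
        reasons = suspicious_reasons(path, head)
        if reasons:
            twin = genuine_media_twin(path, tree)
            if twin:
                reasons.append("imitates genuine media file at " + twin)
            findings[path] = reasons
    return findings
```

To run it against a real download, build the same mapping from disk by reading the first 64 bytes of each file under the torrent folder and pass it to `scan_tree`.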
Though not very technically complex, the malware collects system information about the compromised computer after being executed. According to the researchers, the information collected includes network configuration, OS version information and CPU and GPU versions along with a list of installed antivirus software.
“This information is sent to a C&C server, which helps the attackers determine which bots should be used in the respective attacks. All C&C servers that we extracted from the analyzed malware samples are hosted in South Korea and registered by the same person,” said Hromcová.
The evasion techniques of GoBotKR are notable from a researcher’s perspective, said Hromcová. One technique in particular stands out: the malware scans the running processes on the compromised system and self-terminates if any of the products it checks for are detected.
“Overall, the modifications show us that the attackers customized the malware for a specific audience, while taking extra effort to remain undetected in their campaign,” said Hromcová.