Gobot virus
5/2/2023

A new malware campaign targets South Koreans with backdoor-induced TV show torrents

A variant of the GoBot2 backdoor adds Korean victims to a DDoS botnet and allows remote code execution

Security researchers at ESET recently uncovered a new malware campaign that targets South Korean TV show and movie torrent websites. The backdoor allows the attackers to execute arbitrary code on the infected machine and attach it to the DDoS botnet network.

Written in the GoLang programming language, the GoBot2 malware was first spotted back in March 2017 targeting South Korea, Taiwan, and China, and has been publicly available for cybercriminal groups to use ever since. The ongoing campaign was first spotted in May 2018 and was dubbed Win64/GoBot2 variant GoBotKR due to its prevalence in South Korea. However, the sample recently analyzed by ESET is a modified version of the backdoor, specially crafted to evade South Korean avoidance techniques. The added features include the execution of the malicious code with the help of legitimate Windows binaries, combined with external clients like uTorrent or BitTorrent.

The malicious payload is hidden in a renamed EXE file

Torrent sites are known to distribute a variety of malware, and a variety of techniques can be used to inject the malicious code. Peer-to-peer networks are usually poorly regulated: malicious ad space can be bought by threat actors to exploit known vulnerabilities, and unknown groups place the alleged torrent files with the embedded malware payload. In this case, the attackers booby-trap the malware inside the supposed TV show, movie or video game directory, as explained by ESET's malware analyst Zuzana Hromcová:

"The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions and icons. Our analysis shows that the torrents using a movie/TV show disguise generally contain the following types of files:

- A malicious LNK file with a filename and icon mimicking the expected video file.
- A malicious executable masked as a PMA archive file with a filename mimicking various codec installers."

Hackers hide the original MP4 file of the downloaded video under a different folder, and opening it directly would not infect the computer with GoBotKR. However, because users do not see the executable (.exe) file, they have no suspicions and open the LNK file, which triggers the PMA file and installs the malicious payload. To make everything less suspicious, the malware does launch the intended video, while the malicious file is executed in the background.

As soon as the malware code is executed, it contacts a Command and Control server controlled by the hackers and sends out the following technical details:

Additionally, the PMA file is always presented as an alleged codec for the movie file, under names such as WedCodec.pma or Codec.pma. This allows the attackers to build a network of bots that can perform targeted DDoS attacks (Slowloris, SYN Flood, UDP Flood) and easily control any machine in the chain. All the analyzed C&C servers were registered to the same person and were located in South Korea.
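A defender-side triage check for the lure layout described above, added here as an example and not taken from the ESET report or the malware itself: it flags a .lnk whose name ends in a video extension, a .pma "codec" file that actually starts with a PE (MZ) header, and a .lnk whose raw bytes reference that .pma, while leaving the genuine MP4 in the subfolder unflagged. All filenames and file contents are constructed for the demo; the .lnk is a stand-in byte string rather than a real Windows shortcut.

```python
import re
import tempfile
from pathlib import Path

VIDEO_EXT = {".mp4", ".mkv", ".avi", ".wmv"}


def triage_dir(root):
    """Return (finding, path[, detail]) tuples for a downloaded torrent folder."""
    root = Path(root)
    paths = [p for p in root.rglob("*") if p.is_file()]
    pma_files = [p for p in paths if p.suffix.lower() == ".pma"]
    findings = []
    for p in pma_files:
        rel = p.relative_to(root).as_posix()
        # A genuine codec archive would not begin with the PE "MZ" magic.
        if p.read_bytes()[:2] == b"MZ":
            findings.append(("pe_masquerading_as_pma", rel))
        if re.search(r"codec", p.name, re.IGNORECASE):
            findings.append(("codec_named_pma", rel))
    for p in paths:
        if p.suffix.lower() != ".lnk":
            continue
        rel = p.relative_to(root).as_posix()
        # "Show.E01.mp4.lnk": Explorer hides ".lnk", so the user sees a video file.
        if Path(p.stem).suffix.lower() in VIDEO_EXT:
            findings.append(("lnk_mimics_video", rel))
        data = p.read_bytes()
        for pma in pma_files:
            # Shortcut files store paths as ANSI and/or UTF-16LE; check both.
            if pma.name.encode() in data or pma.name.encode("utf-16-le") in data:
                findings.append(("lnk_references_pma", rel, pma.name))
    return findings


def build_sample_dir():
    """Constructed lure layout (no real malware): LNK + PMA + hidden real MP4."""
    root = Path(tempfile.mkdtemp())
    (root / "Codec.pma").write_bytes(b"MZ" + b"\x00" * 62)  # PE-style header only
    lnk = b"L\x00\x00\x00" + "Codec.pma".encode("utf-16-le") + b"\x00" * 16
    (root / "Show.S01E01.1080p.mp4.lnk").write_bytes(lnk)
    (root / "sub").mkdir()
    (root / "sub" / "Show.S01E01.1080p.mp4").write_bytes(b"\x00\x00\x00\x18ftypmp42")
    return root


if __name__ == "__main__":
    for finding in triage_dir(build_sample_dir()):
        print(finding)
```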