GoBotKR backdoor found targeting Korean movies and TV show fans

  • GoBotKR disguises itself as South Korean movies and TV shows to lure users and evade detection.
  • This malicious content is distributed via torrent sites.

A new variant of the Win64/GoBot2 backdoor has been found being distributed via torrent sites. Dubbed GoBotKR, the malware targets users who are fans of Korean movies and TV shows.

How does it spread?

ESET researchers have found that GoBotKR disguises itself as South Korean movies and TV shows to lure users and evade detection. This malicious content is distributed via torrent sites.

The malware sample has been active since March 2018, with South Korea being the most affected (80%). China (10%) and Taiwan (5%) are the other countries that are impacted by GoBotKR.

Malicious files

These booby-trapped files, which carry deceptive filenames, extensions and icons, come in several forms: MP4 files, PMA archive files, or LNK files whose filename and icon mimic the legitimate video file.

When users unwittingly open what appears to be the MP4 video, they are in fact opening the malicious LNK file, which executes the malware. Similarly, renaming the malicious EXE file to a PMA file is a technique used to avoid raising suspicion among potential victims.

“During our investigation, we have seen the following filenames being used for the malicious executables: starcodec.pma, WedCodec.pma and Codec.pma (movie/TV show disguise) and leak.dll (game disguise). The name “starcodec” mimics the legitimate Korean codec pack Starcodec,” wrote the researchers in a blog post.
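A defender-side triage check for the two disguises described above (a shortcut named like a video file, and a PE executable renamed to a .pma "codec" file), written as an added Python example that is not from ESET's report or the malware itself; every file name and byte string below is constructed for the demonstration.

```python
import os
import tempfile

VIDEO_EXTS = {".mp4", ".mkv", ".avi", ".wmv"}
EXEC_EXTS = {".exe", ".dll", ".scr"}
PE_MAGIC = b"MZ"                  # DOS header that starts every Windows EXE/DLL
LNK_MAGIC = b"\x4c\x00\x00\x00"   # ShellLink header size field, always 0x4C


def classify(path):
    """Return the reasons a file looks like a disguised executable, or []."""
    reasons = []
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    with open(path, "rb") as fh:
        head = fh.read(4)
    # 1. Shortcut carrying a video name ("Drama.E01.mp4.lnk"): Explorer hides
    #    the .lnk suffix, so only the video-looking part is shown to the user.
    if (ext == ".lnk" or head == LNK_MAGIC) and os.path.splitext(stem)[1] in VIDEO_EXTS:
        reasons.append("shortcut posing as video")
    # 2. PE image stored under a non-executable extension (e.g. starcodec.pma):
    #    the content is an EXE regardless of what the filename claims.
    if head.startswith(PE_MAGIC) and ext not in EXEC_EXTS:
        reasons.append(f"PE executable with non-executable extension '{ext}'")
    return reasons


def scan_directory(root):
    """Walk root and map each suspicious relative path to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = classify(path)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_download():
    """Create a constructed torrent payload mirroring the disguises in the text."""
    root = tempfile.mkdtemp()
    samples = {
        "Drama.E01.mp4": b"\x00\x00\x00\x18ftypmp42",          # genuine MP4 header
        "Drama.E01.mp4.lnk": LNK_MAGIC + b"\x01\x14\x02\x00",  # shortcut, video name
        "starcodec.pma": PE_MAGIC + b"\x90\x00" * 30,          # PE renamed to .pma
        "readme.txt": b"enjoy the show",                       # benign control file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Run scan_directory(build_sample_download()) to see the two disguised files flagged while the real video and text file pass.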

What are the capabilities of GoBotKR?

The functionality of GoBotKR largely overlaps with the GoBot2 source code. The malware variant is capable of collecting system information. This includes system configuration, OS version, CPU and GPU version and a list of installed antivirus software. The collected information is then sent to a C2 server handled by the attackers.

GoBotKR also accepts commands from the C2 server to:

  • Carry out a DDoS attack on a specified victim;
  • Access a URL;
  • Execute a file, a command, a script;
  • Update, terminate or uninstall itself;
  • Shut down, reboot or log off the computer;
  • Change the homepage in IE;
  • Change the desktop background;
  • Seed torrents;
  • Copy itself to connected removable media and set up an AutoRun entry;
  • Copy itself to public folders of cloud storage services (Dropbox, OneDrive, Google Drive);
  • Run a reverse proxy server;
  • Run an HTTP server;
  • Change firewall settings, edit the hosts file, open a port;
  • Enable/disable Task Manager;
  • Enable/disable Windows registry editors;
  • Enable/disable Command Prompt;
  • Kill a process; and
  • Hide a process window.