An IRC bot has been discovered launching DDoS attacks. It is spreading by presenting itself as adult games and is targeting users in Korea.

The attack tactics

Researchers noted that the attackers are distributing the malware via file-sharing websites such as Korean WebHards.
  • First, the malware-laced games are uploaded to webhards (a type of remote file hosting service) in the form of compressed ZIP archives.
  • When the archive's contents are run, an executable (Game_Open[.]exe) launches the actual game while also running the malware payload.
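The lure described above is a ZIP archive in which a Windows executable sits next to ordinary game files. A defender triaging downloads from file-sharing sites can catch that pattern before anything is run. The script below is an added example, not code from the original report or from the researchers: it builds a constructed archive in memory (the entry names and contents are invented, with the executable named after the Game_Open[.]exe filename the report mentions) and flags entries either by executable extension or by a PE "MZ" header hidden under a non-executable name.

```python
import io
import os
import zipfile

# Extensions Windows will execute directly when double-clicked (list is illustrative, not exhaustive)
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".dll"}


def is_pe(head: bytes) -> bool:
    # Every PE file starts with the two-byte DOS header signature "MZ"
    return head[:2] == b"MZ"


def triage_archive(zip_bytes: bytes) -> list:
    """Return a list of suspicious entries with the reason(s) each was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            # Only the first two bytes are needed for the header check
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            elif is_pe(head):
                # Name says "video" or "data", content says Windows executable
                reasons.append("PE header (MZ) under a non-executable name")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive mimicking a game upload with a bundled executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AdultGame/readme.txt", "Run Game_Open.exe to start the game\n")
        zf.writestr("AdultGame/data/level1.pak", b"\x00" * 64)
        # Fake PE: real MZ signature followed by padding (not a working executable)
        zf.writestr("AdultGame/Game_Open.exe", b"MZ" + b"\x90" * 62)
        # A PE disguised as a video file, to show the content-based check
        zf.writestr("AdultGame/intro.mp4", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in triage_archive(build_sample_archive()):
        print(f"{hit['name']} ({hit['size']} bytes): {', '.join(hit['reasons'])}")
```

Running it against the constructed archive reports Game_Open.exe by extension and intro.mp4 by its MZ header; the two data files pass. The header check matters because renaming is the cheapest evasion of an extension-only rule.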

How does it work?

The DDoS IRC bot is installed by a downloader written in Go, together with a UDP RAT, and is built on a publicly released open-source Simple-IRC-Botnet.
  • The malware uses the IRC protocol to communicate with its C2 server. While running, it connects to a specific IRC server and joins the attacker's channel. When commands are sent in that channel, it carries out DDoS attacks against the specified target.
  • While the UDP RAT supports only UDP flooding attacks, this bot supports additional attacks such as Hulk DDoS, Slowloris, and Goldeneye.
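The C2 pattern described above (register a nick, join a channel, wait for commands) is plain-text IRC and is easy to reconstruct from a network capture or a proxy log. The following is an added example, not code from the original report or from the Simple-IRC-Botnet project: it parses a constructed per-host connection log (the log format, hostnames, processes, addresses and IRC lines are all invented for illustration), rebuilds each IRC session, and raises an alert when a process that is not a known IRC client joins a channel or receives channel messages whose first word matches one of the attack names given in the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed log: one line per decoded IRC message, tagged with the originating host and process
SAMPLE_LOG = """\
2022-01-01T10:00:01 host=PC-07 proc=Game_Open.exe dst=203.0.113.10:6667 dir=out line="NICK bot-PC-07"
2022-01-01T10:00:01 host=PC-07 proc=Game_Open.exe dst=203.0.113.10:6667 dir=out line="USER bot 0 * :bot"
2022-01-01T10:00:02 host=PC-07 proc=Game_Open.exe dst=203.0.113.10:6667 dir=in line=":irc.example.net 001 bot-PC-07 :Welcome"
2022-01-01T10:00:02 host=PC-07 proc=Game_Open.exe dst=203.0.113.10:6667 dir=out line="JOIN #ops"
2022-01-01T10:05:40 host=PC-07 proc=Game_Open.exe dst=203.0.113.10:6667 dir=in line=":op!u@h PRIVMSG #ops :!udp 198.51.100.5 53 60"
2022-01-01T10:09:12 host=PC-07 proc=Game_Open.exe dst=203.0.113.10:6667 dir=in line=":op!u@h PRIVMSG #ops :!slowloris 198.51.100.5 80"
2022-01-01T10:00:05 host=PC-03 proc=hexchat.exe dst=198.51.100.20:6697 dir=out line="NICK alice"
2022-01-01T10:00:06 host=PC-03 proc=hexchat.exe dst=198.51.100.20:6697 dir=out line="JOIN #linux"
2022-01-01T10:01:00 host=PC-03 proc=hexchat.exe dst=198.51.100.20:6697 dir=in line=":bob!u@h PRIVMSG #linux :hello everyone"
"""

# Processes an organisation expects to speak IRC (assumed allow-list, adjust per environment)
KNOWN_IRC_CLIENTS = {"mirc.exe", "hexchat.exe", "irssi", "weechat"}
# Attack names from the report, lower-cased; the bot's command verb is matched against these
DDOS_COMMANDS = {"udp", "hulk", "slowloris", "goldeneye"}

LOG_RE = re.compile(
    r'(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) '
    r'dst=(?P<ip>[\d.]+):(?P<port>\d+) dir=(?P<dir>in|out) line="(?P<line>.*)"$'
)
PRIVMSG_RE = re.compile(r":\S+ PRIVMSG (\S+) :(.*)")


@dataclass
class Session:
    host: str
    proc: str
    dst: str
    nick: Optional[str] = None
    channels: Set[str] = field(default_factory=set)
    commands: List[str] = field(default_factory=list)


def parse_sessions(log_text: str) -> List[Session]:
    """Group log lines by (host, process, destination) and track IRC state per session."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # not a decoded IRC line; ignore
        dst = f"{m['ip']}:{m['port']}"
        key = (m["host"], m["proc"], dst)
        s = sessions.setdefault(key, Session(m["host"], m["proc"], dst))
        line = m["line"]
        if m["dir"] == "out":
            upper = line.upper()
            if upper.startswith("NICK "):
                s.nick = line.split(" ", 1)[1]
            elif upper.startswith("JOIN "):
                # JOIN may carry a key after the channel; keep only the channel name
                s.channels.add(line.split(" ", 1)[1].split(" ")[0])
        else:
            pm = PRIVMSG_RE.match(line)
            if pm and pm.group(1) in s.channels:
                text = pm.group(2)
                verb = text.lstrip("!.").split(" ")[0].lower()  # "!udp ..." -> "udp"
                if verb in DDOS_COMMANDS:
                    s.commands.append(text)
    return list(sessions.values())


def flag_sessions(sessions: List[Session]) -> list:
    """Return (host, process, reasons) for sessions that look like bot C2 rather than a user chatting."""
    alerts = []
    for s in sessions:
        reasons = []
        if s.proc.lower() not in KNOWN_IRC_CLIENTS and s.channels:
            reasons.append(f"non-IRC process {s.proc} joined {sorted(s.channels)} on {s.dst}")
        if s.commands:
            reasons.append(f"received {len(s.commands)} DDoS-style command(s): {s.commands}")
        if reasons:
            alerts.append((s.host, s.proc, reasons))
    return alerts


if __name__ == "__main__":
    for host, proc, reasons in flag_sessions(parse_sessions(SAMPLE_LOG)):
        print(f"ALERT {host} {proc}")
        for r in reasons:
            print("  -", r)
```

On the constructed log the Game_Open.exe session on PC-07 is flagged twice (unknown process joining a channel, and two attack commands received), while the hexchat.exe session on PC-03 is left alone. The process allow-list is the noisier of the two signals; the command-verb match is the one worth paging on.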

Conclusion

The DDoS IRC bot is new and not widely spread at the moment. However, it is still being disseminated actively via Korean webhards, indicating that the attackers are deliberately selecting their victims. It is recommended to stay alert when downloading files from file-sharing websites and to use official sources for downloads.

Cyware Publisher