Malware Distributed via Discord along with Illegal Pornography

The ASEC analysis team recently discovered batches of RAT (Remote Administration Tool) malware being distributed via the Discord messenger. Currently, a downloader that fetches these batches of malware is being distributed under the name ‘porn URL.exe’; when it is run, it downloads various RAT malware from an external server and installs them.

Discord is an instant messenger that supports text, voice, and video chat. It is one of the most popular instant messengers in Korea. It is mostly used by gamers for features such as voice chat during gameplay, but many other users use Discord for social chatting and various other purposes.

Because it is designed as a private instant messenger, it can be used for illegal purposes as shown below. The following is a Discord chat room created to distribute illegal pornography together with malware named ‘porn URL.exe.’

Figure 1. Discord chat room created to distribute malware and illegal pornography

The distributor of the illegal pornography and malware prompts users to download and run a tool named ‘porn URL.exe’ via the following message. It also tells them to remove their anti-malware program or disable real-time scanning to avoid detection.

Figure 2. Message that prompts the users to download ‘porn URL.exe’ file

Clicking the link above downloads a zip file named ‘link.zip’; extracting it yields a downloader named ‘porn URL.exe.’ The following GUI is shown when the program is run.

Figure 3. GUI of ‘porn URL.exe’ program

Clicking each button shows the users illegal pornographic videos and photos distributed via the mega.nz file-sharing website (see figure below).

Figure 4. mega.nz website that is being used to distribute pornography

Note that each button leads to numerous illegal pornographic files hosted on mega.nz. The program has 30 buttons, so there are at least that many file-sharing pages. While some URLs are currently unavailable, many links still work, and since each page holds several illegal pornographic videos and photos, it is hard to fathom how many such files there are in total.

Figure 5. Several illegal pornography sharing pages

In addition, this ‘porn URL.exe’ program is used to distribute not only illegal videos but also malware. When ‘porn URL.exe’ runs, it downloads two malware files from the website below before showing the GUI in the figure above.

Figure 6. Download of additional malware

vs.txt, the first resource contacted, contains version information; the attacker added it in the latest version for version management. Visiting the website shows the uploaded malware below.

Figure 7. Website used to distribute malware

The following is the file info confirmed to be related to ‘porn URL.exe.’

a. porn URL.exe
– md5
d7e9544a8c8df86f738e4898025bf207
– Additional malware download URL
http[:]//websh.p-e[.]kr/reg.exe

b. porn URL.exe
– md5
40621e3e9b68469697262e5766e596d9
– Additional malware download URL
http[:]//websh.p-e[.]kr/Server.exe
http[:]//websh.p-e[.]kr/reg.exe

c. porn URL.exe v0.0
– md5
521dd96ef9565777c5c388b00146c3eb
– Additional malware download URL
http[:]//websh.p-e[.]kr/Update.exe
http[:]//websh.p-e[.]kr/reg.exe

d. porn URL.exe v0.1
– md5
2116181929f8eaf1e28990e6ba56bf11
– Additional malware download URL
http[:]//websh.p-e[.]kr/Update.exe
http[:]//websh.p-e[.]kr/reg.exe

The additionally downloaded malware is njRAT and AsyncRAT. Both are RAT malware that receive the attacker’s commands from the C&C server and perform malicious activities. In Korea, njRAT is also being distributed via webhard and torrent sites.

AsyncRAT is an open-source RAT tool developed in .NET; like njRAT and other RAT-type malware, it can perform malicious activities such as keylogging, screenshot logging, and account information extraction.

Figure 8. AsyncRAT open-source page

The malware is downloaded to the path C:\Program Files (x86)\Windows File\ and run under the names reg.exe, Update.exe, and Server.exe. Also, since AsyncRAT injects itself into the legitimate process InstallUtil.exe, simply checking the process name is not enough to spot it.

The attacker periodically changes both the downloader and the additionally downloaded malware to bypass detection. The attacker also added a version-check routine to make sure that only the latest version of the malware runs, and the recently discovered AsyncRAT and njRAT samples are packed with Themida to hinder detection and analysis.
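Because the attacker keeps rotating the samples, hash matching alone goes stale quickly. The following is an added example of a defender-side triage check (not ASEC's code) that keys on the behaviour described above instead: the drop directory, the dropped file names, the distribution host, and InstallUtil.exe being spawned by a process from that directory. The event format and the sample events are constructed for illustration, not telemetry captured from the campaign.

```python
import re
# Behavioural indicators from the post; hashes rotate, so we do not match on MD5s.
DROP_DIR = "c:\\program files (x86)\\windows file\\"
DROPPED_NAMES = {"reg.exe", "update.exe", "server.exe"}
HOST_RE = re.compile(r"https?://websh\.p-e\.kr/")  # defanged in the post as websh.p-e[.]kr


def classify(event):
    """Return the indicator names an endpoint event matches (empty list if none)."""
    hits = []
    kind = event["type"]
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    # 1. Any file written into the drop directory (file names may change over time).
    if kind == "file_create" and event.get("target_file", "").lower().startswith(DROP_DIR):
        hits.append("file_written_to_drop_dir")
    if kind == "process_create":
        # 2. A process launched from the drop directory, e.g. reg.exe or Update.exe.
        if image.startswith(DROP_DIR):
            hits.append("process_from_drop_dir")
            if image.rsplit("\\", 1)[-1] in DROPPED_NAMES:
                hits.append("known_dropped_name")
        # 3. InstallUtil.exe spawned by a drop-dir process: AsyncRAT's injection host.
        if image.endswith("\\installutil.exe") and parent.startswith(DROP_DIR):
            hits.append("installutil_spawned_from_drop_dir")
    # 4. Any request to the distribution host (covers vs.txt and the payloads).
    if kind == "http_request" and HOST_RE.match(event.get("url", "").lower()):
        hits.append("download_host_contact")
    return hits


def triage(events):
    """Map event index -> indicator hits, keeping only events that hit."""
    results = {i: classify(e) for i, e in enumerate(events)}
    return {i: h for i, h in results.items() if h}


# Constructed sample events (Sysmon-like fields), not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"type": "http_request", "image": r"C:\Users\alice\Downloads\link\porn URL.exe",
     "url": "http://websh.p-e.kr/vs.txt"},
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\link\porn URL.exe",
     "target_file": r"C:\Program Files (x86)\Windows File\reg.exe"},
    {"type": "process_create", "image": r"C:\Program Files (x86)\Windows File\reg.exe",
     "parent_image": r"C:\Users\alice\Downloads\link\porn URL.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Program Files (x86)\Windows File\reg.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\reg.exe",  # Windows' own reg.exe
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the first four events and leaves the legitimate reg.exe launch alone, which is the distinction the process-name check by itself cannot make.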

Users must take caution as such malware is being actively distributed by abusing Discord. Users must also be aware that sharing illegal videos is a violation of the law, and must not download files from unknown sources. V3 should also be kept updated to the latest version so that malware infections can be prevented.

AhnLab’s anti-malware product V3 detects the malware above under the aliases below.

[File Detection]
Trojan/Win32.MSILKrypt.C4265600 (2020.12.18.04)
Trojan/Win32.MSILKrypt.C4266357 (2020.12.19.09)
Trojan/Win32.MSILKrypt.C4266361 (2020.12.19.09)
Trojan/Win32.AsyncRAT.C4265591 (2020.12.18.04)
Trojan/Win32.AsyncRAT.C4265605 (2020.12.18.04)
Trojan/Win32.AsyncRAT.C4265840 (2020.12.18.07)
Trojan/Win32.Korat.R207428 (2017.08.25.03)
Malware/Win32.RL_Generic.C4265239 (2020.12.18.01)
Backdoor/Win32.LimeRAT.C4266728 (2020.12.20.08)
Backdoor/Win32.LimeRat.R359305 (2020.12.21.05)

[Behavior Detection]
Malware/MDP.Inject.M3034
Malware/MDP.Behavior.M3108

[IoC]
– Download URL
http[:]//websh.p-e[.]kr/Update.exe
http[:]//websh.p-e[.]kr/Server.exe
http[:]//websh.p-e[.]kr/reg.exe


– C&C Address
AsyncRAT
daue.kro[.]kr:1324
njRAT
gore.p-e[.]kr:5555
gore.r-e[.]kr:5552
