UDP RAT Malware Being Distributed via Webhards

While monitoring the distribution source of malware in Korea, the ASEC analysis team found that UDP RAT malware disguised as an adult game is being distributed via webhards. Webhards and torrents are platforms commonly used for the distribution of malware in Korea.

Attackers typically take easily obtainable malware such as njRAT and UDP RAT and disguise it as a normal program, such as a game or adult content, for distribution. Similar cases have been covered in previous ASEC blog posts several times:

– njRAT Being Distributed through Webhards and Torrents
– njRAT Malware Distributed via Major Korean Webhard

The malware types introduced in the posts above are still being found, and DDoS malware such as Simple UDP RAT is now usually used instead of njRAT. As shown in the figure below, the webhard download page that distributes the malware-laden compressed file is disguised as an adult game.

The attacker also distributes the malware through a few other compressed files besides the post above. The games differ, but the malware inside the compressed files is the same as what is discussed below.

The downloaded zip file contains the following files, and the user would run the “Game..exe” file to play the game.

However, “Game..exe” is not the game's launcher but launcher malware that runs another malware file. With the routine below, it runs the stick.dat malware file in the Dat folder, then copies Ob.dat to Game.exe and runs that copy.

The file copied to Game.exe and run is the actual game launcher, so the user believes the game has started normally.

Once the process above is complete, the “Game..exe” file is set to hidden, so from then on the user runs Game.exe, the copied game launcher. Meanwhile, the stick.dat file run by the launcher malware is an ALZip SFX (self-extracting) archive that creates two malware files, “Uninstall.exe” and “op.gg.setup.apk”, in the C:\Program Files\4.0389 folder.

After creating the files, stick.dat runs Uninstall.exe, another launcher malware that in turn runs op.gg.setup.apk. Op.gg.setup.apk is a downloader malware that downloads Op.gg.exe from the following address into the same directory and runs it.

Download URL: hxxps://cdn.discordapp[.]com/attachments/872548745902948365/889723452569845830/Op.gg.exe

Op.gg.exe registers itself in the Run key for persistence, launches the legitimate program “C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe”, and injects the actual malware into it. The malware injected into SMSvcHost.exe is a downloader that periodically connects to the C&C server to obtain the address of additional malware to download.

C&C URL: hxxp://ondisk.kibot[.]pw:8080/links/UserTwo

If it obtains the address of additional malware from the C&C server, it downloads that malware into the C:\Steam_Kr\ folder and runs it, as shown below.

As the team has not yet obtained a download URL from the C&C server, it could not confirm what the malware does afterwards. However, numerous samples downloaded by this downloader can be found in AhnLab’s ASD infrastructure. Most of them are the open-source UDP RAT, which can perform UDP flood DDoS attacks.

The installed UDP RAT malware is usually packed with a packer such as Themida to evade detection, though some samples are not packed.

C&C address of Simple UDP RAT: 37.0.11[.]171:49367
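As an added defender-side example, not part of the ASEC post and not AhnLab's detection logic, the rule set below encodes the infection chain described above: the double-dot launcher name, the C:\Program Files\4.0389 and C:\Steam_Kr\ drop directories, the Run key entry, SMSvcHost.exe being started by something other than the service control manager, and the two C&C endpoints from the post. It runs those rules over constructed endpoint telemetry. The event schema (kind/image/parent/key/data/dest), the assumption that a legitimate SMSvcHost.exe is only ever started by services.exe, and the file name payload.exe are assumptions made for this example, not facts from the post.

```python
"""Behavioural rules for the webhard UDP RAT chain, run over constructed events.

Added example, not ASEC/AhnLab code. Indicators are taken from the post with
defanged notation ([.] and [:]) restored so they can be compared directly.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

C2_ENDPOINTS = {"ondisk.kibot.pw:8080", "37.0.11.171:49367"}   # from the post
DROP_DIRS = ("c:\\program files\\4.0389\\", "c:\\steam_kr\\")   # from the post
CHAIN_FILES = {"stick.dat", "uninstall.exe", "op.gg.setup.apk", "op.gg.exe"}
SMSVCHOST = "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\smsvchost.exe"
# Assumption for this example: the real SMSvcHost.exe is only started by the
# service control manager, so any other parent process deserves a look.
EXPECTED_SMSVCHOST_PARENT = "services.exe"
DOUBLE_DOT_EXE = re.compile(r"\.\.exe$")   # matches names such as "Game..exe"


@dataclass
class Event:
    """Assumed minimal telemetry record; not a real Sysmon/EDR schema."""
    kind: str            # "process", "registry" or "network"
    image: str           # process that performed the action
    parent: str = ""     # parent image (process events)
    key: str = ""        # registry key path (registry events)
    data: str = ""       # registry value data (registry events)
    dest: str = ""       # "host:port" (network events)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def reasons_for(ev: Event) -> list[str]:
    """Return every rule the event trips; an empty list means it looks benign."""
    hits: list[str] = []
    image = ev.image.lower()
    if ev.kind == "process":
        if DOUBLE_DOT_EXE.search(image):
            hits.append("double-dot executable name (launcher disguise)")
        if image.startswith(DROP_DIRS):
            hits.append("executable launched from drop directory")
        if basename(image) in CHAIN_FILES:
            hits.append("known chain component: " + basename(image))
        if image == SMSVCHOST and basename(ev.parent) != EXPECTED_SMSVCHOST_PARENT:
            hits.append("SMSvcHost.exe started by non-service parent (injection host)")
    elif ev.kind == "registry":
        if "\\currentversion\\run" in ev.key.lower() and basename(ev.data) in CHAIN_FILES:
            hits.append("Run key persistence pointing at chain component")
    elif ev.kind == "network":
        if ev.dest.lower() in C2_ENDPOINTS:
            hits.append("connection to known C&C endpoint " + ev.dest)
    return hits


def evaluate(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> reasons, for flagged events only."""
    flagged: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        reasons = reasons_for(ev)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed telemetry mirroring the chain in the post; paths are made up.
GAME_DIR = r"C:\Users\victim\Downloads\Game"
SAMPLE_EVENTS = [
    Event("process", GAME_DIR + r"\Game..exe", parent=r"C:\Windows\explorer.exe"),
    Event("process", GAME_DIR + r"\Dat\stick.dat", parent=GAME_DIR + r"\Game..exe"),
    Event("process", r"C:\Program Files\4.0389\Uninstall.exe", parent=GAME_DIR + r"\Dat\stick.dat"),
    Event("process", r"C:\Program Files\4.0389\op.gg.setup.apk", parent=r"C:\Program Files\4.0389\Uninstall.exe"),
    Event("registry", r"C:\Program Files\4.0389\Op.gg.exe",
          key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          data=r"C:\Program Files\4.0389\Op.gg.exe"),
    Event("process", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe",
          parent=r"C:\Program Files\4.0389\Op.gg.exe"),
    Event("network", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe", dest="ondisk.kibot.pw:8080"),
    Event("process", r"C:\Steam_Kr\payload.exe",   # placeholder name for the second-stage file
          parent=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"),
    Event("network", r"C:\Steam_Kr\payload.exe", dest="37.0.11.171:49367"),
    Event("process", r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),   # benign
    Event("network", r"C:\Program Files\Google\Chrome\Application\chrome.exe", dest="203.0.113.10:443"),  # benign
]

if __name__ == "__main__":
    for idx, reasons in evaluate(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev.kind:8} {ev.image}")
        for r in reasons:
            print("      -", r)
```

The first nine constructed events are flagged and the two benign ones are not. The rules are deliberately independent, so a single event can trip several of them (for instance Uninstall.exe both runs from the drop directory and is a known chain file), which gives a triage analyst more context than a single indicator match.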

As the examples above show, this malware is being actively distributed via file-sharing sites such as webhards. Users should therefore be cautious when running executables downloaded from a file-sharing website, and we recommend obtaining software from the developers’ official websites instead.

[File Detection]
– Game..exe : Trojan/Win.Launcher.C4665771 (2021.10.01.01)
– stick.dat : Dropper/Win.Korat.C4662749 (2021.10.01.00)
– op.gg.setup.apk : Dropper/Win.Korat.R443431 (2021.10.01.00)
– Uninstall.exe : Trojan/Win.Launcher.C4665770 (2021.10.01.01)
– op.gg.exe : Downloader/Win.Korat.R443432 (2021.10.01.00)
– UDP RAT : Backdoor/Win.UDPRat.R443002 (2021.09.28.01)

MD5

00357575f2789c91e7afc7d8e1c25d40
17930cd5cbcf7d12856c81333d4b4713
1b1c9751f5aaf2a1c5afc15d6b82e90b
73052c60e447d60497c4567a5bc1885e
d858cdf1d85128cc337305b644fe565f

URL

http[:]//37[.]0[.]11[.]171[:]49367/
http[:]//ondisk[.]kibot[.]pw[:]8080/links/UserTwo
https[:]//cdn[.]discordapp[.]com/attachments/872548745902948365/889723452569845830/Op[.]gg[.]exe

FQDN

op[.]gg
