The ASEC analysis team continuously monitors the distribution sources of Korean malware, and recently introduced UDP Rat along with the webhard posts used to distribute it. Since that post was published, the uploader, who is presumed to be the attacker, has kept distributing similar malware disguised as adult games via other webhards, and the files are still available for download.
The figure above shows that, unlike the earlier cases where a zip archive was uploaded, an archive with the egg extension was uploaded this time. However, the file is actually a zip archive; only the extension differs. At the bottom of the post, there is an instruction telling the user to decompress the file and execute Game.exe.
The uploader published numerous posts containing malware using the same method. The attachments of these posts are all zip archives disguised with an egg extension, and each post ends with the same instruction to execute Game.exe.
When the file is decompressed, there is no Game.exe; instead, the malware ‘Game..exe’ (note the doubled dot) appears. The malicious files inside the archive are Game..exe, a launcher; wode.dat, which injects a downloader into a normal process; and std.dat, which drops and executes another launcher that in turn executes wode.dat.
The infection flow of the malicious file Game..exe upon execution is as shown below. In short, through the process below, the malware injected into the normal process comsvcconfig.exe operates as a downloader. Note that the difference from the previous case is that the injector inside the compressed file (Chrome.exe) was downloaded via Discord.
The malware changes the name of the original game executable named index.dat inside the compressed file to Game.exe and executes it. Seeing this, the user assumes that the game is operating normally. The malware that actually executes malicious behavior is Chrome.exe, a malicious injector that is created inside a folder named Chrome in the Program Files path.
The malware that is executed by being injected into comsvcconfig.exe is a downloader just like in the previous blog post, and the C&C address is also similar. The path for downloading and installing additional malware is also the same.
– C&C URL : hxxp://ondisk.kibot[.]pw:8080/links/UserTree
As shown in the examples above, this malware is being actively distributed via file-sharing websites such as Korean webhards, so users must take extra caution. Executables downloaded from file-sharing websites should be treated with suspicion, and we recommend that users download software only from the official websites of its developers.
– Game..exe : 46c88574f4eb9ec382a2eb2f4ea9ea98
– std.dat : ab54586691e787b3f51ddb464feeac07
– wode.dat : 733ec7e0aad7dab5a377b836ccba02f6
– Proxy.exe : c57ce2e7d2e46a697da7ce030406a601
– Downloader malware C&C : hxxp://ondisk.kibot[.]pw:8080/links/UserTwo
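The tells described above (an egg-named attachment that is really a zip archive, a ‘Game..exe’ that stands in for the promised Game.exe, and the MD5 indicators listed in this post) can be checked automatically on a downloaded attachment. The following is an added example for defenders, not code from ASEC or from the malware; it builds a constructed in-memory archive with dummy contents that mimics the layout described in the post (the sample bytes are placeholders, not the real files) and reports the mismatches and any hash hits. The function and variable names are the example's own.

```python
import hashlib
import io
import zipfile

# MD5 indicators as listed in this post (hash -> file name)
KNOWN_BAD_MD5 = {
    "46c88574f4eb9ec382a2eb2f4ea9ea98": "Game..exe",
    "ab54586691e787b3f51ddb464feeac07": "std.dat",
    "733ec7e0aad7dab5a377b836ccba02f6": "wode.dat",
    "c57ce2e7d2e46a697da7ce030406a601": "Proxy.exe",
}

ZIP_MAGIC = b"PK\x03\x04"      # ZIP local file header signature
EXPECTED_NAME = "Game.exe"     # the file name the webhard post tells the user to run


def detect_format(data: bytes) -> str:
    """Return 'zip' if the bytes carry the ZIP signature, regardless of the file extension."""
    return "zip" if data[:4] == ZIP_MAGIC else "unknown"


def looks_like_name_spoof(name: str, expected: str = EXPECTED_NAME) -> bool:
    """Flag entries that imitate the expected name but are not identical to it,
    e.g. 'Game..exe' (doubled dot) or a case/dot variation of 'Game.exe'."""
    base = name.rsplit("/", 1)[-1]
    if base == expected:
        return False
    if ".." in base:
        return True
    return base.replace(".", "").lower() == expected.replace(".", "").lower()


def inspect_archive(filename: str, data: bytes) -> dict:
    """Inspect a downloaded attachment for the indicators described in the post."""
    findings = {
        # egg extension but zip content: the disguise described in the post
        "ext_mismatch": filename.lower().endswith(".egg") and detect_format(data) == "zip",
        "missing_expected": True,   # the promised Game.exe is absent
        "spoofed_names": [],        # look-alike names such as Game..exe
        "ioc_hits": [],             # (entry name, md5) pairs matching the listed IoCs
    }
    if detect_format(data) != "zip":
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base == EXPECTED_NAME:
                findings["missing_expected"] = False
            if looks_like_name_spoof(info.filename):
                findings["spoofed_names"].append(info.filename)
            digest = hashlib.md5(zf.read(info)).hexdigest()
            if digest in KNOWN_BAD_MD5:
                findings["ioc_hits"].append((info.filename, digest))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive mirroring the post's layout; contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Game..exe", b"dummy launcher")
        zf.writestr("wode.dat", b"dummy injector")
        zf.writestr("std.dat", b"dummy dropper")
        zf.writestr("index.dat", b"dummy game binary")
    return buf.getvalue()


if __name__ == "__main__":
    # The attachment is named with an egg extension but is really a zip archive.
    print(inspect_archive("Game.egg", build_sample()))
```

On the constructed sample the report shows the extension/content mismatch, the missing Game.exe and the spoofed ‘Game..exe’ entry; the hash check only fires on the real files, so it stays empty for the dummy contents. Any one of the first three findings is enough reason not to run the archive's contents.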
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.