While monitoring the distribution source of malware in Korea, the ASEC analysis team has discovered that DDoS IRC Bot strains disguised as adult games are being installed via webhards. Webhards are platforms commonly used for the distribution of malware in Korea, where njRAT and UDP Rat were distributed in the past.
The cases that are recently being discovered are similar to the case discussed in the post above, and it appears that the same attacker is continuing to distribute the malware. For starters, the malware is being distributed under the guise of adult games. Additionally, the DDoS malware was installed via downloader and UDP Rat was used.
One difference is that the previous downloader malware was developed using C#, but now GoLang is used instead. The publicly released open-source Simple-IRC-Botnet (DDoS IRC Bot malware developed with GoLang) was also used along with UDP Rat.
The GoLang is used by various attackers and its usage is increasing recently due to various strengths it has: its low development difficulties and its cross-platform support. Following such a trend, cases that use GoLang are increasing in Korat malware strains that target Korean users.
As shown in the figure below, malware disguised as an adult game is uploaded to the webhard.
While it is uncertain whether the person who uploaded this game is the attacker, similar posts are distributing the same malware using compressed files. Note that the games differ but the malware inside the compressed files is the same as what will be discussed below.
The adult games used for attacks contain the following path name. This means that they were distributed through the compressed files with the following names.
– [19 Korean version] Naughty Mage’s EXXXXX Life
– [19 Korean version] The Reason She Became a Slave
– [19 Korean version] Refraining of Heavenly Walk
– [19 Korean version] Exchange Diary of Violation
– [19 Korean version] Girl From Tea Ceremony Club
– [19 Korean version] Curse of Lilia
– [19 Korean version] Academy with Magical Girls
– [19 Korean version] Monster Fight
– [19 Korean version] Dreamy Lilium
– [19 Korean version] Enraged Department Manager
– [19 Korean version] Fancy Days of Sayuri
– [19 Korean version] Sleif Corporation
– [19 Korean version] Country Girl Exposure
– [19 Korean version] Sylvia and Master of Medicine
– [19 Korean version] Assassin Asca
– [19 Korean version] How to Reform Your Girlfriend
– [19 Korean version] Creating Utopia with Subjugation Skill
– [19 Korean version] Uriel and Belial
– [19 Korean version] The Case of Chairperson Kana
– [19 Korean version] Princess Round
– [19 Korean version] Flora and the Root of the World Tree
– [19 Korean version] Midnight Exposure
– [19 Korean version] Modern Day Elf
– [19 Korean version] Research Data of Homunculus
Upon decompressing the downloaded zip file, the following files appear. Normally, users would run the “Game_Open.exe” file shown below to play the game.
But “Game_Open.exe” is not a launcher that runs the game. It is an executable that runs the additional malware. To be more precise, it changes the “PN” file existing in the same path as “scall.dll” and runs it. Then it copies the original game executable “index” to “Game.exe” to run it. As such, users would assume that the game is being run normally.
Once the process above is complete, the “Game_Open.exe” file becomes hidden. After hidden, users would run “Game.exe” which is a copy of game program launcher. Note that “PN” file that was changed to “scall.exe” and executed is malware. It first moves “srt” file existing in the same path to C:\Program Files\EdmGen.exe.
It then registers “EdmGen.exe” to the task scheduler using the following command to have it run periodically.
“C:\Windows\System32\cmd.exe” /c SCHTASKS /CREATE /SC ONSTART /NP /TN “Windows Google” /TR “C:\Program Files\EdmGen.exe”
“EdmGen.exe” (“srt” file) that is executed by the process shown above runs the normal program vbc.exe and injects malware into the program. The malware that is injected to vbc.exe and executed is also a downloader type discussed in the previous ASEC blog post. One difference is that it was developed with GoLang instead of C#.
The malware can periodically access the C&C server as shown below to obtain the URL of malware that will be downloaded to install additional malware.
- Download URL for Additional Malware: hxxp://node.kibot[.]pw:8880/links/01-13
- Creation Path of Downloaded Malware: C:\Down\discord_[random characters]\[malware name]
Previously, the type of additionally installed malware was UDP Rat DDoS. Yet for this case, there was also Simple-IRC-Botnet developed with GoLang.
It is also a type of DDoS Bot malware, but it uses IRC protocols to communicate with the C&C server. Unlike UDP Rat that only supported UDP Flooding attacks, it can also support attacks such as Slowris, Goldeneye, and Hulk DDoS.
Golang DDoS IRC Bot connects to a particular IRC server when it is run and enters the attacker’s channel. It can perform DDoS attacks on a target if the attacker sends commands from the channel.
– IRC Server List Used by Golang DDoS IRC Bot Malware
As shown in the examples above, the malware is being distributed actively via file sharing websites such as Korean webhards. As such, caution is advised when approaching executables downloaded from a file-sharing website. It is recommend for the users to download products from the official websites of developers.
– Game Launcher
– UDP Rat
– Golang DDoS IRC Bot
– Downloader Malware
– UDP Rat
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.