Webhards are the main platforms that the attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past. Generally, attackers distribute malware through illegal programs such as adult games and crack versions of games. Those who use webhards as a distribution path typically install RAT type malware such as njRAT, UdpRAT, and DDoS IRC Bot.
- njRAT Malware Distributed via Major Korean Webhard
- UDP RAT Malware Being Distributed via Webhards
- DDoS IRC Bot Malware (GoLang) Being Distributed via Webhards
As shown in the cases covered by the posts above, threat actors are periodically using various types of malware. The ASEC analysis team has recently discovered that a DDoS Bot malware called “HH IRC Bot” is being distributed. Based on our search using the strings and features used in the malware, it seems that this malware was shared on a hacking forum below in 2012. HH is the abbreviation for HackHound and is described as the official IRC Bot of the Hackhound forum.
IRC (Internet Relay Chat) is a real-time Internet chat protocol developed in 1988. Users join particular channels on particular IRC servers and chat in real time with the other users who have joined the same channel. An IRC Bot is malware that abuses this IRC service to communicate with its C&C server. Once installed on the infected system, the IRC Bot joins the IRC server channel designated by the threat actor, following the IRC protocol, and then transmits stolen information to that channel. Alternatively, when the attacker enters a particular string in the channel, the IRC Bot receives it as a command and performs the corresponding malicious behavior.
IRC Bot malware has been in steady use because it leverages existing IRC protocols and IRC servers, so attackers do not need to develop their own C&C server or protocol. The GoLang-based Simple-IRC-Botnet mentioned above is one example.
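To make the C&C model above concrete, here is an added example in Python (not code from the original post, and not the bot's own code): a parser for IRC's line format as framed in RFC 1459, and a function that reconstructs from a captured client/server transcript which server the bot registered with, which channel it joined, and which channel or private messages it received as operator commands. The transcript, the server name irc.example.invalid, the channel #ctrl and the "!"-prefixed command strings are all constructed for the example.

```python
"""Added example: RFC 1459 IRC line parsing plus a summariser for an IRC C&C session.
Every line of sample data below is constructed; only the IRC message framing is standard."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]  # "nick!user@host" or a server name; None when absent
    command: str           # NICK, USER, JOIN, PRIVMSG, PING ... or a 3-digit numeric reply
    params: List[str]      # parameters; a trailing ":"-parameter (may contain spaces) is last


def parse_irc_line(line: str) -> IrcMessage:
    """Split one IRC line into prefix, command and parameters."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):               # optional prefix: ":<source> "
        prefix, _, line = line[1:].partition(" ")
    # The trailing parameter begins at the first " :" and may contain spaces.
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    command, params = params[0].upper(), params[1:]
    return IrcMessage(prefix, command, params)


@dataclass
class CncSummary:
    server: Optional[str] = None
    nick: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    operator_commands: List[str] = field(default_factory=list)


def summarise_session(transcript: List[str]) -> CncSummary:
    """Walk a transcript whose lines are tagged "C> " (client to server) or "S> "
    (server to client) and pull out the C&C-relevant facts. The server does not
    echo a client's own PRIVMSGs back to it, so every PRIVMSG arriving from the
    server for a joined channel or for the bot's nick came from another party,
    which in a bot channel means the operator."""
    summary = CncSummary()
    for raw in transcript:
        direction, _, line = raw.partition(" ")
        msg = parse_irc_line(line)
        if direction == "C>":
            if msg.command == "NICK" and msg.params:
                summary.nick = msg.params[0]
            elif msg.command == "JOIN" and msg.params:
                summary.channels.append(msg.params[0])
        elif direction == "S>":
            if msg.command == "001" and msg.prefix:   # RPL_WELCOME; prefix is the server name
                summary.server = msg.prefix
            elif msg.command == "PRIVMSG" and len(msg.params) == 2:
                target, text = msg.params
                if target in summary.channels or target == summary.nick:
                    summary.operator_commands.append(text)
    return summary


# Constructed transcript of the register / join / receive-command flow described above.
SAMPLE_SESSION = [
    "C> NICK bot-4f2a",
    "C> USER bot 0 * :bot",
    "S> :irc.example.invalid 001 bot-4f2a :Welcome to the network",
    "S> PING :irc.example.invalid",
    "C> PONG :irc.example.invalid",
    "C> JOIN #ctrl",
    "S> :bot-4f2a!bot@10.0.0.5 JOIN :#ctrl",
    "S> :op!op@irc.example.invalid PRIVMSG #ctrl :!update hxxp://example.invalid/new.exe",
    "S> :op!op@irc.example.invalid PRIVMSG bot-4f2a :!ping",
    "C> PRIVMSG #ctrl :pong",
]

if __name__ == "__main__":
    s = summarise_session(SAMPLE_SESSION)
    print(f"server={s.server} nick={s.nick} channels={s.channels}")
    for cmd in s.operator_commands:
        print("operator command:", cmd)
```

The same parse can be run over the reassembled TCP stream of a workstation talking to an IRC port (the IOC section lists port 6667 for the HackHound IRC Bot); a host that registers a random-looking nick, joins a single channel and only ever receives "!"-style commands there is the pattern to alert on, regardless of which IRC server it uses.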
Currently, the files that the threat actor uploaded can no longer be found on the webhards, but they are believed to have been disguised as adult games, as in the past cases, and distributed under the following paths.
- \Time-stop Lesson (2)\d4work.dll
- \Baby_Making_Life_Showered_With_Love_From_A_Yandere_Sister_04_10 (2)\d3dcompiler_46.dll
- \No Sandwiches (2)\d3dcompiler_46.dll
- \Teaching Feeling\save.dll
These compressed game files, uploaded to the webhards, contain the njRAT malware. For reference, the distributed filenames such as “d4work.dll” and “d3dcompiler_46.dll” have been commonly used to distribute njRAT in the past.
This attack appears to be the work of the same threat actor as in the past cases, for the following reasons: webhards were used as the main distribution channel; the filenames are identical to those used in past attacks; IRC malware is used, as in the past case involving the Golang DDoS IRC Bot; and aside from njRAT and the HackHound IRC Bot, UDP Rat was also used in the attack.
The distributed njRATs are packed and obfuscated in various ways, and are the variant that uses “|'|'|” as the separator.
njRAT resides in the infected system and receives commands from the threat actor to perform various malicious acts. The threat actor used njRAT to create (drop) additional malware: UDP Rat; WebBrowserPassView, which collects and shows account credentials saved in various web browsers; and an Infostealer that siphons account credentials from the Chrome web browser.
UDP Rat is a DDoS Bot that supports UDP Flooding attacks and is the same type as the one covered in previous blog posts.
The UDP Rat malware used in the attacks is divided into two groups based on its PDB information.
- PDB Info 1: D:\wkfy\Machos Sharing2\Machos Sharing2[Data] Special\Rare Source[USER] UDP botnet src\layer4botnet ourse\Client\x64\Debug\Client.pdb
- PDB Info 2: C:\Users\jk\Desktop[USER] UDP botnet src\layer4botnet sourse\Client\x64\Debug\Client.pdb
Instead of the latest version of WebBrowserPassView, an older version that supports the “/stext” argument was used. Unlike the latest version, which only shows the extracted account information in its GUI, the older version with the “/stext” argument can be run from the command line without the user noticing and writes the collected account credentials to a file. The threat actor can then exfiltrate that file using the RAT malware. For this reason, the older version of WebBrowserPassView is used by various malware families, including HawkEye.
Alongside WebBrowserPassView, the operator also distributed another account-stealing malware. This malware collects only the account credentials saved in the Chrome web browser, and the collected credentials are exfiltrated via Discord.
If the Chrome web browser is running, the malware force-closes it, locates the account credentials saved in Chrome's settings file, and decrypts them. It then exfiltrates the data through a Discord WebHook. The WebHook API lets anyone holding the WebHook URL post data and notifications to a specific Discord server, so the malware sends a POST request to the WebHook URL listed in the IOC section below with the compressed file of the stolen information attached, and the attacker receives the stolen information and a notification in the Discord server.
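The WebHook exfiltration path is easy to spot at the network edge because the endpoint shape is fixed. The following is an added Python example (not from the original post and not the stealer's code) that scans outbound HTTP proxy log lines for POSTs to Discord WebHook URLs, records whether the request was a multipart file upload like the stealer's, and masks the WebHook token so the finding can be shared. The seven-field log format and every log line are constructed for the example; the regular expression covers discord.com, discordapp.com and the canary/ptb hosts.

```python
"""Added example: spot Discord WebHook uploads in outbound HTTP proxy logs.
The log format below (timestamp, client IP, method, URL, status, content type,
request bytes) is a constructed one; map your proxy's fields onto it."""
import re
from dataclasses import dataclass
from typing import List

# Matches any Discord WebHook endpoint (discord.com, discordapp.com, canary/ptb hosts).
WEBHOOK_RE = re.compile(
    r"https?://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/(?P<id>\d+)/(?P<token>[A-Za-z0-9_\-]+)",
    re.IGNORECASE,
)


@dataclass
class WebhookFinding:
    timestamp: str
    client: str
    webhook_id: str
    masked_url: str      # token removed so the finding can be shared safely
    request_bytes: int
    file_upload: bool    # multipart/form-data, i.e. a file attachment as in the stealer


def find_webhook_exfil(lines: List[str]) -> List[WebhookFinding]:
    """Return one finding per POST to a Discord WebHook URL."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 7:
            continue                      # does not match the constructed format: skip
        ts, client, method, url, _status, ctype, size = fields
        match = WEBHOOK_RE.search(url)
        if method.upper() != "POST" or match is None:
            continue
        masked = url[: match.start("token")] + "<token-redacted>"
        findings.append(WebhookFinding(
            timestamp=ts,
            client=client,
            webhook_id=match.group("id"),
            masked_url=masked,
            request_bytes=int(size),
            file_upload=ctype.lower().startswith("multipart/form-data"),
        ))
    return findings


# Constructed proxy log: normal Discord web use, one multipart WebHook upload,
# an unrelated POST, and a JSON-only WebHook POST via the legacy domain.
SAMPLE_PROXY_LOG = [
    "2022-11-04T10:12:31Z 10.0.0.5 GET https://discord.com/channels/@me 200 text/html 5120",
    "2022-11-04T10:12:33Z 10.0.0.5 POST https://discord.com/api/webhooks/111111111111111111/AbCdEf-ghijk_LMNOP 204 multipart/form-data 48213",
    "2022-11-04T10:12:40Z 10.0.0.7 POST https://example.invalid/api/upload 200 application/json 300",
    "2022-11-04T10:13:02Z 10.0.0.5 POST https://discordapp.com/api/webhooks/222222222222222222/zzzz 204 application/json 210",
]

if __name__ == "__main__":
    for f in find_webhook_exfil(SAMPLE_PROXY_LOG):
        kind = "file upload" if f.file_upload else "message"
        print(f"{f.timestamp} {f.client} -> webhook {f.webhook_id} ({kind}, {f.request_bytes} bytes) {f.masked_url}")
```

A blocklist of the single WebHook URL from the IOC section only catches this sample; the pattern match catches any WebHook, and the multipart flag separates bulk uploads from ordinary chat-bot notifications so the noise stays manageable in an environment where Discord is otherwise allowed.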
HackHound IRC Bot
Lastly, the HackHound IRC Bot is the malware that njRAT created (dropped) on the system. It uses the IRC protocol to communicate with its C&C server and executes the commands sent by the threat actor. Aside from basic features such as downloading or updating additional malware, the HackHound IRC Bot mainly supports DDoS attack features, as listed below.
- File download
- DDoS attack
  - 3.1. UDP Flood
  - 3.2. HTTP Get Flood
  - 3.3. HTTP POST Flood
  - 3.4. ConDis Flood
  - 3.5. HTTP Torhammer Flood
  - 3.6. HTTP Hulk Flood
When the HH IRC Bot runs for the first time, it reads the settings data stored in its resources and initializes itself from them. The first item is the address of the IRC server that acts as the C&C server, followed by the C&C server's port number and the channel name. The “test” string in the settings is the name of the Run key value that makes the bot run again after a reboot, and “test.exe” is the filename the bot renames itself to when it copies itself to the %APPDATA% path on first execution.
Although the C&C server is currently unreachable, once connected the HH IRC Bot could execute the commands sent by the threat actor, such as downloading, updating, and performing DDoS attacks. The implemented DDoS attack routines match those described in the hacking forum. For reference, most of the DDoS attacks, including Tor's Hammer and Hulk, are well known, and “ConDis” likely stands for Connection/Disconnection, a DDoS attack that repeatedly connects to and disconnects from the target.
As this malware is being actively distributed via Korean file-sharing websites such as webhards, users should be cautious when running executables downloaded from a file-sharing website, and are advised to download programs from the official websites.
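Two host-side artifacts described above are simple to check for: the older WebBrowserPassView build being launched with “/stext” to dump credentials to a file, and the HH IRC Bot's persistence, a Run value (named “test” in the analysed sample) that launches a copy of the bot placed directly in %APPDATA% (“test.exe”). The following is an added Python example (not code from the original post) that applies both checks to constructed Run-key entries and process command lines; a real collector would feed it registry Run values and process-creation events. The %APPDATA% mapping, the user name victim and all entries are constructed, and the generalisation that any Run value pointing at an executable sitting directly in %APPDATA% deserves a look goes beyond the single sample the post describes.

```python
"""Added example: host-artifact checks for the behaviours described in the post.
All inputs are constructed samples; no registry or process access is performed."""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed environment for expanding %VAR% tokens offline (assumption: one user profile).
CONSTRUCTED_ENV: Dict[str, str] = {
    "APPDATA": r"C:\Users\victim\AppData\Roaming",
    "windir": r"C:\Windows",
}


def expand_windows_env(value: str, env: Dict[str, str]) -> str:
    """Expand %NAME% tokens case-insensitively from the mapping; unknown names are kept."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def executable_path(command: str) -> str:
    """Return the program part of a Windows command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def flag_run_entries(entries: List[Tuple[str, str]], env: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Flag Run-key values whose target sits directly in %APPDATA% or that reuse the
    "test"/"test.exe" names from the analysed HH IRC Bot settings."""
    appdata = ntpath.normcase(env["APPDATA"])
    findings = []
    for name, command in entries:
        exe = ntpath.normcase(expand_windows_env(executable_path(command), env))
        reasons = []
        if ntpath.dirname(exe) == appdata:
            reasons.append("executable placed directly in %APPDATA%")
        if name.lower() == "test" or ntpath.basename(exe) == "test.exe":
            reasons.append('uses the "test"/"test.exe" names from the HH IRC Bot settings')
        if reasons:
            findings.append((name, exe, reasons))
    return findings


def flag_credential_dumper_cmdlines(cmdlines: List[str]) -> List[Tuple[str, bool]]:
    """Flag command lines that run WebBrowserPassView by name, or any process using the
    headless /stext switch that writes recovered credentials to a file (catches renames)."""
    findings = []
    for cmd in cmdlines:
        exe = ntpath.basename(ntpath.normcase(executable_path(cmd)))
        headless = "/stext" in cmd.lower().split()
        if exe == "webbrowserpassview.exe" or headless:
            findings.append((cmd, headless))
    return findings


# Constructed Run values: two benign, one matching the sample, one generic %APPDATA% launcher.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("test", r'"C:\Users\victim\AppData\Roaming\test.exe"'),
    ("Updater", r"%APPDATA%\svchost.exe -silent"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Constructed process command lines: a browser, a renamed tool using /stext, the tool by name.
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url https://example.invalid',
    r"C:\Users\victim\AppData\Local\Temp\wbpv.exe /stext C:\Users\victim\AppData\Local\Temp\out.txt",
    r'"C:\Users\victim\Downloads\WebBrowserPassView.exe"',
]

if __name__ == "__main__":
    for name, exe, reasons in flag_run_entries(SAMPLE_RUN_ENTRIES, CONSTRUCTED_ENV):
        print(f"Run value {name!r} -> {exe}: {'; '.join(reasons)}")
    for cmd, headless in flag_credential_dumper_cmdlines(SAMPLE_CMDLINES):
        print(f"{'headless /stext dump' if headless else 'WebBrowserPassView run'}: {cmd}")
```

On a live host the Run values come from HKCU and HKLM ...\CurrentVersion\Run and the command lines from process-creation telemetry; both checks are deliberately name-agnostic except for the sample-specific “test” strings, since the settings block the bot reads from its resources can be changed per build.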
File Detection
– Trojan/Win.Korat.C5290614 (2022.11.04.00)
– Backdoor/Win.NjRat.C5290641 (2022.11.04.01)
– Backdoor/Win.NJRat.C5290642 (2022.11.04.01)
– Backdoor/Win.NJRat.C5290643 (2022.11.04.01)
– Trojan/Win.Wacatac.C5290069 (2022.11.02.03)
– Infostealer/Win.Agent.C5290619 (2022.11.04.00)
– HackTool/Win.WebBrowserPassView.R347116 (2021.06.06.01)
– Backdoor/Win.UDPRat.R532714 (2022.11.04.00)
– Backdoor/Win.UDPRat.R532715 (2022.11.04.00)
– Trojan/Win.Bladabindi.C5290462 (2022.11.03.02)
– Backdoor/Win.IRCBot.C5290616 (2022.11.04.00)
– Trojan/Win.Bladabindi.C5290466 (2022.11.03.02)
– Trojan/Win.Agent.C5290070 (2022.11.02.03)
– Trojan/Win.Generic.R452668 (2021.11.24.01)
MD5
– 1287b9c05c8f73fcdbe5620e5717fe75 : njRAT (Distributed by being uploaded to webhards)
– a1c8e2bebae1afbe0726060defe38601 : njRAT (Distributed by being uploaded to webhards)
– 10d33eb390e6d81e805f4b38daa4db40 : njRAT (Distributed by being uploaded to webhards)
– ffb201e6d38beabb33adddba8dccfc5a : njRAT
– 2d05a3c8a38fc57494bf765a4715cede : njRAT
– 21f40d9efa89374a8cabbe85076d0b17 : Stealer
– 053778713819beab3df309df472787cd : WebBrowserPassView
– 8fb255cf2bbc51c90478b81f2e3ce058 : UDP Rat
– 37694d53979faf4b74328736d559f831 : UDP Rat
– 1098c0adc0749c09edef3ed2d3b287cb : UDP Rat
– 00c4c68847196cd4c48c67fd1f8156cd : UDP Rat
– c6018d13e5f72dde859ffc77f175502a : UDP Rat
– 17f1e7ea6fb9bed97c16cbd2746ca3ff : UDP Rat
– d092702766c11b2d021ec1d448772dd2 : UDP Rat
– 33134892bc0db2246b3ae2e23f3d0102 : HackHound IRC Bot
– ed60830ce5bd7ba29d6f50a927a7d80b : HackHound IRC Bot
– 12ed54ef87ef751cecb27534edf66682 : HackHound IRC Bot
– 674360905cbf8a1817c6a5767e468526 : HackHound IRC Bot
– 035f90ca20ece063578e4df9c6f23ff4 : HackHound IRC Bot
C&C and Download URL
– minho128.kro[.]kr:1 – njRAT
– minho128.kro[.]kr:80 – UDP Rat
– minho128.kro[.]kr:443 – njRAT, UDP Rat
– minho128.kro[.]kr:4433 – UDP Rat
– minho128.kro[.]kr:7860 – UDP Rat
– minho128.kro[.]kr:6667 – HackHound IRC Bot
– hxxps://discord[.]com/api/webhooks/984735992755933194/zG_rKOa35RSplPSCDeMstvwHH55yLuVLJpSjVIpNIUEwElCHcEuR_jym9Z6oevDhtuG- – Stealer