International antivirus company ESET has detected malicious activity directed at users of South Korean and Chinese torrent sites.
The attackers distribute the GoBot2/GoBotKR backdoor disguised as pirated copies of movies, games and TV shows. GoBotKR is a modified version of the GoBot2 backdoor, whose source code has been publicly available since March 2017. Infection works as follows: the user downloads a torrent for a movie or series and finds a set of seemingly harmless files, including a file with a PMA extension (presented as a “codec installer”), an MP4 file and an LNK shortcut.
“Attackers are trying to deceive users by ‘launching’ torrents with malicious programs with the names of familiar files, extensions and shortcuts,” said ESET expert Zuzana Hromcová.
The malware is launched when the user opens the LNK file. Once installed, GoBotKR begins collecting system information: network configuration, operating system, processor and installed antivirus programs. This information is sent to a command-and-control (C&C) server located in South Korea.
“The information sent to the C&C server helps attackers to determine which computers are suitable for future attacks,” said Zuzana Hromcová.
The backdoor supports a diverse set of commands: distributing torrents via BitTorrent and uTorrent, conducting DDoS attacks, changing the desktop background, copying itself to cloud storage folders (Dropbox, OneDrive, Google Drive) or to removable media, running a proxy or HTTP server, changing firewall settings, enabling or disabling Task Manager, and more.
- A backdoor is a method, often covert, of bypassing normal authentication or encryption in a computer system, product or embedded device.
ESET experts believe that the attackers' main goal is to recruit the infected computers into a botnet for carrying out DDoS attacks.
The campaign mainly targets South Korea (80% of all backdoor infections), China (10%) and Taiwan (5%).
How to stay safe
- If you suspect you might have fallen victim to this malware campaign, we recommend you scan your computer with a reliable security solution.
- Pirated content distributed via torrent sites is a well-known vector for spreading all kinds of malware. To steer clear of similar attacks in the future, stick to official sources when downloading content.
- Before launching downloaded files, pay attention to whether their extensions match the intended filetypes. To keep your computer protected, we advise you to patch regularly and use reputable security software.
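The extension check in the last point can be automated. The Python script below is an added example, not code from ESET or from the report above: it audits a download folder and flags the three patterns the article describes, a Windows shortcut (.lnk) sitting among media files, executable (PE) content behind a non-executable extension such as the PMA “codec installer”, and a double extension such as name.mp4.scr. It relies on file content rather than the displayed name, because Windows Explorer never shows the .lnk suffix, so a shortcut named Episode01.mp4.lnk is listed simply as Episode01.mp4. The signature table, the sample folder layout and all file names are constructed for the demonstration and are not indicators from the campaign.

```python
import tempfile
from pathlib import Path
from typing import List, Tuple

# Constructed signature table: what the leading bytes say the file really is.
# .lnk files start with a 4-byte header size (0x4C) followed by the ShellLink CLSID.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PE_HEADER = b"MZ"  # DOS stub that every Windows executable begins with
MEDIA_EXTENSIONS = {".mp4", ".mkv", ".avi", ".mp3"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll"}


def sniff_type(head: bytes) -> str:
    """Classify a file from its first bytes; 'unknown' means no signature matched."""
    if head.startswith(LNK_HEADER):
        return "lnk"
    if head.startswith(PE_HEADER):
        return "exe"
    if len(head) >= 12 and head[4:8] == b"ftyp":  # ISO base media (MP4) box header
        return "mp4"
    return "unknown"


def audit_download(root: str) -> List[Tuple[str, str]]:
    """Walk a download folder and return (relative path, reason) for suspicious files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        suffixes = [s.lower() for s in path.suffixes]
        ext = suffixes[-1] if suffixes else ""
        with open(path, "rb") as f:
            kind = sniff_type(f.read(64))
        rel = str(path.relative_to(root))
        if ext == ".lnk" or kind == "lnk":
            # A shortcut has no place in a media download; it is the launcher in this campaign.
            findings.append((rel, "Windows shortcut in a media download"))
        elif kind == "exe" and ext not in EXECUTABLE_EXTENSIONS:
            findings.append((rel, "executable content behind a non-executable extension"))
        elif len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTENSIONS:
            findings.append((rel, "double extension hides the real file type"))
    return findings


def build_sample_download(root: str) -> None:
    """Constructed sample layout (not from the ESET report) mimicking a booby-trapped torrent."""
    files = {
        "Episode01.mp4": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 32,  # genuine MP4 header
        "Episode01.mp4.lnk": LNK_HEADER + b"\x00" * 32,              # shortcut named like the video
        "codec-installer.pma": b"MZ\x90\x00" + b"\x00" * 32,         # PE content, odd extension
        "readme.txt": b"just text\n",                                 # harmless, should not be flagged
    }
    for name, data in files.items():
        (Path(root) / name).write_bytes(data)


def run_demo() -> List[Tuple[str, str]]:
    """Create the constructed sample folder in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    build_sample_download(root)
    return audit_download(root)


if __name__ == "__main__":
    for rel_path, reason in run_demo():
        print(f"{rel_path}: {reason}")
```

On the sample folder the audit reports the shortcut and the PMA file and stays silent on the real MP4 and the text file. The content check is deliberately coarse: a signature miss is reported as "unknown" rather than "safe", so the script is a first filter for a download folder, not a replacement for the security software the article recommends.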