ESET discovers a backdoor targeting torrent users: how to stay safe

International antivirus company ESET has detected malicious activity directed at users of South Korean and Chinese torrent sites.

The attackers distribute the GoBot2/GoBotKR backdoor disguised as pirated copies of movies, games and TV shows.

The GoBotKR malware is a modified version of the GoBot2 backdoor, whose source code has been publicly available since March 2017. The infection works as follows: the user downloads a torrent of a movie or TV series and finds a set of innocuous-looking files in it, including files with the PMA extension (presented as a “codec installer”), MP4 files and LNK shortcuts.


“Attackers are trying to deceive users by ‘launching’ torrents with malicious programs with the names of familiar files, extensions and shortcuts,” said ESET expert Zuzana Hromcová.

The malware is launched when the user opens the LNK file. Once GoBotKR is installed, it begins collecting system information: network configuration, operating system, processor and installed anti-virus products. This information is sent to a command-and-control (C&C) server located in South Korea.

“The information sent to the C&C server helps attackers to determine which computers are suitable for future attacks,” said Zuzana Hromcová.

The backdoor supports a diverse set of commands: seeding torrents via BitTorrent and uTorrent, taking part in DDoS attacks, changing the desktop background, copying the backdoor to cloud storage folders (Dropbox, OneDrive, Google Drive) or to removable media, running a proxy or HTTP server, changing firewall settings, enabling or disabling Task Manager, and more.

  • Backdoor is a method, often secret, of bypassing normal authentication or encryption in a computer system, a product, or an embedded device.

ESET experts believe that the main purpose of attackers is to unite the infected computers into a botnet to carry out DDoS attacks.

The malware campaign is aimed mainly at South Korea (80% of all backdoor infections), China (10%) and Taiwan (5%).

How to stay safe

  • If you suspect you might have fallen victim to this malware campaign, we recommend you scan your computer with a reliable security solution.
  • Pirated content distributed via torrent sites is a well-known vector for spreading all kinds of malware. To steer clear of similar attacks in the future, stick to official sources when downloading content.
  • Before launching downloaded files, pay attention to whether their extensions match the intended filetypes. To keep your computer protected, we advise you to patch regularly and use reputable security software.
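The third point above, checking that a downloaded file's extension matches what is actually inside it, can be automated. The following Python script is an added example written for this article; it is not ESET's or Gridinsoft's code and it does not reproduce the malware. It builds a constructed sample download folder (an MP4, a subtitle file, a file with a PMA extension carrying a Windows executable header, and an LNK shortcut named like a movie file) and reports any file whose content is a shortcut or executable, whose content does not match its extension, or which carries a double extension such as `.mp4.lnk`. The magic-byte signatures come from the public LNK, PE and MP4 format specifications; the file names and the decision to treat PMA content as executable are assumptions made for the sample.

```python
"""Flag files in a download folder whose content does not match their extension.

Added example for this article (not ESET's or Gridinsoft's code). The sample
download folder it scans is constructed inline so the script runs offline.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Magic bytes from the public format specifications:
#   LNK: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046
#   PE : "MZ" DOS stub at offset 0
#   MP4: "ftyp" box type at offset 4
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PE_HEADER = b"MZ"

# What a user expects a media download to contain, and what it should not.
MEDIA_EXTENSIONS = {".mp4", ".mkv", ".avi", ".srt", ".jpg", ".png"}
EXECUTABLE_EXTENSIONS = {".exe", ".lnk", ".scr", ".bat", ".cmd", ".js", ".vbs"}


def detect_type(head: bytes) -> str:
    """Identify the real content type from the first bytes of a file."""
    if head.startswith(LNK_HEADER):
        return "lnk"
    if head.startswith(PE_HEADER):
        return "pe"
    if len(head) >= 8 and head[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def classify(path: Path) -> list[str]:
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    with path.open("rb") as fh:
        actual = detect_type(fh.read(64))

    # 1. A shortcut or executable has no business inside a movie/series download.
    if ext in EXECUTABLE_EXTENSIONS or actual in ("lnk", "pe"):
        findings.append(f"executable content (extension {ext or 'none'}, content {actual})")
    # 2. The extension promises media but the bytes say otherwise.
    if ext in MEDIA_EXTENSIONS and actual in ("lnk", "pe"):
        findings.append(f"extension {ext} does not match content {actual}")
    # 3. Double extension such as Movie.mp4.lnk, used to look like a media file.
    if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        findings.append("double extension " + "".join(suffixes[-2:]))
    return findings


def scan_folder(folder: Path) -> dict[str, list[str]]:
    """Scan every file under folder and map file name -> findings (only flagged files)."""
    report: dict[str, list[str]] = {}
    for p in sorted(folder.rglob("*")):
        if p.is_file():
            found = classify(p)
            if found:
                report[p.name] = found
    return report


def build_sample_download(folder: Path) -> None:
    """Create a constructed sample folder imitating the lure described in the article."""
    # Genuine-looking MP4: size box + ftyp box with the "isom" brand, then padding.
    (folder / "Movie.2019.mp4").write_bytes(b"\x00\x00\x00\x18ftypisom" + b"\x00" * 56)
    # Plain subtitle text: harmless.
    (folder / "subtitles.srt").write_text("1\n00:00:01,000 --> 00:00:02,000\nHello\n")
    # Constructed "codec installer": PMA extension but a Windows executable header inside.
    (folder / "codec_installer.pma").write_bytes(PE_HEADER + b"\x90" * 62)
    # Shortcut named like the movie: real LNK header, double extension.
    (folder / "Movie.2019.mp4.lnk").write_bytes(LNK_HEADER + b"\x00" * 44)


def demo() -> dict[str, list[str]]:
    """Build the sample folder in a temp directory and return the scan report."""
    folder = Path(tempfile.mkdtemp(prefix="torrent_check_"))
    build_sample_download(folder)
    return scan_folder(folder)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for f in findings:
            print("   -", f)
```

Running the script prints only the two flagged files; the MP4 and subtitle file pass. The check is deliberately conservative: it looks at content, not just names, so renaming an executable to `.mp4` is caught by the magic-byte comparison, while the double-extension rule catches the LNK-named-as-movie trick described above even on systems that hide known extensions.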

About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
