International antivirus company ESET has detected malicious activity directed at users of South Korean and Chinese torrent sites.
The attackers distribute the GoBot2/GoBotKR backdoor disguised as pirated copies of movies, games and TV shows. GoBotKR is a modified version of the GoBot2 backdoor, whose source code has been publicly available since March 2017. The infection works as follows: the user downloads a torrent of a movie or series and finds, alongside it, a set of seemingly innocuous programs and files, including files with a PMA extension (presented as an “installer for codec”), MP4 files and LNK shortcuts.
“Attackers are trying to deceive users by ‘launching’ torrents with malicious programs with the names of familiar files, extensions and shortcuts,” said ESET expert Zuzana Hromcová.
The malware is launched when the user opens the LNK file. Once GoBotKR is installed, it begins collecting system information: network configuration, operating system, processor and installed antivirus products. This information is sent to a command-and-control (C&C) server located in South Korea.
“The information sent to the C&C server helps attackers to determine which computers are suitable for future attacks,” said Zuzana Hromcová.
The backdoor supports a diverse set of commands: distributing torrents via BitTorrent and uTorrent, taking part in DDoS attacks, changing the desktop background, copying itself to cloud storage folders (Dropbox, OneDrive, Google Drive) or to removable media, running a proxy or HTTP server, changing firewall settings, enabling or disabling Task Manager, and more.
- A backdoor is a method, often secret, of bypassing normal authentication or encryption in a computer system, product or embedded device.
ESET experts believe that the main purpose of attackers is to unite the infected computers into a botnet to carry out DDoS attacks.
The campaign mainly targets South Korea (80% of all backdoor infections), China (10%) and Taiwan (5%).
How to stay safe
- If you suspect you might have fallen victim to this malware campaign, we recommend you scan your computer with a reliable security solution.
- Pirated content distributed via torrent sites is a well-known vector for spreading all kinds of malware. To steer clear of similar attacks in the future, stick to official sources when downloading content.
- Before launching downloaded files, check whether their extensions match the intended file types. To keep your computer protected, we advise you to patch regularly and use reputable security software.
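As an added example (not ESET's code or anything from the article), a small Python scanner that applies the last point above to a downloaded torrent folder: it compares each file's header against its extension and flags LNK shortcuts hiding behind media-file names as well as the “.pma” “codec installer” files this campaign used. The header constants come from the public LNK and MP4 file formats, and SAMPLE is a constructed folder listing.

```python
import os
from typing import Dict, List

# Constants from the public LNK (MS-SHLLINK) and MP4 formats, not from the article.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"  # ShellLinkHeader.HeaderSize is always 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
MEDIA_EXTENSIONS = {".mp4", ".mkv", ".avi", ".mp3", ".wmv"}


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a Windows shell-link (LNK) header."""
    return data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def is_mp4(data: bytes) -> bool:
    """True if the bytes look like an ISO base-media (MP4) file: an 'ftyp' box at offset 4."""
    return len(data) >= 8 and data[4:8] == b"ftyp"


def classify(name: str, data: bytes) -> List[str]:
    """Return the findings for one downloaded file; an empty list means nothing suspicious."""
    findings = []
    stem, ext = os.path.splitext(name)
    ext, inner_ext = ext.lower(), os.path.splitext(stem)[1].lower()
    if is_lnk(data):
        findings.append("Windows shortcut (LNK)")
        # Explorer hides .lnk even when extensions are shown, so "Episode01.mp4.lnk" displays as "Episode01.mp4"
        if inner_ext in MEDIA_EXTENSIONS or ext != ".lnk":
            findings.append("shortcut disguised as media file")
    elif ext == ".mp4" and not is_mp4(data):
        findings.append("extension says MP4 but content is not an MP4 container")
    if ext == ".pma":
        findings.append("'.pma' codec installer is not a media format")
    return findings


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every file (name -> leading bytes) and keep only those with findings."""
    report = {}
    for name, data in files.items():
        findings = classify(name, data)
        if findings:
            report[name] = findings
    return report


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Read the first 64 bytes of each file under path (enough for the header checks) and scan them."""
    files = {}
    for root, _, names in os.walk(path):
        for name in names:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, path)] = fh.read(64)
    return scan_files(files)


# Constructed sample: what a booby-trapped torrent folder like the one described might contain.
SAMPLE = {
    "Episode01.mp4": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 24,        # genuine MP4 header
    "Episode01.mp4.lnk": LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 44,   # shortcut posing as the episode
    "Codec_Installer.pma": b"MZ\x90\x00" + b"\x00" * 60,                # "codec installer" bait
    "Readme.txt": b"Enjoy the show!\n",
}

if __name__ == "__main__":
    for name, findings in scan_files(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```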