Malicious Torrent GoBotKR Targets South Korean TV
ESET researchers have detected an ongoing malicious campaign that distributes backdoored torrents using Korean TV content, and sometimes games, as bait. The backdoor is spread through torrent sites in South Korea and China. The malware allows the attacker to connect a compromised computer to a botnet and control it remotely.
The malware concerned is a modified version of a publicly available backdoor named GoBot2; the modifications to the source code are mainly South Korea-specific evasion techniques. Due to the campaign’s clear focus on South Korea, ESET has dubbed this Win64/GoBot2 variant GoBotKR. With 80% of all detections, South Korea is the most affected country, followed by China (10%) and Taiwan (5%). According to ESET telemetry, GoBotKR has been active since 2018.
“The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions, and icons,” says ESET researcher Zuzana Hromcova, who analyzed the malware. “Directly opening the intended MP4 file will not result in any malicious action. The catch here is that the MP4 file is often hidden in a different directory, and users might first encounter the malicious file mimicking it.”
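The lure described above can be checked for before anything in a downloaded torrent is opened. The following is an added example, not code from ESET or from the article: it walks the extracted torrent directory and flags files that advertise a media name but end in an executable extension or carry a Windows PE header, while listing where the genuine media files actually sit. The extension lists and the sample directory layout are assumptions.

```python
import os
import tempfile

# Extensions a torrent of TV episodes would legitimately contain (assumed list)
MEDIA_EXTS = {".mp4", ".avi", ".mkv", ".mov", ".wmv"}
# Extensions Windows executes regardless of the icon it displays (assumed list)
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def looks_like_media(name):
    """True if any dotted component after the base name suggests a media file,
    so 'Episode01.mp4.exe' counts as well as 'Episode01.mp4'."""
    parts = name.lower().split(".")
    return any("." + p in MEDIA_EXTS for p in parts[1:])


def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_masquerading_files(root):
    """Return (suspicious, genuine_media) for the tree below root.
    A file is suspicious when its name advertises media but its final
    extension is executable or its content is a PE image (renamed binary)."""
    suspicious, genuine = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            final_ext = os.path.splitext(name)[1].lower()
            if looks_like_media(name) and (final_ext in EXEC_EXTS or is_pe(path)):
                suspicious.append(os.path.relpath(path, root))
            elif final_ext in MEDIA_EXTS and not is_pe(path):
                genuine.append(os.path.relpath(path, root))
    return sorted(suspicious), sorted(genuine)


def build_sample_tree():
    """Constructed layout mimicking the lure: a decoy with a double extension at
    the top level, the real MP4 hidden one directory down."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Episode01"))
    with open(os.path.join(root, "Episode01.mp4.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)            # fake DOS/PE header, constructed
    with open(os.path.join(root, "Episode01", "Episode01.mp4"), "wb") as fh:
        fh.write(b"\x00\x00\x00\x18ftypmp42")     # MP4 'ftyp' box, constructed
    return root
```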
The malware is technically not very sophisticated. However, the actors behind GoBotKR are building a network of bots capable of carrying out DDoS attacks of various kinds. To that end, after execution GoBotKR first collects a list of the antivirus software installed on the compromised computer, along with other system information: network configuration, operating system version, and CPU and GPU details.
Hromcova further elaborates, “This information is sent to a C&C server, which helps the attackers determine which bots should be used in the respective attacks. All C&C servers that we extracted from the analyzed malware samples are hosted in South Korea and registered by the same person.”
The bot’s supported commands let the operators misuse compromised computers, control and extend the botnet, and avoid detection. Among other things, the commands can be used to launch DDoS attacks against specific targets, copy the malware to connected removable media or to the public folders of cloud storage services (Dropbox, OneDrive, Google Drive), and create further malicious torrents to grow the botnet.
The most interesting aspect of GoBotKR is its set of evasion techniques, which have been extended with South Korea-specific checks. In particular, the malware scans the processes running on the compromised system to detect certain antivirus products, including those of South Korean security companies. If such a product is detected, the malware terminates itself. Another evasion method detects system analysis tools, including tools from the same South Korean security company. In the third evasion method, the attackers abuse a legitimate South Korean online platform to determine the victim’s IP address. “In general, we are seeing changes that allow hackers to adapt their malicious programs to a specific audience, as they are making extra efforts not to be detected in their campaigns.”