5/6/2023
Bittorrent live api

ESET researchers have discovered a malicious campaign distributing a backdoor via torrents, with Korean TV content used as a lure.

Fans of Korean TV should be on the lookout for an ongoing campaign spreading malware via torrent sites, using South Korean movies and TV shows as a guise. The malware allows the attacker to connect the compromised computer to a botnet and control it remotely. It is a modified version of a publicly available backdoor named GoBot2; the modifications to the source code are mainly South Korea-specific evasion techniques, which are described in detail in this blogpost. Due to the campaign's clear focus on South Korea, we have dubbed this Win64/GoBot2 variant GoBotKR.

According to ESET telemetry, GoBotKR has been active since March 2018. The detections are in the hundreds, with South Korea being the most affected (80%), followed by China (10%) and Taiwan (5%).

GoBotKR has been spreading via South Korean and Chinese torrent sites, masquerading as Korean movies and TV shows, as well as some games.

The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions and icons. Our analysis shows that the torrents using a movie/TV show disguise generally contain the following types of files:

- the MP4 file with the expected video
- a malicious executable masked as a PMA archive file, with a filename mimicking various codec installers
- a malicious LNK file with a filename and icon mimicking the expected video file

Figure 1 shows examples of torrent contents from this malicious campaign.

Figure 1. Contents of some torrents delivering the malware (the MP4 video is not displayed on the second screenshot); the malware is executed by an LNK file with a deceptive filename and icon.

Directly opening the intended MP4 file will not result in any malicious action. The catch is that the MP4 file is often placed in a different directory, so users are likely to encounter the malicious LNK file mimicking it first. Further increasing the chance of users falling for the lure is the fact that the .lnk extension is normally not displayed in Windows Explorer (shortcut files carry the NeverShowExt flag in the registry, so the extension stays hidden even when "Hide extensions for known file types" is turned off), as seen in the second screenshot in Figure 1, in the file with the Korean name.

Clicking the deceptive LNK file executes the malware. However, it also opens the intended file (in this case the video), giving victims little reason to suspect that something has gone wrong. Renaming the malicious EXE file to a PMA file is likely also done to avoid raising the suspicion of potential victims; the file is still a PE executable, only its extension has changed.

During our investigation, we have seen the following filenames being used for the malicious executables: starcodec.pma, WedCodec.pma and Codec.pma (movie/TV show disguise) and leak.dll (game disguise). The name "starcodec" mimics the legitimate Korean codec pack Starcodec.

We have also seen this technique using games as a lure, with filenames and extensions relevant to gaming.
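The two lures described above, a PE executable renamed to a non-executable extension such as .pma and a shortcut named like the video that launches it, can both be triaged from file contents rather than filenames. The following script is an added example written for this page, not ESET's tooling or anything from the campaign: it checks every file for a real PE header regardless of extension, validates the MS-SHLLINK header of each .lnk, and pulls ASCII/UTF-16LE strings out of the shortcut to see whether its target or arguments reference one of the disguised executables. The filename starcodec.pma comes from the article; the sample directory layout, the Drama.E01.mp4 name and the command line embedded in the shortcut are constructed stand-ins (not real samples), and the string extraction is a heuristic rather than a full ShellLink parse.

```python
"""Heuristic triage of a torrent payload directory for renamed PE files and
media-lookalike .lnk shortcuts.  Example code added for illustration; not
ESET's tooling.  Standard library only."""
import os
import re
import struct
from dataclasses import dataclass

# Shell link header (MS-SHLLINK 2.1): HeaderSize 0x4C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
MEDIA_EXT = {".mp4", ".mkv", ".avi", ".wmv", ".mov", ".smi", ".srt"}
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".cpl"}


@dataclass
class Finding:
    name: str
    reason: str


def is_pe(data: bytes) -> bool:
    """True if the bytes carry a well-formed PE header, whatever the extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII and UTF-16LE runs; enough to see a shortcut's target and arguments."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16-le") for s in utf16_runs]


def ext_of(name: str) -> str:
    return os.path.splitext(name.lower())[1]


def scan(files: dict[str, bytes]) -> list[Finding]:
    """files maps relative path -> content.  Returns suspicious entries with the reason."""
    findings: list[Finding] = []
    masked_pe: set[str] = set()
    # Pass 1: executables hiding behind a non-executable extension (e.g. starcodec.pma).
    for name, data in files.items():
        ext = ext_of(name)
        if is_pe(data) and ext not in EXEC_EXT:
            masked_pe.add(name.lower())
            findings.append(Finding(name, f"PE image with non-executable extension {ext!r}"))
    # Pass 2: shortcuts that look like media files or point at a masked executable.
    for name, data in files.items():
        if ext_of(name) != ".lnk" or not data.startswith(LNK_MAGIC):
            continue
        stem = name[:-4]  # what Explorer shows once the hidden .lnk is dropped
        strings = " ".join(extract_strings(data)).lower()
        referenced = [p for p in masked_pe if os.path.basename(p) in strings]
        if ext_of(stem) in MEDIA_EXT:
            findings.append(Finding(name, f"shortcut named like a media file ({stem.lower()})"))
        if referenced:
            findings.append(Finding(name, f"shortcut references disguised executable {referenced}"))
    return findings


def build_sample() -> dict[str, bytes]:
    """Constructed stand-ins for the torrent layout described in the article; not real malware."""
    pe = bytearray(0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)      # e_lfanew -> PE signature
    pe[0x80:0x84] = b"PE\x00\x00"
    lnk = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))   # rest of a header with no flags set
    # Hypothetical argument string: run the renamed executable, then open the real video.
    lnk += '/c start "" starcodec.pma & start "" video\\Drama.E01.mp4'.encode("utf-16-le")
    return {
        "Drama.E01.mp4.lnk": lnk,
        "starcodec.pma": bytes(pe),
        "video/Drama.E01.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32,
    }


if __name__ == "__main__":
    for f in scan(build_sample()):
        print(f"{f.name}: {f.reason}")
```

Running it against the constructed sample flags starcodec.pma as a PE image with a .pma extension and the shortcut twice, once for its media-style name and once for referencing the disguised executable, while the genuine MP4 produces nothing. On a real torrent, feed `scan` a mapping built from `os.walk`; the PE check is what catches the renamed binary even when the filename looks like a codec or archive.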