AhnLab’s Security Emergency-response Center (ASEC) researchers reported that, “A GoLang-programmed IRC (Internet Relay Chat) bot strain is being used to launch distributed denial-of-service (DDoS) attacks against users in Korea. The malware is being distributed under the guise of adult games. In addition, the DDoS malware was installed using a downloader and a UDP RAT.”
Webhards, file-sharing platforms popular in Korea, are a common malware distribution channel: njRAT and UDP Rat were previously distributed through them, and they are now being used to spread UDP Rat again. One difference is that the earlier downloader malware was written in C#, whereas the current one is written in GoLang. Alongside UDP Rat, the open-source Simple-IRC-Botnet (a DDoS IRC bot written in GoLang) was also used.
The adult games used in the attacks carry the following path names, meaning they were distributed as compressed archives with these names:
– [19 Korean version] Naughty Mage’s EXXXXX Life
– [19 Korean version] The Reason She Became a Slave
– [19 Korean version] Refraining of Heavenly Walk
– [19 Korean version] Exchange Diary of Violation
– [19 Korean version] Girl From Tea Ceremony Club
– [19 Korean version] Curse of Lilia
– [19 Korean version] Academy with Magical Girls
– [19 Korean version] Monster Fight
– [19 Korean version] Dreamy Lilium
– [19 Korean version] Enraged Department Manager
– [19 Korean version] Fancy Days of Sayuri
– [19 Korean version] Sleif Corporation
– [19 Korean version] Country Girl Exposure
– [19 Korean version] Sylvia and Master of Medicine
– [19 Korean version] Assassin Asca
– [19 Korean version] How to Reform Your Girlfriend
– [19 Korean version] Creating Utopia with Subjugation Skill
– [19 Korean version] Uriel and Belial
– [19 Korean version] The Case of Chairperson Kana
– [19 Korean version] Princess Round
– [19 Korean version] Flora and the Root of the World Tree
– [19 Korean version] Midnight Exposure
– [19 Korean version] Modern Day Elf
– [19 Korean version] Research Data of Homunculus
The malware periodically contacts the C&C server, as shown below, to obtain the URL of the payload it then downloads and installs as additional malware:
- Download URL for additional malware: hxxp://node.kibot[.]pw:8880/links/01-13
- Creation path of downloaded malware: C:\Down\discord_[random characters]\[malware name]
The additional malware installed this way was the UDP Rat DDoS bot. In this case, however, the GoLang-written Simple-IRC-Botnet was installed as well.
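As an added illustration for defenders (not ASEC's code or part of the report), the following Python checks constructed DNS, network and file-creation events against the two indicators above: the defanged C&C URL and the described creation path. The event record shape, the regex rendering of the path pattern, and the sample values are this editor's assumptions.

```python
import re
from typing import Dict, List

# C&C URL exactly as published in the report (defanged).
DEFANGED_C2_URL = "hxxp://node.kibot[.]pw:8880/links/01-13"

# The report describes the drop path as
# C:\Down\discord_[random characters]\[malware name]; this regex is an
# assumed rendering of that description (alphanumeric random part).
DROP_PATH_RE = re.compile(r"^C:\\Down\\discord_[A-Za-z0-9]+\\[^\\]+$", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its matchable form."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


# Host part of the C&C URL, derived from the refanged indicator.
C2_HOST = refang(DEFANGED_C2_URL).split("://", 1)[1].split(":", 1)[0]


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that match an indicator, each tagged with a reason.

    Each event is a dict with 'type' ('dns', 'file' or 'net') and 'value'
    (queried name, created file path, or destination host:port). This record
    shape is constructed for the example, not a real log format.
    """
    hits = []
    for ev in events:
        kind, value = ev.get("type"), ev.get("value", "")
        if kind == "dns" and value.lower() == C2_HOST:
            hits.append({**ev, "reason": "C&C domain lookup"})
        elif kind == "net" and value.lower().startswith(C2_HOST + ":"):
            hits.append({**ev, "reason": "connection to C&C host"})
        elif kind == "file" and DROP_PATH_RE.match(value):
            hits.append({**ev, "reason": "downloader drop path"})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "dns", "value": "node.kibot.pw"},
    {"type": "net", "value": "node.kibot.pw:8880"},
    {"type": "file", "value": r"C:\Down\discord_x7f3q\update.exe"},
    {"type": "file", "value": r"C:\Users\alice\Downloads\game.zip"},
    {"type": "dns", "value": "update.microsoft.com"},
]

if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(h["reason"], "->", h["value"])
```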
According to the researchers, “GoLang’s low development difficulty and cross-platform support have made the programming language a popular choice for threat actors. Unlike UDP Rat, which could only support UDP Flooding attacks, it can also support Slowloris, Goldeneye, and Hulk DDoS.”
Simple-IRC-Botnet is also a type of DDoS bot malware, but it communicates with the C&C server over the IRC protocol.
The malware-laced games are uploaded to webhards (web hard drives, i.e. remote file-hosting services) as compressed ZIP archives. When opened, each archive contains an executable (“Game Open.exe”) that runs the malware payload in addition to launching the actual game.
Finally, the researchers concluded that, “The malware is being actively distributed via file sharing websites such as Korean webhards. As a result, exercise caution when dealing with executables obtained from a file-sharing website. It is recommended that users download products from the developers’ official websites.”
Indicators of Compromise
– Game Launcher
– UDP Rat
– Golang DDoS IRC Bot
– Downloader Malware
– UDP Rat