
GoBotKR

Posted: July 9, 2019

GoBotKR is a backdoor Trojan that reuses most of the functionality of the public GoBot2 source code. Although its threat actor focuses on DDoS activity, GoBotKR is capable of other attacks, including executing files or system commands without your consent, spreading itself through multiple mechanisms, and disabling security tools. Users should keep anti-malware products on hand for deleting GoBotKR and should scan any Korea-related torrents for its installer.

This Trojan's Going Korean

Attacks explicitly targeting South Korean users are using a new variant of a Trojan whose source code appeared on GitHub in 2017. GoBotKR is a direct derivative of GoBot2, a backdoor Trojan with botnet capabilities that connect infected computers into a controllable network for attacks such as Distributed Denial of Service (DDoS). Both the infection techniques of GoBotKR's campaign and its internal updates are unusually niche, with the threat actor showing some familiarity with South Korea's media and AV industry.

Although it also spreads through removable media like a worm, GoBotKR's primary infection strategy uses torrents. The threat actor seeds it alongside the actual content and tricks victims into opening a malicious LNK (shortcut) file packed inside the torrent. This shortcut points to the Trojan's installer, which is disguised as a codec package. Disguises for GoBotKR's torrents include Korean media, such as television shows and gaming content.
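The shortcut lure described above can be checked for on the defender's side. The following is an added example, not code from the original page or from the GoBotKR/GoBot2 source: a minimal parser for the Windows Shell Link (.lnk) format that reads the shortcut's RelativePath and arguments and flags any shortcut in a media download that targets an executable rather than the media file. It skips the LinkInfo and IDList structures, so a shortcut whose target is stored only there is not judged by this heuristic; the sample shortcuts and the "codec" file name are constructed for the demonstration.

```python
import struct

# Flags in the ShellLinkHeader (MS-SHLLINK 2.1.1) that this parser honours.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
EXEC_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".com", ".vbs", ".js", ".ps1")
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-46

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; LinkInfo and the IDList are skipped."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # end of the fixed header
    if flags & HAS_ID_LIST:                     # u16 IDListSize + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # u32 LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:              # u16 CountCharacters + chars, no NUL
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            pos += 2
            fields[key] = data[pos:pos + count * width].decode(
                "utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    return fields

def is_executable_lure(data: bytes) -> bool:
    """True when the relative target or any argument names an executable."""
    link = parse_lnk(data)
    tokens = [link.get("relative_path", "")] + link.get("arguments", "").split()
    return any(t.strip('"').lower().endswith(EXEC_SUFFIXES) for t in tokens)

def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Construct a minimal Unicode .lnk carrying only RelativePath (+ arguments)."""
    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    flags = IS_UNICODE | 0x08 | (0x20 if arguments else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(76, b"\x00")
    return header + enc(relative_path) + (enc(arguments) if arguments else b"")

# Constructed samples: a benign shortcut to the real video, and a lure shortcut
# pointing at a fake "codec installer" bundled next to it.
BENIGN_LNK = build_lnk("..\\Episode 01.mp4")
LURE_LNK = build_lnk(".\\codec\\Codec Setup.exe", "/silent")
```

Run over the .lnk files in a torrent's download folder, a hit on `is_executable_lure` is a reason to quarantine the shortcut and the file it points to before anyone double-clicks it.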

Malware experts have since confirmed that GoBotKR's Korea-specific targeting persists into the backdoor Trojan's installation and persistence methods. Its author reconfigured some of the original GoBot2 features to evade South Korean AV and analysis tools and added two others: a process scanner that looks for AV software, and a text string-based detector for analysis software. These enhancements make GoBotKR well suited to the South Korean targets that make up the overwhelming majority of its infections, although there are some incidents involving other Asian nations (such as China).

The Generic Dangers of a Nationality-Specific Trojan

Readers who know of other botnets, such as the Amnesia Botnet or the GoBrut Botnet, will find few surprises in GoBotKR's payload. It can launch DDoS attacks that use the infected system's resources to generate traffic and overwhelm others' servers, which, malware experts estimate, is the motive for its summer campaign. However, GoBotKR is capable of other functions with more generic, but still harmful, results:

  • Executing commands, scripts or files.
  • Self-termination or uninstallation (especially for evading analysis).
  • Rebooting or shutting down the computer.
  • Changing the desktop's wallpaper.
  • Disabling tools like the Registry Editor, the Task Manager or the Command Prompt.
  • Closing or hiding memory processes.
  • Running local servers.

The threat actor can act as a remote administrator of the machine and, if he wishes, lock out the local user or install other software. Because of its anti-analysis safeguards, users should rely on compatible anti-malware services, which should either delete GoBotKR automatically or prevent its installation.

GoBotKR capitalizes on users who would rather not pay for what they're downloading, regardless of intellectual property concerns. As is all too typical, however, the victims end up paying a different fee that comes out of their computer's well-being.
