malware skull

An ongoing malware distribution campaign targeting South Korea is disguising RATs (remote access trojans) as an adult game shared via webhards and torrents.

The attackers are using easily obtainable malware such as njRAT and UDP RAT, wrap them in a package that appears like a game or other program, and then upload them on webhards.

WebHard is a popular online storage service in Korea, preferred mainly for the convenience of direct downloads.

Users end up at webhards through Discord or social media posts, but popular storage repositories enjoy a steady stream of daily visitors due to the content that is shared.

As reported by analysts at ASEC, threat actors are now using webhards to distribute a UDP RAT that is disguised as ZIP file containing an adult game.

When extracted, the archive contains a ‘game.exe’ launcher, which is actually the UDP rate malware.

Game.exe in the unpacked folder
Game.exe in the unpacked folder
Source: ASEC

Upon execution, Game.exe drops a Themida-packed RAT and becomes hidden, while it subsequently creates a new Game.exe file that will run the actual game, convincing the victim that all went well.

Malware executables are dropped into the ‘C:Program Files4.0389’ folder, and are malware fetchers that can connect to the C&C and download further malicious payloads.

Dropped malware files
Dropped malware files
Source: ASEC

For this campaign, ASEC was unable to sample any of the additional payloads, so this may be a functionality preserved for future deployment or it’s just intermittently used.

Connecting to the C2 to fetch additional payloads
Connecting to the C2 to fetch additional payloads
Source: ASEC

Malware like njRAT is particularly dangerous as it can steal sensitive information for the threat actors, including account credentials and keystrokes.

These tools are typically capable of capturing screenshots on the compromised device, and they also modify the Windows Registry for persistence.

In this case, the malware adds a Registry key to ensure a periodical connection to the C2 server, keeping the possibility of fetching more payloads open.

Actors have employed various tricks to convince people to download njRATs on their systems, but file hosting services and torrents remain a stable source of trouble.

Webhards are typically unregulated spaces, with no one checking what users upload and share with others on the platform, so whenever you’re pointed to one, be very careful.

ASEC warned about this risk again in June, when actors distributed yet another commodity malware disguised as a platformer game named ‘Lost Ruins’.

That package also had the capacity to run both the game and the malware simultaneously, making it a lot harder to realize the infection.

Source: www.bleepingcomputer.com