Cybercriminals often borrow code from one another, and they are especially fond of open-source projects. It would appear that the GoBotKR Trojan is based on the GoBot2 backdoor, a threat whose source code was made available to the public. The authors of GoBotKR have adopted a lot of the code behind the GoBot2 backdoor and modified it to their liking. The cybercrooks behind the GoBotKR Trojan are focusing mainly on South Korea (hence the 'KR' in the name), with over 80% of compromised systems located there. However, campaigns have also been spotted in other East Asian locations such as Taiwan and China. It is speculated that the goal of GoBotKR is to infect as many computers as possible and build a botnet, which would then be used for potential DDoS (Distributed Denial-of-Service) attacks.
Pirated Torrents Spread the GoBotKR
The creators of GoBotKR are propagating this Trojan via torrents. Since they are targeting South Korea mainly, they have opted to insert their threatening payload into torrents of popular Korean movies and TV shows. There have been occasional cases of video game torrents being used to spread the GoBotKR Trojan too. This is why pirating content is never a smart move.
To avoid suspicion, the infected torrents contained the media that the user was trying to download; however, alongside it there was a '.PMA' file and a '.LNK' file. To appear more legitimate, the '.PMA' file carried the name of a widely known codec pack, while the '.LNK' file copied the name and icon of the video file the user downloaded. Instead of opening a legitimate '.PMA' file containing a codec pack, the recipient ends up loading the GoBotKR Trojan. If the user attempts to open the '.LNK' file, it triggers the '.PMA' file and starts the attack. It also opens the video file to, again, avoid suspicion.
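The pairing described above (a shortcut named after the video that points at a '.PMA' file sitting in the same folder) is something a defender can hunt for in a download directory. The following PowerShell function is an added example written for this page, not code from the article or from the malware's authors; it reads each '.LNK' file's target and arguments through the WScript.Shell COM object (which parses the shortcut without launching it) and reports shortcuts that reference a '.PMA' file or that mimic an adjacent video file. The download path and the list of video extensions are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): find .LNK shortcuts in a
# download folder that reference a .PMA file or impersonate a video next to them.
function Find-SuspiciousTorrentShortcuts {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed set of media extensions to compare shortcut names against.
        [string[]] $VideoExtensions = @('.mp4', '.mkv', '.avi', '.wmv')
    )

    # WScript.Shell only parses the shortcut; it does not run the target.
    $shell    = New-Object -ComObject WScript.Shell
    $findings = @()

    foreach ($lnk in Get-ChildItem -Path $Path -Recurse -Filter '*.lnk' -File) {
        $shortcut  = $shell.CreateShortcut($lnk.FullName)
        $target    = [string] $shortcut.TargetPath
        $arguments = [string] $shortcut.Arguments
        $combined  = "$target $arguments"

        # Indicator 1: the shortcut's target or arguments name a .PMA file.
        $refsPma = $combined -match '\.pma(\s|"|$)'

        # Indicator 2: a video with the same base name sits beside the shortcut,
        # i.e. the .LNK is dressed up as the media the user meant to open.
        $sibling = $VideoExtensions | ForEach-Object {
            Join-Path $lnk.DirectoryName ($lnk.BaseName + $_)
        } | Where-Object { Test-Path -LiteralPath $_ }

        # Indicator 3: any .PMA file in the same folder as the shortcut.
        $pmaNearby = Get-ChildItem -Path $lnk.DirectoryName -Filter '*.pma' -File -ErrorAction SilentlyContinue

        if ($refsPma -or ($sibling -and $pmaNearby)) {
            $findings += [pscustomobject]@{
                Shortcut    = $lnk.FullName
                Target      = $target
                Arguments   = $arguments
                MimicsVideo = [bool] $sibling
                PmaInFolder = ($pmaNearby | ForEach-Object Name) -join ', '
            }
        }
    }
    $findings
}

# Usage against an assumed download location; each hit is a candidate for
# quarantine and for checking the .PMA file's hash against threat intel.
Find-SuspiciousTorrentShortcuts -Path "$env:USERPROFILE\Downloads" | Format-List
```

A legitimate codec-pack installer would not normally be launched through a shortcut that carries a movie's name and icon, so a hit on both indicators at once is a strong signal; a lone '.PMA' file with no mimicking shortcut is worth a hash lookup but is not conclusive on its own.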
GoBotKR Trojan’s Capabilities
Once GoBotKR infiltrates a system, it begins siphoning information about it to the attackers. The data collected concerns the hardware and software of the compromised machine. A profile of the victim's system is then built and added to the list of other infiltrated machines.
However, the attackers' botnet is not built only to launch DDoS campaigns. It is also capable of:
- Updating itself.
- Loading Web pages.
- Changing the Internet Explorer homepage.
- Executing files.
- Executing commands.
- Spreading the GoBotKR Trojan to portable storage devices.
- Spreading the GoBotKR to cloud services.
- Controlling the currently running processes.
- Disabling various Windows features such as Task Manager, Command Prompt and Registry Editor.
- Reconfiguring the Windows Firewall to unblock specific programs and ports.
- Removing itself.
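Two items in the list above leave traces an administrator can check directly: disabling Task Manager, the Command Prompt and the Registry Editor, and adding firewall allow rules for specific programs and ports. The PowerShell below is an added example written for this page, not code from the article or the malware; it inspects the standard Windows policy values that are commonly used to disable those three tools, and lists enabled inbound allow rules whose program lives outside the Windows and Program Files directories. The article does not say which registry values or rule names GoBotKR actually sets, so treat these checks as a triage starting point rather than a signature.

```powershell
# Added example (not from the original article). The registry values below are
# the standard Windows policy switches for these tools; the article does not
# specify which of them GoBotKR uses.
function Get-DisabledAdminTools {
    $checks = @(
        @{ Name = 'Task Manager';    Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DisableTaskMgr' },
        @{ Name = 'Registry Editor'; Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DisableRegistryTools' },
        @{ Name = 'Command Prompt';  Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Value = 'DisableCMD' }
    )
    foreach ($c in $checks) {
        $data = $null
        if (Test-Path $c.Key) {
            $data = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        [pscustomobject]@{
            Tool     = $c.Name
            Value    = $c.Value
            Data     = $data
            # Any non-zero value disables the tool for the current user.
            Disabled = ($null -ne $data -and $data -ne 0)
        }
    }
}

# Heuristic: an inbound allow rule scoped to an executable outside the usual
# system locations is unusual on a workstation and deserves a second look.
function Get-UnusualInboundAllowRules {
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        # Rule programs are often stored with %SystemRoot%-style variables.
        $program = [Environment]::ExpandEnvironmentVariables([string] $app.Program)

        $inTrusted = $false
        foreach ($t in $trusted) {
            if ($program.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }

        if ($program -and $program -ne 'Any' -and -not $inTrusted) {
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Program   = $program
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                Profile   = $rule.Profile
            }
        }
    }
}

Get-DisabledAdminTools      | Format-Table -AutoSize
Get-UnusualInboundAllowRules | Format-Table -AutoSize
```

The registry checks look only at the current user's hive (HKCU), which is where a non-elevated implant can write; on a machine where the same values also appear under HKLM or are pushed by Group Policy, confirm with the administrator that the setting is intentional before removing it. A firewall hit should be correlated with the program's location and signature rather than acted on alone, since some legitimate software installs to user-writable paths.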
It is always a gamble when one decides to get pirated content. More often than not, it is not worth the risk, which is why we strongly advise against downloading illicit copies of copyrighted content. It is also smart to download and install a reputable anti-virus suite to keep your system safe from threats like GoBotKR.