UDP RAT Malware Being Distributed via Webhards

While monitoring the distribution source of malware in Korea, the ASEC analysis team found that UDP RAT malware disguised as an adult game is being distributed via webhards. Webhards and torrents are platforms commonly used for the distribution of malware in Korea.

Attackers normally use easily obtainable malware such as njRAT and UDP RAT and disguise them as normal programs such as games or adult content for distribution. Similar cases were introduced in the previous ASEC blogs multiple times:

– njRAT Being Distributed through Webhards and Torrents
– njRAT Malware Distributed via Major Korean Webhard

Cases like those introduced in the posts above are still being found, though DDoS malware such as Simple UDP RAT is now usually used instead of njRAT. As shown in the figure below, the webhard download page that distributes a compressed file containing the malware is disguised as an adult game.

Besides the post above, the attacker uses a few other compressed files to distribute the malware. Note that although the games differ, the malware inside the compressed files is the same as what is discussed below.

The downloaded zip file contains the following files, and the user would run the “Game..exe” file to play the game.

Figure 1. Malware disguised as Game..exe file

However, “Game..exe” is not the game launcher but a launcher malware that runs other malware. Using the routine below, it runs the stick.dat malware file in the Dat folder, then copies the Ob.dat file to Game.exe and runs that as well.

Figure 2. Routine for running the malware in Dat folder

The file copied to Game.exe and run is the actual game launcher, so the user believes the game has started normally.

Once the process above is complete, the “Game..exe” file is hidden, so from then on the user launches Game.exe, the copied game launcher. Meanwhile, the stick.dat file run by the launcher malware is an ALZip SFX (self-extracting) program; it creates two malicious files, “Uninstall.exe” and “op.gg.setup.apk”, in the C:\Program Files\4.0389 folder.

Figure 3. Dropped malware
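The archive layout described above (a double-dot "Game..exe" next to a Dat folder whose .dat files are really executables) can be checked offline before anything is run. The following is an added example, not ASEC's tooling: it builds a constructed ZIP in memory that mirrors that layout with dummy bytes (not the real samples), then flags executables with a doubled dot before the extension and members whose data-like extension hides a PE "MZ" header. The extension sets are assumptions chosen for this illustration.

```python
"""Offline triage of a downloaded archive for the disguise pattern described above.

Added example (not ASEC's tooling). It builds a constructed ZIP in memory that
mirrors the layout in the post: "Game..exe" next to a Dat folder holding
stick.dat and Ob.dat, both of which are really executables. The checks are:
  * an executable whose name carries a doubled dot before the extension
    ("Game..exe"), which reads like a truncated display name;
  * a member with a data-like extension (.dat etc.) whose content starts
    with the PE "MZ" header, i.e. an executable masquerading as data.
All member contents below are dummy bytes, not real samples.
"""
import io
import re
import zipfile

PE_MAGIC = b"MZ"
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}   # assumed set
DATA_EXTS = {".dat", ".bin", ".txt", ".jpg", ".png", ".apk"}   # assumed set
# a name ending in "..<ext>", e.g. "Game..exe"
DOUBLE_DOT_NAME = re.compile(r"\.\.[A-Za-z0-9]+$")


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _ext(path):
    base = _basename(path)
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def triage_archive(data):
    """Return one finding dict per suspicious ZIP member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _ext(name)
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))   # only the magic is needed
            if ext in EXEC_EXTS and DOUBLE_DOT_NAME.search(_basename(name)):
                findings.append({"file": name, "reason": "double-dot executable name"})
            if ext in DATA_EXTS and head == PE_MAGIC:
                findings.append({"file": name, "reason": "PE header under data extension"})
    return findings


def build_sample_archive():
    """Constructed stand-in for the distributed ZIP (dummy contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Game..exe", PE_MAGIC + b"\x00" * 62)       # launcher malware
        zf.writestr("Dat/stick.dat", PE_MAGIC + b"\x00" * 62)   # ALZip SFX dropper as .dat
        zf.writestr("Dat/Ob.dat", PE_MAGIC + b"\x00" * 62)      # real game launcher, renamed
        zf.writestr("Dat/config.dat", b'{"lang": "ko"}')        # genuine data file
        zf.writestr("readme.txt", b"installation notes")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f["reason"], "->", f["file"])
```

On the constructed archive this reports Game..exe for its name and both stick.dat and Ob.dat for carrying a PE header, while config.dat and readme.txt pass; the same PE-under-data check would also catch the later-stage "op.gg.setup.apk", which the detection names on this page identify as a Windows binary.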

After creating the files, stick.dat runs Uninstall.exe. Uninstall.exe is another launcher malware that runs op.gg.setup.apk. Op.gg.setup.apk is a downloader malware (a Windows executable despite the .apk extension) that downloads the Op.gg.exe file from the following address into the same directory and runs it.

Download URL: hxxps://cdn.discordapp[.]com/attachments/872548745902948365/889723452569845830/Op.gg.exe

Op.gg.exe registers itself in the Run key for persistence, runs the legitimate program “C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe”, and injects the actual malware into it. The malware injected into SMSvcHost.exe is a downloader that periodically connects to the C&C server to obtain the address of additional malware to download.

C&C URL: hxxp://ondisk.kibot[.]pw:8080/links/UserTwo

Figure 4. Connecting to the C&C server to obtain additional malware download address

If an additional malware address is obtained from the C&C server, the downloader saves the additional malware in the C:\Steam_Kr\ folder and runs it, as shown below.

Figure 5. Routine for writing the downloaded file in Steam_Kr directory and running it
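The persistence, injection and C&C-polling steps above leave a recognisable trail in endpoint telemetry. The following detection logic is an added example, not ASEC's tooling; it runs over constructed JSON-lines events in a Sysmon-like shape (the field names, the HKCU key, the PIDs and the C&C host name are assumptions or placeholders; the file paths are those given on this page). It assumes SMSvcHost.exe, the .NET Net.Tcp Port Sharing host, is normally started only as a service by services.exe and has no reason to initiate outbound connections, so a different parent or an outbound connection from it is flagged.

```python
"""Detection logic for the persistence and injection chain described above.

Added example (not ASEC's tooling). Three rules over constructed JSON-lines
telemetry in a Sysmon-like shape (field names are assumptions):
  1. a process that writes its own path into a CurrentVersion\\Run key
     (Op.gg.exe registering itself);
  2. SMSvcHost.exe created by a parent other than services.exe; the host is
     assumed to be started only as a service, so another parent suggests it
     is being used as an injection host;
  3. SMSvcHost.exe initiating a connection to a non-private address, the
     injected downloader polling its C&C server.
Host names and PIDs in the sample are constructed placeholders.
"""
import ipaddress
import json

RUN_KEY_MARKER = "\\currentversion\\run"
SERVICE_HOST = "smsvchost.exe"
EXPECTED_SERVICE_PARENT = "services.exe"


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_private(host):
    """True only for private/loopback IPs; host names count as external."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def evaluate(event):
    """Return an alert string for one event, or None if it looks benign."""
    kind = event.get("event")
    image = _basename(event.get("image", ""))
    if kind == "registry_set" and RUN_KEY_MARKER in event.get("key", "").lower():
        if image and image in event.get("data", "").lower():
            return f"self-persistence: {image} wrote its own path to {event['key']}"
    if kind == "process_create" and image == SERVICE_HOST:
        parent = _basename(event.get("parent_image", ""))
        if parent != EXPECTED_SERVICE_PARENT:
            return f"{image} started by {parent}, not {EXPECTED_SERVICE_PARENT}: possible injection host"
    if kind == "network_connect" and image == SERVICE_HOST:
        host = str(event.get("dest_host", ""))
        if not _is_private(host):
            return f"{image} connected out to {host}:{event.get('dest_port')}: possible C&C polling"
    return None


def scan(lines):
    """Parse JSON lines and return (pid, alert) pairs for every rule hit."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        hit = evaluate(event)
        if hit:
            alerts.append((event.get("pid"), hit))
    return alerts


# Constructed telemetry: a benign service start and a benign registry write,
# then the chain from the post (paths from the post, other values made up).
SMSVCHOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
OPGG = r"C:\Program Files\4.0389\Op.gg.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 1204, "image": SMSVCHOST,
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event": "registry_set", "pid": 2210, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "data": "1"},
    {"event": "registry_set", "pid": 4120, "image": OPGG,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "data": OPGG},
    {"event": "process_create", "pid": 4188, "image": SMSVCHOST, "parent_image": OPGG},
    {"event": "network_connect", "pid": 4188, "image": SMSVCHOST,
     "dest_host": "c2.placeholder.invalid", "dest_port": 8080},   # placeholder for the C&C host
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for pid, alert in scan(SAMPLE_LOG):
        print(pid, alert)
```

The first two events (service-launched SMSvcHost.exe, an unrelated Explorer registry write) produce nothing; the last three each raise one alert, and the two alerts on PID 4188 tie the unexpected parent to the outbound connection, which is the pairing an analyst would pivot on.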

As the team has not yet obtained a download URL from the C&C server, it could not confirm what the malware does afterwards. However, many of the samples downloaded by this downloader can be found in AhnLab’s ASD infrastructure. Most of them are the open-source malware UDP Rat, which can perform UDP flood DDoS attacks.

Figure 6. Simple UDP Rat

The installed UDP Rat malware is usually packed with a packer such as Themida to evade detection, but some samples are not packed.

Figure 7. UDP Rat that is not packed

C&C address of Simple UDP Rat: 37.0.11[.]171:49367
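From the network side, the UDP flood capability attributed to Simple UDP Rat above shows up as a high packet rate of small datagrams from one internal host to one target. The following is an added example, not ASEC's tooling: it aggregates constructed NetFlow-like records (the tuple layout, thresholds and addresses are assumptions; the addresses use documentation ranges) per source/destination pair in fixed windows and flags only pairs that combine a high rate with a small average packet size, so a legitimate high-volume UDP stream such as video is not reported on rate alone.

```python
"""Flow-level detection of the UDP flood behaviour attributed to Simple UDP Rat above.

Added example, not ASEC's tooling. Constructed flow records (NetFlow-like
tuples; the layout is an assumption) are aggregated per source/destination
pair inside fixed windows. A pair is flagged when it combines a high packet
rate with a small average packet size, the shape of a flood rather than of a
legitimate high-volume UDP stream. Addresses are documentation ranges.
"""
from collections import defaultdict

# (timestamp_s, src_ip, dst_ip, proto, packets, bytes)
SAMPLE_FLOWS = [
    # infected host: bursts of 64-byte datagrams to a single target
    (0.0, "10.0.0.23", "203.0.113.9", "udp", 9000, 9000 * 64),
    (3.0, "10.0.0.23", "203.0.113.9", "udp", 8000, 8000 * 64),
    (7.0, "10.0.0.23", "203.0.113.9", "udp", 8000, 8000 * 64),
    # ordinary DNS traffic
    (1.0, "10.0.0.5", "10.0.0.1", "udp", 30, 2400),
    # high-rate but large-packet video stream: rate alone would false-positive
    (2.0, "10.0.0.7", "198.51.100.4", "udp", 12000, 12000 * 1200),
    # TCP traffic is ignored by this rule
    (4.0, "10.0.0.23", "203.0.113.9", "tcp", 20000, 20000 * 60),
]


def detect_udp_floods(flows, window_s=10, min_pps=1000, max_avg_bytes=128):
    """Return one alert per (window, src, dst) whose UDP traffic looks like a flood."""
    buckets = defaultdict(lambda: [0, 0])  # (window, src, dst) -> [packets, bytes]
    for ts, src, dst, proto, pkts, nbytes in flows:
        if proto != "udp" or pkts == 0:
            continue
        key = (int(ts // window_s), src, dst)
        buckets[key][0] += pkts
        buckets[key][1] += nbytes
    alerts = []
    for (window, src, dst), (pkts, nbytes) in sorted(buckets.items()):
        pps = pkts / window_s           # average packets per second in the window
        avg_bytes = nbytes / pkts       # average datagram size
        if pps >= min_pps and avg_bytes <= max_avg_bytes:
            alerts.append({"window": window, "src": src, "dst": dst,
                           "pps": pps, "avg_bytes": avg_bytes})
    return alerts


if __name__ == "__main__":
    for a in detect_udp_floods(SAMPLE_FLOWS):
        print(f"window {a['window']}: {a['src']} -> {a['dst']} "
              f"{a['pps']:.0f} pps, avg {a['avg_bytes']:.0f} B")
```

With the default thresholds only 10.0.0.23 is reported (2500 pps at 64 bytes); raising max_avg_bytes to 2000 also reports the video stream, which illustrates why the size condition is part of the rule.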

As shown in the examples above, malware is actively distributed via file-sharing websites such as webhards, so caution is advised when running executables downloaded from such sites. We recommend that users download software from the developers' official websites.

[File Detection]
– Game..exe : Trojan/Win.Launcher.C4665771 (2021.10.01.01)
– stick.dat : Dropper/Win.Korat.C4662749 (2021.10.01.00)
– op.gg.setup.apk : Dropper/Win.Korat.R443431 (2021.10.01.00)
– Uninstall.exe : Trojan/Win.Launcher.C4665770 (2021.10.01.01)
– op.gg.exe : Downloader/Win.Korat.R443432 (2021.10.01.00)
– UDP RAT : Backdoor/Win.UDPRat.R443002 (2021.09.28.01)

[IOC]
Files

– Game..exe : 00357575f2789c91e7afc7d8e1c25d40
– stick.dat : 73052c60e447d60497c4567a5bc1885e
– op.gg.setup.apk : 1b1c9751f5aaf2a1c5afc15d6b82e90b
– Uninstall.exe : 17930cd5cbcf7d12856c81333d4b4713
– op.gg.exe : ee228a1b9d71fc6381e15e9364bf8fb9
– UDP RAT : d858cdf1d85128cc337305b644fe565f

Download URLs
– hxxps://cdn.discordapp[.]com/attachments/872548745902948365/889723452569845830/Op.gg.exe

C&C Servers
– Downloader malware C&C: hxxp://ondisk.kibot[.]pw:8080/links/UserTwo
– UDP Rat C&C : 37.0.11[.]171:49367

Tagged as: DDoS, Webhard, UDPRat

The post UDP RAT Malware Being Distributed via Webhards appeared first on ASEC BLOG.

Article Link: UDP RAT Malware Being Distributed via Webhards - ASEC BLOG