An ongoing campaign targeting South Korea dupes users into downloading adult games infected with remote access trojans (RATs). The files are shared via webhards and torrents; webhards are online storage services popular in Korea, and they are often unregulated spaces where anyone can upload and share anything they want.
According to ASEC’s researchers, attackers are now distributing a UDP RAT disguised as a ZIP file containing an adult game. The archive contains a malicious launcher, game.exe. The attackers take various types of easily obtainable malware, such as njRAT and UDP RAT, wrap them in a game or program package, and infect their victims.
Attackers direct users to the webhards through Discord or social media platforms.
When Game.exe is executed, it drops a Themida-packed RAT that hides the game’s actual contents. It then creates a new Game.EXE file that runs a benign game to confuse the victim.
Malware executables are often dropped into the C:\Program Files\4.0389 folder. The downloader component then connects to the attackers’ C&C server and fetches additional malicious payloads.
ASEC was not able to sample these additional payloads.
njRAT is a type of malware that can steal sensitive information from victims, such as account credentials and keystrokes. Such tools are usually capable of capturing screenshots from a compromised device and can modify the Windows registry for persistence.
This variant adds a registry key to maintain a continuous connection to the C2 server, which lets the attackers drop more payloads.
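A host-level hunt for the two indicators the article gives, the drop folder and a registry persistence entry, as an added example that is not part of ASEC’s report or this article. It assumes the persistence entry lives in one of the standard Run/RunOnce keys (the article does not name the key) and that the launcher is called Game.exe; both are assumptions, not facts from the report.

```powershell
# Added hunt script, not from ASEC's report. Assumptions, labelled:
# the persistence key is a standard HKCU/HKLM Run or RunOnce key
# (the article does not say which key njRAT used), and the launcher
# is named Game.exe. The launcher-name match alone is noisy; treat a
# hit on the drop folder as the stronger signal.
$DropFolder   = 'C:\Program Files\4.0389'   # folder named in the article
$LauncherName = 'Game.exe'                  # launcher named in the article
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$findings = @()

# 1. Drop-folder check: record every file sitting in the named folder.
if (Test-Path -LiteralPath $DropFolder) {
    Get-ChildItem -LiteralPath $DropFolder -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type   = 'DropFolderFile'
                Where  = $_.FullName
                Detail = "size=$($_.Length) modified=$($_.LastWriteTime)"
            }
        }
}

# 2. Autorun check: any Run/RunOnce value whose command references the
#    drop folder or the launcher name. Environment variables are expanded
#    so %ProgramFiles%-style paths compare literally.
foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($cmd -like "*$DropFolder*" -or $cmd -like "*$LauncherName*") {
            $findings += [pscustomobject]@{
                Type   = 'AutorunEntry'
                Where  = "$key\$($p.Name)"
                Detail = $cmd
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it in an elevated session so the HKLM keys are readable; a DropFolderFile hit warrants pulling the file for analysis before any cleanup.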
These actors have used various tricks to convince people to download the njRATs, with torrents and file-hosting services being a preferred method.
ASEC warned about this issue back in June, when cybercriminals distributed a repackaged version of a well-known game, Lost Ruins. The package could run both the game and the malware simultaneously, making the infection hard to detect.