Threat Actors are Using Webhards And Torrents to Spread RAT Malware in Korea

The malware disguises itself as a normal program such as a game or adult content.


ASEC researchers have discovered a new malicious campaign targeting South Korean users. Threat actors are spreading easily obtainable malware such as njRAT and UDP RAT via Webhards and torrents, disguising it as normal programs such as games or adult content.

According to ASEC analysts, Webhards is a popular online storage service in Korea, preferred mainly for the convenience of direct downloads. However, threat actors are using Webhards to distribute a UDP RAT disguised as a ZIP file containing an adult game. Users are directed to the Webhards download by the attackers through Discord or social media platforms.

The downloaded ZIP archive contains various files, and the user needs to open the “Game..exe” file to play the game. Upon execution, the “Game..exe” file is hidden, so the user then runs Game.exe, which is the copied game program launcher.

In addition, the stick.dat file that is run by the launcher malware is an ALZip SFX program; it creates two pieces of malware, “Uninstall.exe” and “op.gg.setup.apk”, in the C:\Program Files\4.0389 folder. After stick.dat creates the files, it executes Uninstall.exe. Uninstall.exe is another launcher malware that runs op.gg.setup.apk. Op.gg.setup.apk is a downloader malware that downloads the Op.gg.exe file from a remote address into the same directory and runs it.

njRAT is a type of malware that can steal private information from victims, such as account credentials and keystrokes. It can also capture screenshots from a compromised device and modify the Windows registry for persistence. This variant adds a registry key to ensure a continuous connection to the C2 server, which allows the attackers to drop more payloads.
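The infection chain described above (a double-extension launcher, an SFX dropping into C:\Program Files\4.0389, a non-executable extension such as .apk being run as a process, and a registry autorun entry) leaves a recognisable trail in endpoint telemetry. The following detector is an added example, not code from ASEC or from the article: it replays a handful of constructed, Sysmon-style events and flags each stage the article names. The event field names (`type`, `image`, `parent`, `target`, `key`, `data`) and the HKCU Run key used for persistence are assumptions; the article only states that a registry key is added.

```python
"""Toy detector for the Webhard/torrent RAT delivery chain described above.

Added example (not from the ASEC report or the article). The event schema
and the Run-key path are assumptions; file names and the drop directory are
taken from the article. Windows paths are case-insensitive, so everything is
compared lower-cased.
"""
import re
from typing import Dict, List

# Drop directory and file names named in the article.
DROP_DIR = r"c:\program files\4.0389"
CHAIN_FILES = {"stick.dat", "uninstall.exe", "op.gg.setup.apk", "op.gg.exe"}
# Extensions that should never appear as the image of a Windows process.
NON_PE_EXTENSIONS = (".apk", ".dat")
# Assumption: the article does not say which key is used for persistence.
RUN_KEY_PREFIX = r"hkcu\software\microsoft\windows\currentversion\run"


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    """Lower-cased directory component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def has_double_extension(name: str) -> bool:
    """'Game..exe'-style names: an empty inner extension before the real one."""
    return re.search(r"\.\.[A-Za-z0-9]{1,4}$", name) is not None


def analyze(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding string per suspicious stage seen in the events."""
    findings: List[str] = []
    for ev in events:
        kind = ev["type"]
        if kind == "FileCreate":
            target = ev["target"]
            if _dir(target) == DROP_DIR and _base(target) in CHAIN_FILES:
                findings.append(f"drop: {_base(target)} written to {DROP_DIR}")
        elif kind == "ProcessCreate":
            image, parent = _base(ev["image"]), _base(ev["parent"])
            if has_double_extension(image):
                findings.append(f"double-extension executable launched: {image}")
            if image.endswith(NON_PE_EXTENSIONS):
                findings.append(f"non-PE extension executed as a process: {image}")
            if parent in CHAIN_FILES and image in CHAIN_FILES:
                findings.append(f"launcher chain: {parent} -> {image}")
        elif kind == "RegistryValueSet":
            if ev["key"].lower().startswith(RUN_KEY_PREFIX) and _base(ev["data"]) in CHAIN_FILES:
                findings.append(f"persistence: Run value points at {_base(ev['data'])}")
    return findings


# Constructed sample telemetry following the stages in the article, plus one
# benign game launch that must not be flagged.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "ProcessCreate", "image": r"C:\Users\u\Downloads\Game\Game..exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "image": r"C:\Users\u\Downloads\Game\stick.dat",
     "parent": r"C:\Users\u\Downloads\Game\Game.exe"},
    {"type": "FileCreate", "target": r"C:\Program Files\4.0389\Uninstall.exe"},
    {"type": "FileCreate", "target": r"C:\Program Files\4.0389\op.gg.setup.apk"},
    {"type": "ProcessCreate", "image": r"C:\Program Files\4.0389\Uninstall.exe",
     "parent": r"C:\Users\u\Downloads\Game\stick.dat"},
    {"type": "ProcessCreate", "image": r"C:\Program Files\4.0389\op.gg.setup.apk",
     "parent": r"C:\Program Files\4.0389\Uninstall.exe"},
    {"type": "FileCreate", "target": r"C:\Program Files\4.0389\Op.gg.exe"},
    {"type": "RegistryValueSet",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Op.gg",
     "data": r"C:\Program Files\4.0389\Op.gg.exe"},
    {"type": "ProcessCreate", "image": r"C:\Games\Lost Ruins\LostRuins.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The exact file names will change between campaigns, so the durable signals here are the generic ones: a process whose image carries a double extension or a non-PE extension, and a Run value pointing at a freshly dropped file under Program Files. The name list only adds confidence for this specific chain.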

Threat actors have been employing various tricks to convince users to download njRAT, with torrents and file-hosting services being a preferred method. Earlier this year, in June, ASEC warned about this issue when threat actors propagated a repackaged version of a well-known game, Lost Ruins. The package could run both the game and the malware simultaneously, making the infection hard to detect.

The researchers have advised users to remain vigilant with executables downloaded from file-sharing websites and to download software only from developers' official websites.