DDoS IRC Bot Malware (GoLang) Being Distributed via Webhards – ASEC BLOG

Korean security researchers found DDoS IRC Bot strains masquerading as adult games, distributed via webhards, using a GoLang-based downloader alongside UDP Rat and Simple-IRC-Botnet. The malware installs through a downloader, persists via a scheduled task, injects into a legitimate process, and receives DDoS commands over IRC for various attack types. #Simple-IRC-Botnet #GoLang #UDP_Rat #Korat #Webhard

Keypoints

  • The campaigns distribute malware disguised as adult games uploaded to Korean webhards.
  • The downloader was previously built in C#, but newer samples use GoLang.
  • A Game_Open.exe launcher runs another malware component by renaming and executing scall.dll and an index executable.
  • The downloader creates EdmGen.exe and registers it in Task Scheduler to run on startup, then injects malware into vbc.exe.
  • GoLang-based malware includes both UDP Rat and Simple-IRC-Botnet, enabling various DDoS attacks via IRC.
  • The GoLang IRC bot connects to listed IRC servers and channels to receive DDoS commands (e.g., Slowloris, GoldenEye, Hulk).

MITRE Techniques

  • [T1036] Masquerading – Malware distributed as game files and presented as legitimate Game_Open.exe; “Malware disguised as Game_Open.exe file.”
  • [T1105] Ingress Tool Transfer – Downloader retrieves and installs additional malware from a remote URL, e.g., “Download URL for Additional Malware: hxxp://node.kibot[.]pw:8880/links/01-13”.
  • [T1055] Process Injection – EdmGen.exe injects malware into the normal program (vbc.exe) to execute the downloader.
  • [T1053.005] Scheduled Task – EdmGen.exe is registered to run on startup via SCHTASKS, e.g., “C:\Windows\System32\cmd.exe /c SCHTASKS /CREATE /SC ONSTART /NP /TN ‘Windows Google’ /TR ‘C:\Program Files\EdmGen.exe’.”
  • [T1071] Application Layer Protocol – The Golang DDoS IRC Bot uses IRC (an application-layer protocol over TCP, port 6667 on the listed servers) for C2 and receives commands to perform DDoS attacks. “connects to a particular IRC server … enters the attacker’s channel” and “can perform DDoS attacks on a target if the attacker sends commands from the channel.”

Indicators of Compromise

  • [File Hash] Game Launcher – affbad0bedccbf1812599fbce847d917, b21ad73be72280ae30d8c5556824409e
  • [File Hash] Launcher – b621005a147ef842fbc7198c8431724c, ba43e4c84da7600881ed5ccac070e001
  • [File Hash] Downloader – 42a344fbad7a56e76c83013c677330ac, 6b029fc7a0f480b7dd6158bba680e49b
  • [File Hash] UDP Rat – bff341b0c95eda801429a4b5c321f464, 0fd264b12ea39e39da7807a117718429
  • [File Hash] Golang DDoS IRC Bot – 7f3bd23af53c52b3e84255d7a3232111, 00b9bf730dd99f43289eac1c67578852
  • [IP Address] IRC/C2 – 210.121.222[.]32:6667, 157.230.106[.]25:6667
  • [Domain/URL] C2 Domains – kibot[.]pw, organic.kibot[.]pw, node.kibot[.]pw
  • [File Name] Game_Open.exe, EdmGen.exe, scall.dll
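The following is an added example, not ASEC's code: a small matcher that runs the MITRE behaviours and the IOCs above over a constructed batch of host and network events. The event schema (dicts with `type`, `image`, `parent`, `cmdline`, `dst_ip`, `dst_port`, `dst_host`, `md5`, `path`) is an assumption standing in for a real Sysmon/EDR export, and treating "vbc.exe whose parent is EdmGen.exe" as the telemetry for the injection step is also an assumption; the page only says EdmGen.exe injects into vbc.exe.

```python
"""Added example (not ASEC's code): match the write-up's IOCs and behaviours
against a constructed list of events. Event schema is an assumption."""
import re

# Indicators as published on the page (kept defanged with [.]).
C2_IPS = {"210.121.222[.]32", "157.230.106[.]25"}
C2_DOMAINS = {"kibot[.]pw", "organic.kibot[.]pw", "node.kibot[.]pw"}
MD5_HASHES = {
    "affbad0bedccbf1812599fbce847d917": "Game Launcher",
    "b21ad73be72280ae30d8c5556824409e": "Game Launcher",
    "b621005a147ef842fbc7198c8431724c": "Launcher",
    "ba43e4c84da7600881ed5ccac070e001": "Launcher",
    "42a344fbad7a56e76c83013c677330ac": "Downloader",
    "6b029fc7a0f480b7dd6158bba680e49b": "Downloader",
    "bff341b0c95eda801429a4b5c321f464": "UDP Rat",
    "0fd264b12ea39e39da7807a117718429": "UDP Rat",
    "7f3bd23af53c52b3e84255d7a3232111": "Golang DDoS IRC Bot",
    "00b9bf730dd99f43289eac1c67578852": "Golang DDoS IRC Bot",
}
FILE_NAMES = {"game_open.exe", "edmgen.exe", "scall.dll"}
IRC_PORT = 6667  # both listed C2 endpoints use 6667


def refang(ioc):
    """Turn the published '[.]' notation back into a matchable string."""
    return ioc.replace("[.]", ".")


_C2_IPS = {refang(i) for i in C2_IPS}
_C2_DOMAINS = {refang(d) for d in C2_DOMAINS}

# SCHTASKS /CREATE ... /SC ONSTART ... /TN <name> ... /TR <command>
SCHTASKS_RE = re.compile(
    r"schtasks\s+/create\b(?=.*?/sc\s+onstart\b)"
    r".*?/tn\s+['\"]?(.+?)['\"]?\s+/tr\s+['\"]?(.+?)['\"]?\s*$",
    re.I,
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    found = []
    m = SCHTASKS_RE.search(ev.get("cmdline", ""))
    if m:
        task, cmd = m.group(1), m.group(2)
        # Task name and target observed in the campaign.
        if task.lower() == "windows google" or basename(cmd) == "edmgen.exe":
            found.append(("T1053.005", f"ONSTART task {task!r} runs {cmd}"))
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
    # Assumption: the injection into vbc.exe shows up as vbc.exe spawned by EdmGen.exe.
    if image == "vbc.exe" and parent == "edmgen.exe":
        found.append(("T1055", "vbc.exe started by EdmGen.exe"))
    if image in FILE_NAMES:
        found.append(("T1036", f"campaign file name {image} executed"))
    return found


def check_network(ev):
    ip, port = ev.get("dst_ip", ""), ev.get("dst_port")
    host = ev.get("dst_host", "").lower()
    if ip in _C2_IPS:
        return [("C2-IP", f"{ip}:{port}")]
    if any(host == d or host.endswith("." + d) for d in _C2_DOMAINS):
        return [("C2-Domain", f"{host}:{port}")]
    if port == IRC_PORT:  # weak signal: IRC to an endpoint not on the list
        return [("IRC-port", f"{ip}:{port}")]
    return []


def check_file(ev):
    family = MD5_HASHES.get(ev.get("md5", "").lower())
    return [("Hash", f"{family}: {ev.get('path')}")] if family else []


CHECKS = {"process": check_process, "network": check_network, "file": check_file}


def scan(events):
    """Return (event index, rule, detail) for every event that matches."""
    hits = []
    for i, ev in enumerate(events):
        for rule, detail in CHECKS.get(ev.get("type"), lambda e: [])(ev):
            hits.append((i, rule, detail))
    return hits


# Constructed sample events; paths and the 203.0.113.10 address are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c SCHTASKS /CREATE /SC ONSTART /NP '
                r'/TN "Windows Google" /TR "C:\Program Files\EdmGen.exe"'},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Program Files\EdmGen.exe", "cmdline": "vbc.exe"},
    {"type": "network", "dst_ip": "210.121.222.32", "dst_port": 6667},
    {"type": "network", "dst_ip": "203.0.113.10", "dst_port": 8880, "dst_host": "node.kibot.pw"},
    {"type": "file", "path": r"C:\Users\user\Downloads\bot.exe",
     "md5": "7f3bd23af53c52b3e84255d7a3232111"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Program Files\MSBuild\MSBuild.exe", "cmdline": "vbc.exe /out:app.exe"},
    {"type": "process", "image": r"D:\Downloads\Game_Open.exe", "cmdline": "Game_Open.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The benign vbc.exe event (spawned by MSBuild) produces no hit, which is the point of keying the T1055 rule on the parent rather than on vbc.exe alone; the bare port-6667 rule is kept separate and weak because legitimate IRC use exists.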

Read more: https://asec.ahnlab.com/en/30755/