| ID | X0027 |
| Type | Backdoor, Bot/Botnet |
| Aliases | None |
| Platforms | Windows |
| Year | 2019 |
| Associated ATT&CK Software | None |
GoBotKR is a modified version of a publicly available backdoor, GoBot2. The modifications to GoBot2 are mainly evasion techniques specific to South Korea. [1]
From [1], “The malware installs two instances of itself on the system. The second instance (watchdog) monitors whether the first instance is still active and reinstalls it if it has been removed from the system.”
| Name | Use |
|---|---|
| Initial Access::Drive-by Compromise (T1189) | GoBotKR has been distributed through torrent file-sharing websites to South Korean victims, using games or Korean movie/TV series as a lure. [1] |
| Persistence::Scheduled Task (T1053) | GoBotKR schedules a task that adds a registry run key to establish malware persistence. [1] |
| Privilege Escalation::Abuse Elevation Control Mechanism::Bypass User Account Control (T1548.002) | GoBotKR attempts to bypass UAC using Registry Hijacking. [1] |
| Defense Evasion::Deobfuscate/Decode Files or Information (T1140) | GoBotKR has used base64 to obfuscate strings, commands and files. [1] |
| Defense Evasion::Indicator Removal (T1070) | GoBotKR removes the Zone identifier from the ADS (Alternate Data Streams) of the file, to conceal the fact the file has been downloaded from the internet. [1] |
| Defense Evasion::Masquerading (T1036) | GoBotKR uses filenames and registry key names associated with legitimate software. [1] |
| Discovery::Software Discovery::Security Software Discovery (T1518.001) | GoBotKR checks for processes associated with security products and debugging tools, and terminates itself if any are detected. It can enumerate installed antivirus software using the wmic command. [1] |
| Discovery::System Information Discovery (T1082) | GoBotKR uses wmic, systeminfo and ver commands to collect information about the system and the installed software. [1] |
| Discovery::System Network Configuration Discovery (T1016) | GoBotKR uses netsh and ipconfig to collect information about the network configuration. It has used Naver and Daum portals to obtain the client IP address. [1] |
| Discovery::System Owner/User Discovery (T1033) | GoBotKR uses whoami to obtain information about the victimized user. It runs tests to determine the privilege level of the compromised user. [1] |
| Discovery::System Time Discovery (T1124) | GoBotKR can obtain the date and time of the compromised system. [1] |
| Lateral Movement::Ingress Tool Transfer (T1105) | GoBotKR attempts to copy itself into public folders of cloud storage services (Google Drive, Dropbox, OneDrive). [1] |
| Lateral Movement::Replication Through Removable Media (T1091) | GoBotKR can drop itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system. [1] |
| Command and Control::Proxy (T1090) | GoBotKR can be used as a proxy server. [1] |
| Command and Control::Data Encoding (T1132) | The communication with the C&C server is Base64 encoded. [1] |
| Command and Control::Ingress Tool Transfer (T1105) | GoBotKR can download additional files and update itself. [1] |
| Command and Control::Application Layer Protocol (T1071) | GoBotKR uses HTTP or HTTPS for C&C. [1] |
| Command and Control::Non-Standard Port (T1571) | GoBotKR uses non-standard ports, such as 6446, 6556 and 7777, for C&C. [1] |
| Name | Use |
|---|---|
| Execution::Command and Scripting Interpreter (E1059) | GoBotKR uses cmd.exe to execute commands. [1] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | GoBotKR installs itself under registry run keys to establish persistence. [1] |
| Defense Evasion::Hidden Files and Directories (F0005) | GoBotKR stores itself in a file with Hidden and System attributes. [1] |
| Defense Evasion::Obfuscated Files or Information (E1027) | GoBotKR uses base64 to obfuscate strings, commands and files. [1] |
| Defense Evasion::Modify Registry (E1112) | GoBotKR can modify registry keys to disable Task Manager, Registry Editor and Command Prompt. [1] |
| Collection::Screen Capture (E1113) | GoBotKR is capable of capturing screenshots. [1] |
| Execution::User Execution (E1204) | GoBotKR makes their malware look like the torrent content that the user intended to download, in order to entice a user to click on it. [1] |
| Command and Control::Ingress Tool Transfer (E1105) | GoBotKR can download additional files and update itself. [1] |
| Discovery::System Information Discovery (E1082) | GoBotKR uses wmic, systeminfo, and ver commands to collect information about the system and the installed software and queries environment variables. [1] [2] |
| Discovery::File and Directory Discovery (E1083) | GoBotKR checks if a file exists. [2] |
| Name | Use |
|---|---|
| Execution::Install Additional Program (B0023) | GoBotKR reinstalls its running instance if it is removed. [1] |
| Anti-Behavioral-Analysis::Sandbox Detection (B0007) | GoBotKR performs several checks on the compromised machine to avoid being emulated or executed in a sandbox. [1] |
| Command and Control::C2 Communication::Receive Data (B0030.002) | GoBotKR receives data from the C2. [1] [2] |
| Impact::Denial of Service (B0033) | GoBotKR has been used to execute endpoint DDoS attacks – for example, TCP Flood or SYN Flood. [1] |
| Impact::Resource Hijacking (B0018) | GoBotKR can use the compromised computer’s network bandwidth to seed torrents or execute DDoS. [1] |
| File System::Copy File (C0045) | GoBotKR copies files. [2] |
| File System::Create Directory (C0046) | GoBotKR creates directories. [2] |
| File System::Delete File (C0047) | GoBotKR deletes files. [2] |
| Operating System::Registry::Query Registry Value (C0036.006) | GoBotKR queries or enumerates registry values. [2] |
| Process::Create Process (C0017) | GoBotKR creates processes on Windows. [2] |
| Process::Create Thread (C0038) | GoBotKR creates threads. [2] |
| Process::Suspend Thread (C0055) | GoBotKR suspends threads. [2] |
| Process::Terminate Process (C0018) | GoBotKR terminates processes. [2] |
SHA256 Hashes
- 492e8ee240492768232b717a60a880f216fd936b6ed9f5b6f67fe83db3bbc7d4
- d4420f7f6fbc361bac02bcd9d994703735b15da80775ee20862db47b59d521d6
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] capa v4.0, analyzed at MITRE on 10/12/2022