Week in security with Tony Anscombe

ESET researchers describe the ins and outs of a zero-day exploit that has been used for a highly targeted attack and reveal the name of the threat actor that deployed it

In a pair of articles this week, ESET researchers describe the ins and outs of a zero-day exploit that has been used for a highly targeted attack in Eastern Europe, and also reveal the name of the threat actor that deployed it. In yet another research effort, ESET experts analyze a malicious campaign that distributes a backdoor via torrents, using South Korean TV content as the bait.

Cybercrime seen to be getting worse: The time to act is now

What mounting public concern about falling victim to cybercrime says about government and corporate efforts at cybercrime deterrence

Is the risk of becoming a victim of cybercrime increasing? Most people in North America and Europe think it is, based on the surveys that I’ve been looking at. Earlier this year the European Union published the results of its latest consumer survey on internet security in which 87% of internet users agreed that the risk of becoming a victim of cybercrime is increasing (see the Resources link below for details of EBS480: Special Eurobarometer 480: Europeans’ attitudes towards Internet security).

Facts and figures

ESET recorded similar concern in a North American survey that asked the same question in roughly the same timeframe. In the US, 87% of respondents agreed that the risk of becoming a victim of cybercrime was increasing. Canadian respondents were slightly less pessimistic at 83% (sample sizes: 2,500 and 1,000 respectively.)

These findings have to be worrying news for companies whose business models rely on public trust in the internet. They should also concern politicians and the government, including law enforcement agencies. The survey findings strongly suggest that government efforts at cybercrime deterrence have not given the public much cause for hope.

Clearly, fear of crimes like identity theft and misgivings about data privacy loom large in many countries and some people are reducing or adjusting their use of online technology as a result. The following graph charts responses to the question: Has concern about security issues made you change the way you use the Internet in any of the following ways? (The EU data are from EBS480 fieldwork in October and November, 2018. US and Canada data are from ESET’s fieldwork in July and August, 2018.)

The number of people who are self-limiting their exploration of the internet has to be bad news for companies trying to start businesses online; and while the percentage of people limiting their online shopping and banking is a lot lower, it should still concern the retail and financial services sectors.

When ESET asked Americans about a variety of concerns related to online banking and shopping, 70% of those surveyed indicated that they are worried about the misuse of personal data supplied online. The EU study found a lower level of concern (43%), but this varied widely within the EU – from 32% in Austria and Poland to 50% in Croatia and 62% in Cyprus.

Roughly two thirds of respondents (66%) in North America also expressed concern about the security of online payments. Again, this could be interpreted as a call to online merchants to step up their security efforts and demonstrate that they take the security of online transactions seriously.

To help assess privacy concerns related to use of the internet, the EU and ESET surveys asked respondents if they agreed or disagreed with this statement: I am concerned that my online personal information is not kept secure by websites. Sadly, one third of US respondents said that they totally agreed, compared to one in four Canadians. The percentage that agreed totally or tended to agree was 80% in the US, 72% in Canada, and 77% in the EU. That EU result is up from 70% in 2013, which is not a good sign.

The survey also asked people if they agreed with this statement: I am concerned that my online personal information is not kept secure by public authorities. Unfortunately, more than three quarters of US respondents (76%) either tended to agree or totally agreed, versus two thirds in Canada. In the EU, 68% of internet users share this concern, up from 64% in 2013.

Given the extent to which companies and government agencies have come to rely on the internet as a tool for communication and interaction with the public, these numbers should be worrying. If the public doubts the ability of organizations to protect personal data from exposure, those organizations may find it much harder than expected to realize net gains from further digital transformation, such as the Internet of Things, machine learning, artificial intelligence, big data, self-driving vehicles, and 5G.

What can we say?

Cybersecurity is concerned with the protection of digital technologies – technologies upon which our world is now heavily dependent – against criminals and other entities who seek to abuse those technologies for their own selfish ends. Public support for efforts to reduce cybercrime is critical to society’s efforts to preserve the benefits of digital technologies. That is why it is so important to know what the public thinks about cybercrime and cybersecurity, the safety of online activities, and the privacy of personal data shared with companies or government agencies.

So why don’t the governments of the world do a better job of researching these things? My take is that the cost of such research strikes many politicians as too high, but that strikes me as extremely short-sighted, given what is at stake, and how much surveys like those reviewed here can teach us. Consider the lost opportunities for retailers and financial firms that were revealed: by digging deeper into the demographics of this distrust, a savvy company could craft targeted marketing to improve engagement with customers who are nervous about online activity because of cybercrime.

Maybe industry lobbyists should be pushing for more of these studies given that they reveal valuable business intelligence. For example, the current numbers suggest that marketing strategies which rely on people giving up data online may be facing stronger headwinds if cybersecurity does not improve. Conversely, these statistics might prove useful to Chief Information Security Officers (CISOs) and Chief Privacy Officers (CPOs) as they argue the case for greater emphasis on cybersecurity within their organizations.

Clearly, these surveys show that more needs to be done to deter cybercrime. Given the extent – revealed by these surveys – that cybercrime is impeding progress and threatening the promised benefits of the next wave of digital transformation, concerted action by government agencies and

Buhtrap group uses zero‑day in latest espionage campaigns

ESET research reveals notorious crime group also conducting espionage campaigns for the past five years

The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia. However, since late 2015, we have witnessed an interesting change in its traditional targets. From a purely criminal group committing cybercrime for financial gain, it has expanded its toolset with malware used to conduct espionage in Eastern Europe and Central Asia.

Throughout our tracking, we’ve seen this group deploy its main backdoor as well as other tools against various victims, but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign. In that case, we observed Buhtrap using a local privilege escalation exploit, CVE-2019-1132, against one of its victims.

The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the Microsoft Security Response Center, who promptly fixed the vulnerability and released a patch.

This blog post covers the evolution of Buhtrap from a financial-crime to an espionage mindset.


The timeline in Figure 1 highlights some of the most important developments in Buhtrap activity.

Figure 1. Important events in Buhtrap timeline

It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in targets occurred before the source code leak, we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions.

Although new tools have been added to their arsenal and updates applied to older ones, the tactics, techniques and procedures (TTPs) used in the different Buhtrap campaigns have not changed dramatically over all these years. They still make extensive use of NSIS installers as droppers and these are mainly delivered through malicious documents. Also, several of their tools are signed with valid code-signing certificates and abuse a known, legitimate application to side-load their malicious payloads.

The documents employed to deliver the malicious payloads often come with benign decoy documents to avoid raising suspicions if the victim opens them. The analysis of these decoy documents provides clues about who the targets might be. When Buhtrap was targeting businesses, the decoy documents would typically be contracts or invoices. Figure 2 is a typical example of a generic invoice the group used in a campaign in 2014.

Figure 2. Decoy document used in campaigns against Russian businesses

When the group’s focus shifted to banks, the decoy documents were related to banking system regulations or advisories from FinCERT, an organization created by the Russian government to provide help and guidance to its financial institutions (such as the example in Figure 3).

Figure 3. Decoy document used in campaigns against Russian financial institutions

So when we first saw decoy documents related to government operations, we immediately started tracking these new campaigns. One of the first malicious samples showing such a change was noticed in December 2015. It downloaded an NSIS installer whose role was to install the main Buhtrap backdoor, but the decoy document – seen in Figure 4 – was intriguing.

Figure 4. Decoy document used in campaigns against governmental organizations

The URL in the text is revealing. It is very similar to the State Migration Service of Ukraine website, dmsu.gov.ua. The text, in Ukrainian, asks employees to provide their contact information, especially their email addresses. It also tries to convince them to click on the malicious domain included in the text.

This was the first of many malicious samples we encountered that the Buhtrap group used to target government institutions. Another, more recent decoy document that we believe was also distributed by the Buhtrap group is seen in Figure 5 – a document which would appeal to a very different set of people, but still government related.

Figure 5. Decoy documents used in campaigns against governmental organizations

Analysis of the targeted campaigns leading to zero-day usage

The tools used in the espionage campaigns were very similar to those used against businesses and financial institutions. One of the first malicious samples we analyzed that targeted governmental organizations has the SHA-1 hash 2F2640720CCE2F83CA2F0633330F13651384DD6A. This NSIS installer downloads the regular package containing the Buhtrap backdoor and displays the decoy document shown in Figure 4.

Since then, we’ve seen several different campaigns against governmental organizations coming from this group. In these, they were routinely exploiting vulnerabilities to elevate their privileges in order to install their malware. We’ve seen them exploit old vulnerabilities such as CVE-2015-2387; until now, however, these were always already-known vulnerabilities. The zero-day they used recently fits the same pattern: it lets them run their malware with the highest privileges.

Throughout the years, packages with different functionalities appeared. Recently, we found two new packages that are worth describing as they deviate from the typical toolset.

Legacy backdoor with a twist – E0F3557EA9F2BA4F7074CAA0D0CF3B187C4472FF

This document contains a malicious macro that, when enabled, drops an NSIS installer whose task is to prepare installation of the main backdoor. However, this NSIS installer is very different from the earlier versions used by this group. It is much simpler and is only used to set the persistence and launch two malicious modules embedded within it.

The first module, called “grabber” by its author, is a standalone password stealer. It tries to harvest passwords from mail clients, browsers, etc., and sends them to a C&C server. This module was also detected as part of the campaign using the zero-day. This module uses standard Windows APIs to communicate with its C&C server.

Figure 6. Grabber module network capabilities

The second module is something that we have come to expect from Buhtrap operators: an NSIS installer containing a legitimate application that will be abused to side load the Buhtrap main backdoor. The legitimate application that is abused in this case is AVZ, a free anti-virus scanner.

Meterpreter and DNS tunneling – C17C335B7DDB5C8979444EC36AB668AE8E4E0A72

This document contains a malicious macro that, when enabled, drops an NSIS installer whose task is to prepare installation of the main backdoor. Part of the installation process is to set up firewall rules to allow the malicious component to communicate with the C&C server. Next is a command example the NSIS installer uses to set up these rules:

cmd.exe /c netsh advfirewall firewall add rule name="Realtek HD Audio Update Utility" dir=in action=allow program="<path>RtlUpd.exe" enable=yes profile=any
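That command line is a useful detection opportunity: legitimate installers rarely need an inbound allow rule for a binary that lives in a user-writable directory. The following Python is an added example, not ESET's code or tooling. It parses process-creation log lines for netsh advfirewall firewall add rule invocations, extracts the rule's key=value arguments, and flags inbound allow rules whose program path sits under AppData, Temp, ProgramData and similar, or whose vendor-branded rule name does not match a binary under Windows or Program Files. The log format, the directory and vendor lists, and the paths are constructed for the example; the article itself elides the real path as <path>.

```python
import re
from dataclasses import dataclass, field

# Added example, not ESET's code. Constructed heuristics; tune the lists to your estate.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VENDOR_WORDS = ("realtek", "microsoft", "intel", "nvidia", "adobe")   # brands borrowed for rule names

ADD_RULE = re.compile(r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b", re.IGNORECASE)
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class FirewallRuleEvent:
    host: str
    user: str
    name: str
    program: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_add_rule(cmdline: str):
    """Return the key=value arguments of a 'netsh advfirewall firewall add rule' command
    line, or None when the line is some other netsh invocation."""
    m = ADD_RULE.search(cmdline)
    if m is None:
        return None
    # Curly quotes creep in when commands are copied out of reports; normalise them first.
    tail = cmdline[m.end():].replace("\u201c", '"').replace("\u201d", '"')
    return {key.lower(): (quoted or bare) for key, quoted, bare in KEY_VALUE.findall(tail)}


def assess_rule(args: dict) -> list:
    """Why an add-rule call looks like malware opening a hole for its own binary."""
    program = args.get("program", "").lower()
    name = args.get("name", "").lower()
    inbound_allow = args.get("dir", "").lower() == "in" and args.get("action", "").lower() == "allow"
    if not (inbound_allow and program):
        return []
    reasons = []
    if any(d in program for d in USER_WRITABLE_DIRS):
        reasons.append("inbound allow for a binary in a user-writable directory")
    if any(v in name for v in VENDOR_WORDS) and not program.startswith(TRUSTED_ROOTS):
        reasons.append("vendor-branded rule name but binary outside Windows/Program Files")
    if reasons and args.get("profile", "").lower() == "any":
        reasons.append("rule applies to every network profile")
    return reasons


def scan_log(text: str) -> list:
    """One FirewallRuleEvent per add-rule command found in constructed process-creation
    log lines of the form '<timestamp> <host> <user> <command line>'."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        _ts, host, user, cmdline = parts
        args = parse_add_rule(cmdline)
        if args is not None:
            events.append(FirewallRuleEvent(host, user, args.get("name", ""), args.get("program", ""), assess_rule(args)))
    return events


# Constructed log lines. The first mirrors the command quoted in the article, with a
# made-up path standing in for the elided <path>; the others are benign noise.
SAMPLE_LOG = r"""
2019-06-03T09:12:44Z WS01 alice cmd.exe /c netsh advfirewall firewall add rule name="Realtek HD Audio Update Utility" dir=in action=allow program="C:\Users\alice\AppData\Roaming\RtlUpd.exe" enable=yes profile=any
2019-06-03T09:20:01Z WS02 SYSTEM netsh advfirewall firewall add rule name="Remote Desktop (TCP-In)" dir=in action=allow program="C:\Windows\System32\svchost.exe" enable=yes
2019-06-03T09:21:17Z WS03 bob netsh advfirewall firewall show rule name=all
"""

if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(f"{'ALERT' if ev.suspicious else 'ok   '} {ev.host} {ev.user} name={ev.name!r} program={ev.program!r}", "; ".join(ev.reasons))
```

In production the same parser would run over Sysmon event ID 1 or Windows Security event 4688 command lines (with command-line auditing enabled); the profile=any check is only counted once another reason has fired, so ordinary installers that open a port for every profile do not alert on their own.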

However, the final payload is something that we have never seen associated with Buhtrap. Encrypted in its body are two payloads. The first one is a very small shellcode downloader, while the second one is Metasploit’s Meterpreter. Meterpreter is a reverse shell that grants its operators full access to the compromised system.

The Meterpreter reverse shell actually uses DNS tunnelling to communicate with its C&C server, by using a module similar to what is described here. Detecting DNS tunnelling can be difficult for defenders, since the malicious traffic is carried inside DNS queries and responses rather than over a direct TCP connection to the C&C server. Below is a snippet of the initial communication of this malicious module.


The C&C server domain name in this example is impersonating Microsoft. In fact, the attackers registered different domain names for these campaigns, most of them abusing Microsoft brands in one way or another.
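A heuristic detection for the DNS tunnelling described above, added here as an example and not part of ESET's analysis or tooling: given resolver query logs, it groups queries by parent domain and scores each parent on how many distinct subdomains it receives, the mean length and character entropy of those subdomains, and how often record types with room for a downstream payload (TXT, NULL, CNAME, MX) are requested. The log format, the thresholds and every domain name are constructed for the example; ms-update.example is a made-up Microsoft-lookalike, not a real C&C domain from the campaign.

```python
import hashlib
import math
from collections import defaultdict

# Added example, not ESET's code. Thresholds are constructed starting points; baseline
# them on your own resolver logs before alerting on them.
MIN_QUERIES = 5           # ignore parents with too few queries to judge
DISTINCT_RATIO = 0.8      # distinct subdomains / queries: tunnels encode data in ever-changing labels
MEAN_LABEL_LEN = 20       # mean subdomain length in characters
MEAN_ENTROPY = 3.0        # mean Shannon entropy of the subdomain; real hostnames sit far lower
TUNNEL_RTYPES = {"TXT", "NULL", "CNAME", "MX"}   # record types that can carry a sizeable answer


def shannon_entropy(s: str) -> float:
    """Bits per character of s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_parent(qname: str, parent_labels: int = 2) -> tuple:
    """'a.b.c.example' -> ('a.b', 'c.example'). Constructed simplification: a real
    deployment would consult the public suffix list so that 'x.co.uk' is handled."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= parent_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-parent_labels]), ".".join(labels[-parent_labels:])


def parse_query_log(text: str):
    """Yield (client, qname, qtype) from constructed lines '<timestamp> <client> <qname> <qtype>'."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3].upper()


def score_domains(queries) -> dict:
    """Return {parent_domain: [reasons]} for parents that trip at least two heuristics."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "chars": 0, "entropy": 0.0, "with_sub": 0, "tunnel_rtypes": 0})
    for _client, qname, qtype in queries:
        sub, parent = split_parent(qname)
        st = stats[parent]
        st["n"] += 1
        if sub:
            payload = sub.replace(".", "")
            st["subs"].add(sub)
            st["with_sub"] += 1
            st["chars"] += len(payload)
            st["entropy"] += shannon_entropy(payload)
        if qtype in TUNNEL_RTYPES:
            st["tunnel_rtypes"] += 1
    findings = {}
    for parent, st in stats.items():
        n = st["n"]
        if n < MIN_QUERIES:
            continue
        reasons = []
        if len(st["subs"]) / n >= DISTINCT_RATIO:
            reasons.append(f"{len(st['subs'])} distinct subdomains in {n} queries")
        if st["with_sub"]:
            mean_len = st["chars"] / st["with_sub"]
            mean_ent = st["entropy"] / st["with_sub"]
            if mean_len >= MEAN_LABEL_LEN:
                reasons.append(f"mean subdomain length {mean_len:.0f} chars")
            if mean_ent >= MEAN_ENTROPY:
                reasons.append(f"mean subdomain entropy {mean_ent:.2f} bits/char")
        if st["tunnel_rtypes"] / n >= 0.5:
            reasons.append(f"{st['tunnel_rtypes']}/{n} queries for TXT/NULL/CNAME/MX")
        if len(reasons) >= 2:
            findings[parent] = reasons
    return findings


def _chunk_label(i: int) -> str:
    # Constructed stand-in for an encoded data chunk: 40 hex chars split into two labels.
    h = hashlib.sha1(f"chunk-{i}".encode()).hexdigest()
    return f"{h[:32]}.{h[32:]}"


# Constructed query log: one tunnelling client, plus ordinary lookups as background noise.
SAMPLE_LOG = "\n".join(
    [f"2019-06-04T10:00:{i:02d}Z 10.0.0.7 {_chunk_label(i)}.ms-update.example TXT" for i in range(12)]
    + [f"2019-06-04T10:01:{i:02d}Z 10.0.0.7 www.microsoft.com A" for i in range(6)]
    + ["2019-06-04T10:02:00Z 10.0.0.8 mail.contoso.example MX"]
    + [f"2019-06-04T10:02:{i:02d}Z 10.0.0.8 {name}.contoso.example A"
       for i, name in enumerate(["www", "www", "www", "login", "cdn"], start=1)]
)

if __name__ == "__main__":
    for parent, reasons in score_domains(parse_query_log(SAMPLE_LOG)).items():
        print(f"{parent}: " + "; ".join(reasons))
```

Feed it the fields you already have (Sysmon event ID 22, Zeek dns.log, or the resolver's own query log) and require two independent signals before alerting; content-delivery and telemetry domains legitimately produce many distinct subdomains, but rarely long, high-entropy ones carried over TXT.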


While we do not know why this group has suddenly shifted targets, it is a good example of the increasingly blurred lines between pure espionage groups and those primarily involved in crimeware activities. In this case, it is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward.

Indicators of Compromise (IoCs)

ESET detection names


Malware samples

Main packages SHA-1


Grabber SHA-1


C&C servers



Company name | Fingerprint
YUVA-TRAVEL | 5e662e84b62ca6bdf6d050a1a4f5db6b28fbb7c5
SET&CO LIMITED | b25def9ac34f31b84062a8e8626b2f0ef589921f

Tactic | ID | Name | Description
Execution | T1204 | User Execution | The user must run the executable.
Execution | T1106 | Execution through API | Executes additional malware through CreateProcess.
Execution | T1059 | Command-Line Interface | Some packages provide Meterpreter shell access.
Persistence | T1053 | Scheduled Task | Some of the packages create a scheduled task to be executed periodically.
Defense Evasion | T1116 | Code Signing | Some of the samples are signed.
Credential Access | T1056 | Input Capture | Backdoor contains a keylogger.
Credential Access | T1111 | Two-Factor Authentication Interception | Backdoor actively searches for a connected smart card.
Collection | T1115 | Clipboard Data | Backdoor logs clipboard content.
Exfiltration | T1020 | Automated Exfiltration | Log files are automatically exfiltrated.
Exfiltration | T1022 | Data Encrypted | Data sent to C&C is encrypted.
Exfiltration | T1041 | Exfiltration Over Command and Control Channel | Exfiltrated data is sent to a server.
Command and Control | T1043 | Commonly Used Port | Communicates with a server using HTTPS.
Command and Control | T1071 | Standard Application Layer Protocol | HTTPS is used.
Command and Control | T1094 | Custom Command and Control Protocol | Meterpreter is using DNS tunneling to communicate.
Command and Control | T1105 | Remote File Copy | Backdoor can download and execute file from C&C server.

11 Jul 2019 – 11:30AM

Windows zero‑day CVE‑2019‑1132 exploited in targeted attacks

ESET research discovers a zero-day exploit that takes advantage of a local privilege escalation vulnerability in Windows

In June 2019, ESET researchers identified a zero-day exploit being used in a highly targeted attack in Eastern Europe.

The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the Microsoft Security Response Center, who promptly fixed the vulnerability and released a patch.

The vulnerability affects the following Windows versions:

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1

This blog post focuses on the technical details of the vulnerability and its exploitation. Another post, tomorrow, will delve into the malware sample and its broader implications.


As with a number of other Microsoft Windows win32k.sys vulnerabilities disclosed in recent years, this exploit uses popup menu objects. For example, the Sednit group’s local privilege escalation exploit that we analyzed in 2017 used menu objects and techniques very similar to the current exploit.

This exploit creates two windows; one for the first stage and another one for the second stage of the exploitation. For the first window, it creates popup menu objects and appends menu items using the CreatePopupMenu and AppendMenu functions. In addition, the exploit sets up WH_CALLWNDPROC and EVENT_SYSTEM_MENUPOPUPSTART hooks.

Then the exploit displays a menu using the TrackPopupMenu function. At this point the code hooked to EVENT_SYSTEM_MENUPOPUPSTART gets executed. This code attempts to open the first available item in the menu (i.e. its sub-menu) by sending a sequence of MN_SELECTITEM, MN_SELECTFIRSTVALIDITEM and MN_OPENHIERARCHY messages to the menu.

The next step is very important for triggering this vulnerability. The exploit must catch the moment in time when the initial menu is already created, but the sub-menu is only about to be created. For that, the exploit has code that handles the WM_NCCREATE message in the WH_CALLWNDPROC hook. When the exploit code detects the system is in this state, it sends an MN_CANCELMENUS (0x1E6) message to the first menu, which cancels that menu. However, its sub-menu is still about to be created.

Now if we check this sub-menu object in kernel mode, we would see that tagPOPUPMENU->ppopupmenuRoot equals 0. This state lets the attacker turn that field of the kernel structure into a NULL pointer dereference: the exploit allocates a new page at address 0x0, and the kernel will treat that address as a tagPOPUPMENU object (see Figure 1).

Figure 1. The tagPOPUPMENU kernel structure

At this point, the attackers use the second window. The main exploit goal is to flip the bServerSideWindowProc bit in the tagWND structure of the second window. This causes the execution of a WndProc procedure in kernel mode.

To perform that, attackers leak the kernel memory address of the tagWND structure of the second window by calling the non-exported HMValidateHandle function in the user32.dll library. Then the exploit crafts a fake tagPOPUPMENU object at the NULL page and sends a MN_BUTTONDOWN message to a sub-menu.

After that, the kernel will eventually execute the win32k!xxxMNOpenHierarchy function.

Figure 2. Disassembled code of the win32k!xxxMNOpenHierarchy function

This function passes a crafted object at the NULL page to win32k!HMAssignmentLock. The bServerSideWindowProc bit is set inside the win32k!HMDestroyUnlockedObject function, which is located a few calls deeper inside win32k!HMAssignmentLock.

Figure 3. Disassembled code of the win32k!HMDestroyUnlockedObject function

Everything is done! Now the exploit can send a specific message to the second window in order to execute WndProc in kernel mode.

As a final step, the exploit replaces the token of the current process with the system token.

Among other changes, the published patch added a NULL pointer check in the win32k!xxxMNOpenHierarchy function.

Figure 4. Code differences between two win32k.sys versions – original (left) and patched (right)


The exploit only works against older versions of Windows, because since Windows 8 a user process is not allowed to map the NULL page. Microsoft back-ported this mitigation to Windows 7 for x64-based systems.
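Whether a given machine is still in the exploitable class can be checked directly, since the whole technique depends on a user process being able to map the page at address 0. The following Python is an added example, not ESET's code: it asks the kernel, through NtAllocateVirtualMemory, to commit a page at address 1 (which rounds down to page 0) and reports whether the request was honoured. It returns None on non-Windows hosts, where the question does not apply; on Windows 8 and later, and on Windows 7 x64 with the back-ported mitigation, it should return False. The constants are the documented Windows SDK values.

```python
import ctypes
import sys

# Added example, not ESET's code. Allocation constants from the Windows SDK.
MEM_COMMIT, MEM_RESERVE, MEM_RELEASE = 0x1000, 0x2000, 0x8000
PAGE_READWRITE = 0x04
PAGE_SIZE = 0x1000


def null_page_mappable():
    """Try to map the page at virtual address 0 in this process.

    Returns True if the kernel allowed it (the pre-Windows 8 behaviour the exploit
    relies on), False if the request was refused (mitigation present), or None when
    not running on Windows."""
    if sys.platform != "win32":
        return None
    ntdll = ctypes.WinDLL("ntdll")
    kernel32 = ctypes.WinDLL("kernel32")
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.VirtualFree.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_ulong]
    kernel32.VirtualFree.restype = ctypes.c_int
    alloc = ntdll.NtAllocateVirtualMemory
    alloc.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p), ctypes.c_size_t,
                      ctypes.POINTER(ctypes.c_size_t), ctypes.c_ulong, ctypes.c_ulong]
    alloc.restype = ctypes.c_ulong    # NTSTATUS; 0 is STATUS_SUCCESS, anything else is a refusal

    # Requesting address 1 rounds down to page 0; requesting 0 would mean "anywhere".
    base = ctypes.c_void_p(1)
    size = ctypes.c_size_t(PAGE_SIZE)
    status = alloc(kernel32.GetCurrentProcess(), ctypes.byref(base), 0, ctypes.byref(size),
                   MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)
    if status != 0:
        return False
    # Release it again so the rest of the process does not run with a mapped NULL page.
    kernel32.VirtualFree(base.value, 0, MEM_RELEASE)
    return True


if __name__ == "__main__":
    verdict = {
        None: "not Windows; NULL page check does not apply",
        True: "NULL page mappable: NULL-dereference privilege escalations remain exploitable here",
        False: "NULL page mapping refused: mitigation present",
    }
    print(verdict[null_page_mappable()])
```

Run it as an ordinary user, since that is the vantage point of a local privilege escalation; a True result on a Windows 7 32-bit host is the concrete reason the article recommends moving off that platform.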

People who still use Windows 7 for 32-bit Systems Service Pack 1 should consider updating to a newer operating system, since extended support for Windows 7 Service Pack 1 ends on January 14th, 2020. After that date Windows 7 users will no longer receive critical security updates, so vulnerabilities like this one will remain unpatched.

SHA-1 hash | ESET detection name
CBC93A9DD769DEE98FFE1F43A4F5CADAF568E321 | Win32/Exploit.CVE-2019-1132.A

10 Jul 2019 – 11:30AM

UK’s data watchdog hands out two mega-fines for breaches

The times they have a-changed since the ICO could only slap fines worth a fraction of the current amounts

British Airways and Marriott Starwood are facing massive fines in the United Kingdom for cyber-incidents that compromised the personal data of their customers.

Yesterday, the UK’s Information Commissioner’s Office (ICO) unveiled its intention to slap a fine of £183.4 million (roughly US$230 million) on the air carrier for a breach last year that compromised the personal data of half a million of its customers.

And today, the data watchdog revealed a similar plan for the hotel chain – a fine worth £99.2 million (around US$123 million) in response to a breach that exposed 383 million guest records.

Both penalties are for alleged violations of the European Union’s General Data Protection Regulation (GDPR). The penalty for British Airways is the first that the ICO intends to impose under the new legal regime and by far the highest that the data protection regulator has ever levied.

No. 1

As we also reported in September 2018, hundreds of thousands of the air carrier’s customers had their credit card details stolen last summer. As the full scope of the damage became clear, the range of compromised data grew, “including log in, payment card, and travel booking details as well as name and address information”. The victim tally was also revised upwards to 500,000 people.

“This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers,” said the ICO after an extensive investigation, blaming the breach on the company’s “poor security arrangements”.

Said Information Commissioner Elizabeth Denham: “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has already announced that it intends to “take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.

No. 2

Another day, another penalty, this time for an incident that hit one of the world’s largest hotel chains, exposing various personal data contained in hundreds of millions of guest records globally. The ICO, which put the number of exposed records at 339 million, said that some 30 million of them related to residents of 31 countries in the European Economic Area (EEA).

In this breach, disclosed in November 2018, an unauthorized party had accessed the reservations database since as far back as 2014. The compromised data included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For a subset of the victims, passport numbers, payment card numbers and payment card expiration dates were also pilfered.

Marriott Starwood has also already announced plans to appeal the ICO’s move.

Past vs. present

Either of the fines puts any penalty ever handed out by the ICO before to shame. Last July, for example, the ICO fined Facebook £500,000 (then equivalent to US$663,000) over the Cambridge Analytica scandal that saw the personal data of millions of users harvested without their knowledge. Still, it was the maximum allowed before GDPR came into force.

Meanwhile, fines imposed under GDPR can be as high as €20 million (US$22.4 million) or 4 percent of a company’s total worldwide annual turnover in the preceding financial year, whichever is greater. According to The Guardian, the proposed penalty for British Airways is equivalent to around 1.5 percent of the company’s global turnover last year. For Marriott, the fine would represent some 3 percent of the company’s global revenue in 2018, wrote TechCrunch.

9 Jul 2019 – 07:19PM

Malicious campaign targets South Korean users with backdoor-laced torrents

ESET researchers have discovered a malicious campaign distributing a backdoor via torrents, with Korean TV content used as a lure

Fans of Korean TV should be on the lookout for an ongoing campaign spreading malware via torrent sites, using South Korean movies and TV shows as a guise. The malware allows the attacker to connect the compromised computer to a botnet and control it remotely.

The malware is a modified version of a publicly available backdoor named GoBot2. The modifications to the source code are mainly South Korea-specific evasion techniques, which are described in detail in this blogpost. Due to the campaign’s clear focus on South Korea, we have dubbed this Win64/GoBot2 variant GoBotKR.

According to ESET telemetry, GoBotKR has been active since March 2018. The detections are in the hundreds, with South Korea being the most affected (80%), followed by China (10%) and Taiwan (5%).

GoBotKR has been spreading via South Korean and Chinese torrent sites, masquerading as Korean movies and TV shows, as well as some games.

The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions and icons. Our analysis shows that the torrents using a movie/TV show disguise generally contain the following types of files:

  1. The expected MP4 file
  2. A malicious executable masked as a PMA archive file with a filename mimicking various codec installers
  3. A malicious LNK file with a filename and icon mimicking the expected video file

Figure 1 shows examples of torrent contents from this malicious campaign.

Figure 1. Contents of some torrents delivering the malware (the MP4 video is not displayed on the second screenshot); the malware is executed by an LNK file with a deceptive filename and icon

So how exactly do users get compromised?

Directly opening the intended MP4 file will not result in any malicious action. The catch here is that the MP4 file is often hidden in a different directory, and users might encounter the malicious LNK file mimicking it first. Further increasing the chance of users falling for the lure is the fact that the extension of the LNK file is normally not displayed when viewed in Windows Explorer, as seen in the second screenshot in Figure 1, in the file with the Korean name.

Clicking on the deceptive LNK file executes the malware. However, it also opens the intended file (in this case a video), giving victims little reason to suspect something has gone wrong.

Renaming the malicious EXE file to a PMA file is also likely done to avoid raising the suspicion of potential victims. We have also seen this technique used with games as a lure, and with filenames and extensions relevant to gaming.

During our investigation, we have seen the following filenames being used for the malicious executables: starcodec.pma, WedCodec.pma and Codec.pma (movie/TV show disguise) and leak.dll (game disguise). The name “starcodec” mimics the legitimate Korean codec pack Starcodec.
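The two lures described above leave fingerprints that can be checked before anything is clicked: a file whose bytes start with the MZ header but whose extension is not one Windows treats as executable, and a shortcut whose name ends in a video extension once the hidden .lnk suffix is accounted for. The following Python is an added example, not ESET's code: it walks a downloaded torrent directory, flags both patterns, and reads the shortcut's StringData (relative path, arguments, icon) with a minimal MS-SHLLINK parser so the analyst can see what it would launch. To run offline it also builds a constructed sample directory (a dummy MP4, a dummy PE renamed starcodec.pma, and a hand-made .lnk named after the video); the shortcut's contents are invented for the demo and say nothing about how the real campaign's LNK invokes its payload.

```python
import struct
import tempfile
from pathlib import Path

# Added example, not ESET's code. MS-SHLLINK constants: header magic (HeaderSize + CLSID)
# and the LinkFlags bits that govern which optional structures follow the 76-byte header.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
VIDEO_EXTS = {".mp4", ".mkv", ".avi", ".wmv", ".mov"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".sys", ".cpl", ".ocx"}   # extensions where MZ is expected


def parse_lnk_strings(data: bytes) -> dict:
    """Minimal shell-link reader: skip the ID list and LinkInfo blocks and return the
    StringData fields. Enough to see what a shortcut launches without resolving it."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            fields[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return fields


def build_lnk(relative_path: str, arguments: str = "", icon: str = "") -> bytes:
    """Constructed minimal .lnk (no ID list, no LinkInfo) so the demo runs offline."""
    def string_data(text: str) -> bytes:   # CountCharacters followed by UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    flags = HAS_RELPATH | IS_UNICODE | (HAS_ARGS if arguments else 0) | (HAS_ICON if icon else 0)
    header = LNK_MAGIC + struct.pack("<I", flags) + bytes(76 - 24)   # remaining header fields zeroed
    return (header + string_data(relative_path)
            + (string_data(arguments) if arguments else b"")
            + (string_data(icon) if icon else b""))


def scan_torrent_dir(root: Path) -> list:
    """Flag the two lures from the article: a PE hiding behind a non-executable extension
    and a .lnk posing as the video. Returns (relative path, finding) pairs."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        data = path.read_bytes()
        if data[:2] == b"MZ" and ext not in EXEC_EXTS:
            findings.append((str(path.relative_to(root)), f"PE executable disguised with extension {ext or '(none)'}"))
        if ext == ".lnk":
            try:
                fields = parse_lnk_strings(data)
            except ValueError:
                fields = {}
            posing = Path(path.stem).suffix.lower() in VIDEO_EXTS   # 'Drama.E01.mp4.lnk' -> '.mp4'
            target = " ".join(v for v in (fields.get("relative_path", ""), fields.get("arguments", "")) if v)
            label = "shortcut named like a video" if posing else "shortcut in a media torrent"
            findings.append((str(path.relative_to(root)), f"{label}, launches {target or '?'}"))
    return findings


def make_sample_torrent(dirpath: Path) -> None:
    """Constructed stand-in for Figure 1: a dummy MP4, a dummy PE renamed to .pma, and a
    .lnk named after the video. None of it is real malware."""
    (dirpath / "Drama.E01.720p.mp4").write_bytes(b"\x00\x00\x00\x18ftypmp42" + bytes(64))       # MP4 'ftyp' box
    (dirpath / "starcodec.pma").write_bytes(b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00" + bytes(64))  # DOS/PE stub
    (dirpath / "Drama.E01.720p.mp4.lnk").write_bytes(
        build_lnk("starcodec.pma", arguments="Drama.E01.720p.mp4", icon="%SystemRoot%\\system32\\wmploc.dll"))


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_torrent(root)
        return scan_torrent_dir(root)


if __name__ == "__main__":
    for rel, what in demo():
        print(f"{rel}: {what}")
```

Point scan_torrent_dir at a real download folder to triage it; the parser deliberately stops at StringData, so a shortcut that carries its target only in the ID list reports "?" for the launch target and is still flagged on its name and presence alone.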

GoBotKR was built on the basis of a backdoor named GoBot2, the source code of which has been publicly available since March 2017. Both the original and the modified version are written in GoLang, also known as Go. While Go is still relatively rare for malware, new variants of Go-based malware are emerging, likely because the bulky nature of its compiled executables complicates analysis.

The functionality of GoBotKR largely overlaps with the published GoBot2 source code, with only minimal modifications. Overall, the malware is not particularly complex technically, and the implementation is rather straightforward. Most features are implemented with the use of GoLang libraries, and by executing Windows commands (such as cmd, ipconfig, netsh, shutdown, start, systeminfo, taskkill, ver, whoami, and wmic), and third-party utilities such as BitTorrent and uTorrent clients.

Collected information

Ultimately, the actors behind GoBotKR are building a network of bots that can then be used to perform DDoS attacks of various kinds (e.g. SYN Flood, UDP Flood, or Slowloris). Therefore, after being executed, GoBotKR first collects system information about the compromised computer, including network configuration, OS version information, CPU and GPU versions. In particular, it collects a list of installed antivirus software.

This information is sent to a C&C server, which helps the attackers determine which bots should be used in the respective attacks. All C&C servers that we extracted from the analyzed malware samples are hosted in South Korea and registered by the same person.

Bot commands

Once communication with the C&C server is established, the server instructs the compromised computer with backdoor commands. GoBotKR supports fairly standard botnet functions, which mostly serve three main purposes:

  • allowing misuse of the compromised computer
  • allowing the botnet operators to control, or further extend, the botnet
  • evading detection or hiding from the user

These are the supported commands:

  • carry out a DDoS attack on a specified victim
  • access a URL
  • execute a file, a command, a script
  • update, terminate or uninstall itself
  • shutdown/reboot/log off the computer
  • change homepage in IE
  • change desktop background
  • seed torrents
  • copy itself to connected removable media and set up an AutoRun entry
  • copy itself to public folders of cloud storage services (Dropbox, OneDrive, Google Drive)
  • run a reverse proxy server
  • run an HTTP server
  • change firewall settings, edit hosts file, open a port
  • enable/disable Task Manager
  • enable/disable Windows registry editors
  • enable/disable Command Prompt
  • kill a process
  • hide a process window

Of particular interest are two commands – seeding torrents and DDoS capability.

The “seed torrents” command allows the attackers to misuse the victimized machines for seeding arbitrary files using the BitTorrent and uTorrent programs, even if these are not already installed on the system. This may be used as a mechanism to distribute the malware further.

The “carry out a DDoS attack” command lets attackers abuse the victim’s network bandwidth to block the availability of targeted services, such as websites. According to our analysis, this is most likely the main purpose of the GoBotKR botnet.

In this section, we explore the evasion techniques used by the GoBotKR backdoor. While many techniques were already present in the publicly available source code, the authors of GoBotKR further expanded them with South Korea-specific features. This shows us that the attackers customized the malware for a specific audience, while taking extra effort to remain undetected in their campaign.

Techniques taken from GoBot2

The following detection evasion and anti-analysis techniques used by GoBotKR have been adopted from GoBot2 source code:

  • The malware installs two instances of itself on the system. The second instance (watchdog) monitors whether the first instance is still active and reinstalls it if it has been removed from the system.
  • The malware employs antivirus bypass techniques (it allocates large chunks of memory and delays execution of the malicious payload to prevent antivirus engines from emulating the code due to resource constraints).
  • The malware can detect selected security and analytical tools, such as debuggers. If detected, it terminates itself.
  • The malware terminates itself if IP information of the victim suggests one of several blacklisted organizations (e.g. Amazon, BitDefender, Cisco, ESET). It uses external legitimate websites for querying IP information and searches for hardcoded strings in this information (e.g. “cloud”, “Cisco”, “Microsoft”), rather than using API functions.
  • The malware terminates itself if its file name consists of 32 hexadecimal characters, which prevents the payload from being executed in some automated sandboxes.

South Korea-specific modifications in GoBotKR

The authors of GoBotKR added three new evasion techniques, related to their focus on South Korea:

  • As explained in the previous section, the malware uses IP information of the compromised computer to detect whether it is running in one of the blacklisted organizations. In GoBot2, the IP address of the victim is determined by accessing Amazon Web Services or dnsDynamic and parsing the reply.
    In the samples of GoBotKR we analyzed, these URLs are replaced with South Korean online platforms Naver and Daum.
  • GoBotKR features a new evasion technique that scans running processes on the compromised system to detect selected antivirus products (listed in Table 1). If any of the products are detected, the malware terminates itself and removes some traces of its activity from the host. The list of detected processes includes products by AhnLab, a South Korean security company.
| Process name substring | Associated company/product |
|---|---|
| V3Lite | AhnLab, V3 Internet Security |
| V3Clinic | AhnLab, V3 Internet Security |
| RwVnSvc | AhnLab Anti-Ransomware Tool |
| Ksde | Kaspersky |
| kavsvc | Kaspersky |
| avp | Kaspersky |
| Avast | Avast |
| McUICnt | McAfee |
| 360 | 360 Total Security |
| kxe | Kingsoft Antivirus |
| kwsprotect | Kingsoft Internet Security |
| BitDefender | BitDefender |
| Avira | Avira |
| ByteFence | ByteFence |

Table 1. List of security products detected by GoBotKR

  • The malware tries to detect analytical tools running on the system. It terminates itself if any of them are detected. The list is internally named “ahnNames”, which might be another reference to AhnLab.

Figure 2. The malware’s blacklist of running processes is internally named “ahnNames”

In addition to the AhnLab references, the defensive techniques described in the second and third points were added into the source code as a file named AhnLab.go, according to the metadata we obtained from the malware.

Because the malware is spreading via torrents, a lot of the samples are broken or incomplete. We were, however, able to recover C&C servers and internal version information.

Since the malware was first seen, we have detected samples with internal versions 2.0, 2.3, 2.4, and 2.5. Each of these versions comes with some minor technical improvements or differences in implementation. The versioning differs from that used in the GoBot2 source code, where an internal name “ArchDuke” is used.

Table 2 lists the different versions of GoBotKR detected by ESET systems from May 2018 to the time of writing. The timeline features the malware’s internal versioning and detection dates, as PE timestamps have been cleared from the samples.

| First seen | Internal version | Functionality linked to South Korea | C&C server |
|---|---|---|---|
| May 2018 | 2.0 | No | https://jtbcsupport[.]site:7777/ |
| Jul 2018 | 2.0 | Yes | https://jtbcsupport[.]site:7777/ |
| Aug 2018 | 2.0 | Yes | https://higamebit[.]com:6446/ |
| Sep 2018 | 2.3 | Yes | https://kingdomain[.]site:6556/ |
| Sep 2018 | 2.3 | Yes | https://bitgamego[.]com:6446/ |
| Sep 2018 | 2.3 | Yes | https://higamebit[.]com:6446/ |
| Sep 2018 | 2.3 | Yes | https://helloking[.]site:6446/ |
| Jan 2019 | 2.4 | Yes | https://kingdomain[.]site:6556/ |
| Jan 2019 | 2.5 | Yes | https://kingdomain[.]site:6556/ |

Table 2. GoBotKR version timeline

As seen in the table, the first malware samples detected in May 2018 were not yet customized for South Korean targets and were thus almost identical to the GoBot2 source code. However, we were able to link them to newer samples because they used the same C&C server.
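The C&C hosts and ports in Table 2 are most useful when they are actually matched against network telemetry. The following Go program is an added example written for this article (it is neither ESET's code nor code from the malware): it scans proxy log lines for the listed hosts, accepting defanged "[.]" notation, and separately flags connections to the non-standard C&C ports on hosts not in the list, which deserve a lower-confidence review. The log line format, the sample lines and the reason strings are constructed assumptions; the hosts and ports themselves come from the table.

```go
package main

import (
	"fmt"
	"strings"
)

// gobotkrC2 is the C&C host list from Table 2 with the "[.]" defanging
// removed, each host mapped to the port(s) it was observed on.
var gobotkrC2 = map[string][]string{
	"jtbcsupport.site": {"7777"},
	"higamebit.com":    {"6446"},
	"kingdomain.site":  {"6556"},
	"bitgamego.com":    {"6446"},
	"helloking.site":   {"6446"},
}

// nonStandardC2Ports are the C&C ports the article lists for GoBotKR.
var nonStandardC2Ports = map[string]bool{"6446": true, "6556": true, "7777": true}

// Hit is one log line that matched an indicator.
type Hit struct {
	Line   int // 1-based line number in the input
	Host   string
	Port   string
	Reason string
}

// SampleProxyLog is constructed input (assumed format:
// "<time> <client_ip> <host>:<port> <verdict>"); it is not real traffic.
var SampleProxyLog = []string{
	"2019-01-10T08:12:03Z 10.0.0.21 kingdomain.site:6556 ALLOW",
	"2019-01-10T08:12:09Z 10.0.0.21 www.example.com:443 ALLOW",
	"2019-01-10T08:13:44Z 10.0.0.37 update.example.org:7777 ALLOW",
	"2019-01-10T08:14:01Z 10.0.0.21 jtbcsupport.site:443 ALLOW",
	"malformed line",
}

// refang turns the defanged "example[.]com" form into a plain hostname.
func refang(h string) string { return strings.ReplaceAll(h, "[.]", ".") }

// splitHostPort splits "host:port" on the last colon.
func splitHostPort(s string) (host, port string, ok bool) {
	i := strings.LastIndex(s, ":")
	if i < 0 || i == len(s)-1 {
		return "", "", false
	}
	return s[:i], s[i+1:], true
}

// HuntC2 returns a Hit for every line whose destination is a known C&C host
// (exact match, any port) and for every line to an unknown host on one of the
// non-standard C&C ports. Malformed lines are skipped rather than fatal.
func HuntC2(lines []string) []Hit {
	var hits []Hit
	for i, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		host, port, ok := splitHostPort(f[2])
		if !ok {
			continue
		}
		host = strings.ToLower(refang(host))
		if ports, known := gobotkrC2[host]; known {
			reason := "known GoBotKR C&C host, unlisted port"
			for _, p := range ports {
				if p == port {
					reason = "known GoBotKR C&C host and port"
				}
			}
			hits = append(hits, Hit{i + 1, host, port, reason})
			continue
		}
		if nonStandardC2Ports[port] {
			hits = append(hits, Hit{i + 1, host, port, "GoBotKR C&C port on unknown host, review"})
		}
	}
	return hits
}

func main() {
	for _, h := range HuntC2(SampleProxyLog) {
		fmt.Printf("line %d: %s:%s -> %s\n", h.Line, h.Host, h.Port, h.Reason)
	}
}
```

Exact host matches are high confidence; the port-only matches exist because the table shows the operators reusing the same three ports across new domains, so a fresh domain on 6446, 6556 or 7777 from a host that also fits the torrent-download pattern is worth a look, while on its own it is not proof of infection.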

If you suspect you might have fallen victim to this malware campaign, we recommend you scan your computer with a reliable security solution. ESET products detect and block this malware under the detection name Win64/GoBot2. You can use ESET’s Free Online Scanner to check your computer for the presence of this threat and remove anything that is detected. Existing ESET customers are protected automatically.

Pirated content distributed via torrent sites is a well-known vector for spreading all kinds of malware. To steer clear of similar attacks in the future, stick to official sources when downloading content. Before launching downloaded files, pay attention to whether their extensions match the intended filetypes. To keep your computer protected, we advise you to patch regularly and use reputable security software.

ESET detection name


C&C servers



Note that some malware samples may be corrupted due to the nature of its distribution mechanism (torrents).

Version 2.0


Version 2.3


Version 2.4


Version 2.5


Registry values

The registry key used by GoBotKR is a subkey under [HKCU\SOFTWARE] with a variable name from a hardcoded list, mostly mimicking legitimate software names.

The following registry values are used:


| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | GoBotKR has been distributed through torrent file-sharing websites to South Korean victims, using games or Korean movie/TV series as a lure. |
| Execution | T1059 | Command-Line Interface | GoBotKR uses cmd.exe to execute commands. |
| | T1064 | Scripting | GoBotKR can download and execute scripts. |
| | T1204 | User Execution | GoBotKR's operators make the malware look like the torrent content that the user intended to download, in order to entice the user to click on it. |
| Persistence | T1060 | Registry Run Keys / Startup Folder | GoBotKR installs itself under registry run keys to establish persistence. |
| | T1053 | Scheduled Task | GoBotKR schedules a task that adds a registry run key to establish malware persistence. |
| Privilege Escalation | T1088 | Bypass User Account Control | GoBotKR attempts to bypass UAC using Registry Hijacking. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | GoBotKR has used base64 to obfuscate strings, commands and files. |
| | T1089 | Disabling Security Tools | GoBotKR may use netsh to add local firewall rule exceptions. |
| | T1158 | Hidden Files and Directories | GoBotKR stores itself in a file with Hidden and System attributes. |
| | T1070 | Indicator Removal on Host | GoBotKR removes the Zone identifier from the ADS (Alternate Data Streams) of the file, to conceal the fact the file has been downloaded from the internet. |
| | T1036 | Masquerading | GoBotKR uses filenames and registry key names associated with legitimate software. |
| | T1112 | Modify Registry | GoBotKR stores its configuration data in registry keys. GoBotKR can modify registry keys to disable Task Manager, Registry Editor and Command Prompt. |
| | T1027 | Obfuscated Files or Information | GoBotKR uses base64 to obfuscate strings, commands and files. |
| | T1108 | Redundant Access | GoBotKR installs a second copy of itself on the system, which monitors and reinstalls the primary copy if it has been removed. |
| | T1497 | Virtualization/Sandbox Evasion | GoBotKR performs several checks on the compromised machine to avoid being emulated or executed in a sandbox. |
| Discovery | T1063 | Security Software Discovery | GoBotKR checks for processes associated with security products and debugging tools, and terminates itself if any are detected. It can enumerate installed antivirus software using the wmic command. |
| | T1082 | System Information Discovery | GoBotKR uses wmic, systeminfo and ver commands to collect information about the system and the installed software. |
| | T1016 | System Network Configuration Discovery | GoBotKR uses netsh and ipconfig to collect information about the network configuration. It has used Naver and Daum portals to obtain the client IP address. |
| | T1033 | System Owner/User Discovery | GoBotKR uses whoami to obtain information about the victimized user. It runs tests to determine the privilege level of the compromised user. |
| | T1124 | System Time Discovery | GoBotKR can obtain the date and time of the compromised system. |
| Lateral Movement | T1105 | Remote File Copy | GoBotKR attempts to copy itself into public folders of cloud storage services (Google Drive, Dropbox, OneDrive). It is also able to spread itself by instructing the compromised machine to seed torrents with the malicious file. |
| | T1091 | Replication Through Removable Media | GoBotKR can drop itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system. |
| Collection | T1113 | Screen Capture | GoBotKR is capable of capturing screenshots. |
| Command and Control | T1090 | Connection Proxy | GoBotKR can be used as a proxy server. |
| | T1132 | Data Encoding | The communication with the C&C server is base64 encoded. |
| | T1105 | Remote File Copy | GoBotKR can download additional files and update itself. |
| | T1071 | Standard Application Layer Protocol | GoBotKR uses HTTP or HTTPS for C&C. |
| | T1065 | Uncommonly Used Port | GoBotKR uses non-standard ports, such as 6446, 6556 and 7777, for C&C. |
| Impact | T1499 | Endpoint Denial of Service | GoBotKR has been used to execute endpoint DDoS attacks – for example, TCP Flood or SYN Flood. |
| | T1498 | Network Denial of Service | GoBotKR has been used to execute network DDoS. |
| | T1496 | Resource Hijacking | GoBotKR can use the compromised computer's network bandwidth to seed torrents or execute DDoS. |
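Because GoBotKR implements most of its features by running Windows commands (cmd, netsh, wmic, reg, schtasks), the ATT&CK mapping above translates directly into endpoint detection rules on process-creation telemetry. The following Go program is an added example written for this article, not ESET's code or code from GoBotKR: it tags constructed process-creation records with the technique IDs the table assigns and then counts distinct techniques per parent process, so that a single masqueraded binary spawning several of these commands stands out from an administrator running one of them. The event format, sample command lines and parent paths are constructed; the registry value names DisableTaskMgr, DisableRegistryTools and DisableCMD are the standard Windows policy values for the effects the table describes and are an assumption here, since the article names the effect rather than the values.

```go
package main

import (
	"fmt"
	"strings"
)

// Technique is an ATT&CK technique as the article's table lists it.
type Technique struct {
	ID   string
	Name string
}

// rule: every needle must appear (case-insensitively) in the command line.
type rule struct {
	needles []string
	tech    Technique
}

// Rules derived from the article's ATT&CK mapping for GoBotKR. The registry
// value names DisableTaskMgr, DisableRegistryTools and DisableCMD are the
// standard Windows policy values; the article names only the effect, so
// tying T1112 to these values is an assumption made in this example.
var rules = []rule{
	{[]string{"netsh", "firewall", "add"}, Technique{"T1089", "Disabling Security Tools"}},
	{[]string{"wmic", "antivirusproduct"}, Technique{"T1063", "Security Software Discovery"}},
	{[]string{"reg", "add", "disabletaskmgr"}, Technique{"T1112", "Modify Registry"}},
	{[]string{"reg", "add", "disableregistrytools"}, Technique{"T1112", "Modify Registry"}},
	{[]string{"reg", "add", "disablecmd"}, Technique{"T1112", "Modify Registry"}},
	{[]string{"schtasks", "/create"}, Technique{"T1053", "Scheduled Task"}},
	{[]string{"attrib", "+h", "+s"}, Technique{"T1158", "Hidden Files and Directories"}},
}

// Event is a constructed process-creation record: the parent image and the
// child's command line, the two fields EDR or Sysmon telemetry would supply.
type Event struct {
	ParentImage string
	CommandLine string
}

// Detection is one event together with the distinct techniques it matched.
type Detection struct {
	Index      int
	Techniques []Technique
}

// SampleEvents is constructed input: three commands spawned by a binary named
// like a downloaded video (the lure pattern the article describes) and two
// harmless commands spawned by explorer.exe.
var SampleEvents = []Event{
	{`C:\Users\user\Downloads\movie.mkv.exe`, `cmd.exe /c wmic path AntiVirusProduct get displayName`},
	{`C:\Users\user\Downloads\movie.mkv.exe`, `cmd.exe /c netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\ProgramData\svc\svc.exe"`},
	{`C:\Windows\explorer.exe`, `cmd.exe /c ver`},
	{`C:\Users\user\Downloads\movie.mkv.exe`, `cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f`},
	{`C:\Windows\explorer.exe`, `cmd.exe /c systeminfo`},
}

func matchesAll(haystack string, needles []string) bool {
	for _, n := range needles {
		if !strings.Contains(haystack, n) {
			return false
		}
	}
	return true
}

// ClassifyEvents returns the events whose command line matches at least one
// rule, each with the distinct techniques matched (T1112 is reported once
// even if several registry rules fire on the same line).
func ClassifyEvents(events []Event) []Detection {
	var out []Detection
	for i, ev := range events {
		cl := strings.ToLower(ev.CommandLine)
		seen := map[string]bool{}
		var techs []Technique
		for _, r := range rules {
			if !seen[r.tech.ID] && matchesAll(cl, r.needles) {
				seen[r.tech.ID] = true
				techs = append(techs, r.tech)
			}
		}
		if len(techs) > 0 {
			out = append(out, Detection{Index: i, Techniques: techs})
		}
	}
	return out
}

// TechniquesByParent counts distinct technique IDs per parent image. One
// parent accumulating several of these is closer to the behaviour the article
// describes than to an administrator running a single command.
func TechniquesByParent(events []Event) map[string]int {
	ids := map[string]map[string]bool{}
	for _, d := range ClassifyEvents(events) {
		parent := events[d.Index].ParentImage
		if ids[parent] == nil {
			ids[parent] = map[string]bool{}
		}
		for _, t := range d.Techniques {
			ids[parent][t.ID] = true
		}
	}
	counts := map[string]int{}
	for p, set := range ids {
		counts[p] = len(set)
	}
	return counts
}

func main() {
	for _, d := range ClassifyEvents(SampleEvents) {
		for _, t := range d.Techniques {
			fmt.Printf("event %d (%s): %s %s\n", d.Index, SampleEvents[d.Index].ParentImage, t.ID, t.Name)
		}
	}
	for p, n := range TechniquesByParent(SampleEvents) {
		fmt.Printf("%s: %d distinct techniques\n", p, n)
	}
}
```

The substring rules are deliberately coarse (the "reg" needle, for instance, will also match unrelated command lines that contain that string), which is why the per-parent count matters more than any single hit: the value of the ATT&CK table for a SOC is the combination of discovery, firewall change and registry tampering from one freshly downloaded executable, not any of those commands in isolation.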

8 Jul 2019 – 11:30AM

Week in security with Tony Anscombe

Chinese smart home solutions provider Orvibo has leaked two billion logs from devices managed via its cloud platform, exposing sensitive information about their users

Chinese smart home solutions provider Orvibo has leaked two billion logs from devices managed via its cloud platform, exposing sensitive information about the devices’ users. The UK’s National Health Service, which was badly hit by WannaCryptor two years ago, remains vulnerable to similarly crippling incidents. A former Equifax executive goes to jail for insider trading related to the massive data breach that hit the credit bureau in 2017. All this – and more – on WeLiveSecurity.

NHS warned to act now to keep hackers at bay

A trifecta of issues impact the organization’s cyber-resilience and conspire to put it in the firing line of cyberattacks

Two years after being badly hobbled by the WannaCryptor outbreak, the United Kingdom’s National Health Service (NHS) still has a lot of work to do to avoid another crippling cyber-incident, according to a white paper from the Institute of Global Health Innovation at Imperial College London.

A trio of problems – outdated computer systems, underinvestment in cybersecurity, and a shortage of cybersecurity awareness and skills – put the institution and the safety of its patients at risk. The white paper was presented at the House of Lords yesterday.

“A cyberattack on a hospital’s computer system can leave medical staff unable to access important patient details – such as blood test results or X-rays, meaning they are unable to offer appropriate and timely care. It can also prevent life-saving medical equipment or devices from working properly, and in some cases lead to patient data being stolen,” reads a dire warning from the experts.

They also highlight risks associated with the use of new technologies in the healthcare system, including “robotics, artificial intelligence, implantable medical devices and personalized medicines based on a person’s genes”, and call for security to be built into the design of these technologies.

Then there is of course the need to manage third-party risk, as reliance on external IT service providers may leave patient data vulnerable to theft and exploitation.

Says ESET cybersecurity specialist Jake Moore: “More and more third-party technology firms are brought into helping government organizations with their day-to-day work as outsourcing is seen as a cheaper option. However, when such third-party operations are chosen, the main reason can sometimes be on cost alone, which can inevitably put security and protection of the systems lower down the priority list”.

“To see the NHS attacked again would be a disaster; therefore, protecting confidential health data on its patients should be seen as priority number one whatever the cost,” he added.

Way to go

The white paper acknowledged work that is being done across the healthcare system to boost its cyber-preparedness, including a plan announced by the Department of Health and Social Care in October 2018 to spend £150 million (US$188 million) over the next three years to bolster the NHS’s cyber-preparedness.

Having said that, the document also says that additional investments are urgently needed and suggests more measures for NHS organizations to put in place with an eye towards improving their ability to fend off cyberattacks.

Among other things, it urges the NHS to hire cybersecurity professionals, ensure that staff know where they can ask for help and guidance on IT security, and implement network segmentation and segregation strategies to stop potential threats from spreading further and limit the damage.

WannaCryptor cost the NHS £92 million ($115 million).

3 Jul 2019 – 05:31PM

Two billion user logs leaked by smart home vendor

The leak, which apparently has yet to be plugged, exposes a range of very specific data about users

A Chinese smart home solutions provider has been leaking billions of logs from devices managed via the company’s cloud platform, exposing a range of sensitive information about their users.

The database – which was found sitting on an ElasticSearch server with no password protection – belongs to a Chinese company called Orvibo. The platform, called SmartMate, is used by customers from around the world to manage their Internet-of-Things (IoT) devices, including home entertainment and security devices, and energy management and HVAC systems. A maker of around 100 smart home or smart automation products, Orvibo claims to have a million customers, both individual users and businesses.

Researchers at vpnMentor, who discovered the misconfigured server in the middle of June and described their findings in this blog post, wrote that Orvibo has been notified of the issue several times since June 16. Per latest reports (from yesterday), the database remains exposed.

There is no evidence that cybercriminals have accessed the data, but with such abundance of identifying information the scope for abuse is practically endless.

Says ESET cybersecurity specialist Jake Moore: “Criminal groups may have been aware of this data exposure, but it is unknown if anyone has taken advantage of this leak yet and I’d hope it would be plugged quite quickly now it is out. What a criminal hacker could do with this goes as far as their imagination will take them”.

What data?

The user logs – no fewer than two billion of them, in fact – contained a collection of truly varied and very specific data. There were user IDs, family names and IDs, email addresses, hashed (but not salted) passwords, smart device details, precise location data, IP addresses, as well as account reset codes, which could be used to lock people out of their accounts.

Scheduling information for things such as smart lights is also there for anyone to see. Combined with the geolocation data, this might expose people to burglaries. In one case, a smart camera log contained “a message that was recorded word for word”, according to the analysis, complete with a host of screenshots showing redacted examples of the leaked data.

2 Jul 2019 – 06:46PM

Ex-Equifax executive sent to jail for insider trading after breach

“Sounds bad”, the former Equifax CIO wrote in a text after learning of the breach that ended up affecting almost half the US population

The Equifax debacle is in the news again, as a former executive of one of the firm’s business units was sentenced to four months in prison last week for capitalizing on early knowledge of the massive security incident two years ago, according to a press release by the US Department of Justice (DOJ).

Jun Ying, the former Chief Information Officer (CIO) of Equifax’s US Information Solutions division, pled guilty back in March to selling his shares in the credit bureau. He admitted to dumping his stock after becoming aware of the breach but before it was disclosed a week and a half later.

This ultimately earned him the prison sentence, which was imposed last Thursday, as well as a fine of US$55,000. He was also ordered to pay restitution worth some US$117,000 and the prison time will be followed by a year of supervised release.

According to MarketWatch citing a court filing, prosecutors were seeking a longer jail time – a year and three months, as well as a $75,000 fine and the restitution worth US$117,000.

“Sounds bad”

As retold in detail by the DOJ, Ying knew full well what he was doing when becoming aware of the hack, and acted with alacrity:

On Friday, August 25, 2017, Ying texted a co-worker that the breach they were working on “sounds bad. We may be the one breached.” The following Monday, Ying conducted web searches on the impact of Experian’s 2015 data breach on its stock price. Later that morning, Ying exercised all of his stock options, resulting in him receiving 6,815 shares of Equifax stock, which he then sold. He received proceeds of over $950,000, and realized a gain of over $480,000, thereby avoiding a loss of over $117,000. On September 7, 2017, Equifax publicly announced its data breach, which resulted in its stock price falling.

The breach at Experian, a competitor to Equifax, affected up to 15 million people.

Meanwhile, the breach at Equifax was eventually found to affect up to 148 million people. One in every two Americans, as well as hundreds of thousands of Canadians and Brits, had a range of sensitive information, including names, social security numbers, birth dates and addresses, siphoned by hackers. As we recalled a few weeks ago, the incident was facilitated by a critical vulnerability in the Apache Struts web application framework for which a patch was issued on March 6, 2017 but which Equifax failed to install in time.

Ying is the second former Equifax executive to face the music over insider trading relating to the data breach. Last October, former Equifax software product development manager Sudhakar Reddy Bonthu was sentenced to eight months of home confinement, fined $50,000, and made to give back his ill-gotten gains.

1 Jul 2019 – 06:00PM