ID | X0027 |
Aliases | None |
Platforms | Windows |
Year | 2019 |
Associated ATT&CK Software | None |
Modified version of a publicly available backdoor named GoBot2. The modifications are mainly evasion techniques specific to South Korea. [1]
From [1], “The malware installs two instances of itself on the system. The second instance (watchdog) monitors whether the first instance is still active and reinstalls it if it has been removed from the system.”
ATT&CK Technique | Use |
---|---|
Initial Access::Drive-by Compromise (T1189) | GoBotKR has been distributed through torrent file-sharing websites to South Korean victims, using games or Korean movie/TV series as a lure. [1] |
Persistence::Scheduled Task (T1053) | GoBotKR schedules a task that adds a registry run key to establish malware persistence. [1] |
Privilege Escalation::Abuse Elevation Control Mechanism::Bypass User Account Control (T1548.002) | GoBotKR attempts to bypass UAC using Registry Hijacking. [1] |
Defense Evasion::Deobfuscate/Decode Files or Information (T1140) | GoBotKR has used base64 to obfuscate strings, commands and files. [1] |
Defense Evasion::Indicator Removal (T1070) | GoBotKR deletes the Zone.Identifier alternate data stream (ADS) from its file, removing the mark-of-the-web that records that the file was downloaded from the internet. [1] |
Defense Evasion::Masquerading (T1036) | GoBotKR uses filenames and registry key names associated with legitimate software. [1] |
Discovery::Software Discovery::Security Software Discovery (T1518.001) | GoBotKR checks for processes associated with security products and debugging tools, and terminates itself if any are detected. It can enumerate installed antivirus software using the wmic command. [1] |
Discovery::System Network Configuration Discovery (T1016) | GoBotKR uses netsh and ipconfig to collect information about the network configuration. It has queried the Naver and Daum web portals to learn the host's externally visible IP address. [1] |
Discovery::System Owner/User Discovery (T1033) | GoBotKR uses whoami to obtain information about the victimized user. It runs tests to determine the privilege level of the compromised user. [1] |
Discovery::System Time Discovery (T1124) | GoBotKR can obtain the date and time of the compromised system. [1] |
Command and Control::Ingress Tool Transfer (T1105) | GoBotKR attempts to copy itself into public folders of cloud storage services (Google Drive, Dropbox, OneDrive). [1] |
Lateral Movement::Replication Through Removable Media (T1091) | GoBotKR can drop itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system. [1] |
Command and Control::Proxy (T1090) | GoBotKR can be used as a proxy server. [1] |
Command and Control::Data Encoding (T1132) | The communication with the C&C server is base64 encoded. [1] |
Command and Control::Application Layer Protocol (T1071) | GoBotKR uses HTTP or HTTPS for C&C. [1] |
Command and Control::Non-Standard Port (T1571) | GoBotKR uses non-standard ports, such as 6446, 6556 and 7777, for C&C. [1] |
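The four command-and-control rows above (proxying, base64-encoded traffic, HTTP/HTTPS, and the ports 6446, 6556 and 7777) together give a network analyst something concrete to hunt for. The following Python is an added example, not code from this page, from ESET or from MITRE: it triages HTTP transaction records, flagging the catalogued C2 ports and request bodies that are valid base64 decoding to readable text. The record layout, the set of ports treated as "standard" for HTTP, and the payloads are constructed for the example and do not reproduce GoBotKR's actual message format.

```python
"""Network-side triage for GoBotKR-style C2 traffic (added example).

Flags (a) HTTP to the non-standard ports the catalog lists for GoBotKR C2 and
(b) request bodies that are strict base64 and decode to mostly printable text,
which is how the catalog says the bot encodes its C2 traffic. Records and
payloads below are constructed; they are not GoBotKR's real protocol.
"""
import base64
import binascii
import re
import string

C2_PORTS = {6446, 6556, 7777}          # ports named in the catalog entry (T1571)
STANDARD_HTTP_PORTS = {80, 443, 8080}  # assumption: what counts as "standard" locally
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)


def decode_if_base64(body, min_len=8, printable_ratio=0.9):
    """Return the decoded text if `body` is strict base64 that decodes to
    mostly printable characters, otherwise None."""
    body = body.strip()
    if len(body) < min_len or len(body) % 4 or not B64_RE.match(body):
        return None
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")   # U+FFFD counts as non-printable
    if not text:
        return None
    ratio = sum(ch in PRINTABLE for ch in text) / len(text)
    return text if ratio >= printable_ratio else None


def triage(record):
    """Return a list of human-readable findings for one HTTP transaction."""
    findings = []
    if record["dport"] in C2_PORTS:
        findings.append(f"catalogued GoBotKR C2 port {record['dport']}")
    elif record["dport"] not in STANDARD_HTTP_PORTS:
        findings.append(f"HTTP on non-standard port {record['dport']}")
    decoded = decode_if_base64(record.get("body", ""))
    if decoded is not None:
        findings.append("base64 body decodes to text: " + decoded[:40])
    return findings


def run(records):
    """Map record id -> findings, keeping only records with at least one finding."""
    out = {}
    for rec in records:
        findings = triage(rec)
        if findings:
            out[rec["id"]] = findings
    return out


# Constructed sample records (placeholder payloads, not GoBotKR's real format).
SAMPLE_RECORDS = [
    {"id": "r1", "dst": "203.0.113.10", "dport": 6446, "method": "POST",
     "body": base64.b64encode(b"host=WS01;user=kim;ver=1.2").decode()},
    {"id": "r2", "dst": "198.51.100.7", "dport": 443, "method": "POST",
     "body": '{"ok":true}'},                                  # ordinary JSON, no finding
    {"id": "r3", "dst": "203.0.113.10", "dport": 7777, "method": "POST",
     "body": base64.b64encode(bytes(range(40))).decode()},   # base64 but binary payload
    {"id": "r4", "dst": "192.0.2.9", "dport": 8081, "method": "GET", "body": ""},
]

if __name__ == "__main__":
    for rec_id, findings in run(SAMPLE_RECORDS).items():
        print(rec_id, "->", "; ".join(findings))
```

The body check only helps for cleartext HTTP or TLS-intercepted traffic; for HTTPS on 6446/6556/7777 the port and destination are the usable signals, and the port list should be treated as an indicator for this family rather than a general rule.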
Enhanced ATT&CK Technique | Use |
---|---|
Execution::Command and Scripting Interpreter (E1059) | GoBotKR uses cmd.exe to execute commands. [1] |
Persistence::Registry Run Keys / Startup Folder (F0012) | GoBotKR installs itself under registry run keys to establish persistence. [1] |
Defense Evasion::Hidden Files and Directories (F0005) | GoBotKR stores itself in a file with Hidden and System attributes. [1] |
Defense Evasion::Obfuscated Files or Information (E1027) | GoBotKR uses base64 to obfuscate strings, commands and files. [1] |
Defense Evasion::Modify Registry (E1112) | GoBotKR can modify registry keys to disable Task Manager, Registry Editor and Command Prompt. [1] |
Collection::Screen Capture (E1113) | GoBotKR is capable of capturing screenshots. [1] |
Execution::User Execution (E1204) | GoBotKR's operators make the malware look like the torrent content the user intended to download, in order to entice the user to open it. [1] |
Command and Control::Ingress Tool Transfer (E1105) | GoBotKR can download additional files and update itself. [1] |
Discovery::System Information Discovery (E1082) | GoBotKR uses wmic, systeminfo and ver commands to collect information about the system and the installed software. [1] Query environment variable (This capa rule had 2 matches) [2] |
Discovery::File and Directory Discovery (E1083) | Check if file exists (This capa rule had 1 match) [2] |
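The discovery and evasion rows in the two tables above (wmic AntiVirusProduct enumeration, netsh/ipconfig, whoami, systeminfo/ver, the scheduled task that writes a Run key, and the registry edits that disable Task Manager, Registry Editor and Command Prompt) all surface as command lines spawned through cmd.exe, so they can be hunted together in process-creation telemetry. The following Python is an added example, not code from this page, from ESET or from MITRE: it scans constructed process-creation events and flags a parent process whose children trip several distinct rules. The event layout, the lure file name and the rule thresholds are assumptions made for the example; the policy value names DisableTaskMgr, DisableRegistryTools and DisableCMD are the standard Windows values for disabling those tools and are an assumption about how that behaviour would appear, since the page does not name the values the malware sets.

```python
"""Host-side detection of GoBotKR-style command-line activity (added example).

Scans process-creation records (Sysmon Event ID 1 / Security 4688 shape) for the
commands the catalog attributes to GoBotKR and flags a parent whose children
match at least `threshold` distinct rules. Events below are constructed.
"""
import re
from collections import defaultdict

# rule name -> (catalog row it covers, case-insensitive regex over the command line)
RULES = {
    "av_enum_wmic":       ("T1518.001", r"\bwmic\b.*\bantivirusproduct\b"),
    "net_config":         ("T1016",     r"\b(?:netsh|ipconfig)\b"),
    "user_discovery":     ("T1033",     r"\bwhoami\b"),
    "sys_info":           ("E1082",     r"\b(?:systeminfo|ver)\b"),
    "schtasks_create":    ("T1053",     r"\bschtasks(?:\.exe)?\s+/create\b"),
    "runkey_persistence": ("F0012",     r"\breg(?:\.exe)?\s+add\b.*\\currentversion\\run\b"),
    # assumption: standard Windows policy values, not named on the page
    "disable_tools":      ("E1112",     r"\b(?:DisableTaskMgr|DisableRegistryTools|DisableCMD)\b"),
}
COMPILED = {name: (row, re.compile(rx, re.I)) for name, (row, rx) in RULES.items()}


def match_rules(cmdline):
    """Return the set of rule names whose regex matches this command line."""
    return {name for name, (_, rx) in COMPILED.items() if rx.search(cmdline)}


def detect(events, threshold=3):
    """Group child command lines by (host, parent pid) and return the parents
    whose children trip at least `threshold` distinct rules."""
    by_parent = defaultdict(set)
    parent_name = {}
    for ev in events:
        key = (ev["host"], ev["ppid"])
        by_parent[key] |= match_rules(ev["cmdline"])
        parent_name[key] = ev["parent"]
    return {key: {"parent": parent_name[key], "rules": sorted(names)}
            for key, names in by_parent.items() if len(names) >= threshold}


# Constructed events: a binary masquerading as torrent content drives cmd.exe,
# plus an administrator's interactive shell that should stay below threshold.
BOT = r"C:\Users\kim\Downloads\Drama.E01.mkv.exe"   # constructed lure name
ADMIN_SHELL = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "ppid": 4120, "parent": BOT,
     "cmdline": r"cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"host": "WS01", "ppid": 4120, "parent": BOT, "cmdline": "cmd.exe /c whoami"},
    {"host": "WS01", "ppid": 4120, "parent": BOT, "cmdline": "cmd.exe /c ipconfig /all"},
    {"host": "WS01", "ppid": 4120, "parent": BOT, "cmdline": "cmd.exe /c systeminfo"},
    {"host": "WS01", "ppid": 4120, "parent": BOT,
     "cmdline": r'cmd.exe /c schtasks /create /tn Update /sc onlogon /tr "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ /d C:\ProgramData\Update\svchost.exe /f"'},
    {"host": "WS01", "ppid": 4120, "parent": BOT,
     "cmdline": r"cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"host": "WS02", "ppid": 900, "parent": ADMIN_SHELL, "cmdline": "ipconfig /all"},
    {"host": "WS02", "ppid": 900, "parent": ADMIN_SHELL, "cmdline": "whoami /groups"},
]

if __name__ == "__main__":
    for (host, ppid), hit in detect(SAMPLE_EVENTS).items():
        rows = ", ".join(f"{r} ({RULES[r][0]})" for r in hit["rules"])
        print(f"{host} pid {ppid} {hit['parent']}: {rows}")
```

Grouping by parent process is what separates a single ipconfig from an administrator's shell from the burst of reconnaissance a bot performs right after launch; lower the threshold, or key on the parent image living under a user-writable path, if the environment rarely sees whoami and ipconfig together.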
MBC Behavior | Use |
---|---|
Execution::Install Additional Program (B0023) | GoBotKR reinstalls its running instance if it is removed. [1] |
Anti-Behavioral-Analysis::Sandbox Detection (B0007) | GoBotKR performs several checks on the compromised machine to avoid being emulated or executed in a sandbox. [1] |
Command and Control::C2 Communication::Receive Data (B0030.002) | GoBotKR receives data from the C2 server. [1] |
Impact::Denial of Service (B0033) | GoBotKR has been used to execute DDoS attacks against endpoints, for example TCP flood or SYN flood. [1] |
Impact::Resource Hijacking (B0018) | GoBotKR can use the compromised computer’s network bandwidth to seed torrents or execute DDoS. [1] |
Command and Control::C2 Communication::Receive Data (B0030.002) | Receive data (This capa rule had 2 matches) [2] |
File System::Copy File (C0045) | Copy file (This capa rule had 1 match) [2] |
File System::Create Directory (C0046) | Create directory (This capa rule had 1 match) [2] |
File System::Delete File (C0047) | Delete file (This capa rule had 1 match) [2] |
Operating System::Registry::Query Registry Value (C0036.006) | Query or enumerate registry value (This capa rule had 1 match) [2] |
Process::Create Process (C0017) | Create process on Windows (This capa rule had 4 matches) [2] |
Process::Create Thread (C0038) | Create thread (This capa rule had 2 matches) [2] |
Process::Suspend Thread (C0055) | Suspend thread (This capa rule had 2 matches) [2] |
Process::Terminate Process (C0018) | Terminate process (This capa rule had 1 match) [2] |
SHA256 Hashes
- 492e8ee240492768232b717a60a880f216fd936b6ed9f5b6f67fe83db3bbc7d4
- d4420f7f6fbc361bac02bcd9d994703735b15da80775ee20862db47b59d521d6
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] capa v4.0, analyzed at MITRE on 10/12/2022