A GoLang-programmed IRC (Internet Relay Chat) bot strain is being used to perform distributed denial-of-service (DDoS) attacks against Korean users.
Researchers at AhnLab’s Security Emergency-response Center (ASEC) revealed in a new paper issued on Wednesday that the virus is being distributed under the appearance of adult games. “In addition, the DDoS malware was downloaded and the UDP RAT was employed.”
The Attack Strategy
The virus is being distributed by the attackers using file-sharing websites such as Korean WebHards, according to researchers.
- First, the malware-infected games are compressed ZIP packages and posted to webhards (a type of remote file storage service).
- Secondly, when the game is launched, an executable (Game Open[.]exe) is staged to run a malware payload while the game is launched.
- This payload, a GoLang-based downloader, connects to a remote command-and-control (C&C) server to download more malware, including a DDoS-attacking IRC bot.
- “It’s a sort of DDoS Bot malware, but it communicates with the C&C server using IRC protocols,” the researchers explained. “Unlike UDP Rat, which only supported UDP Flooding assaults, Slowloris, Goldeneye, and Hulk DDoS attacks are all supported.”
According to the experts, GoLang’s minimal development costs and cross-platform capabilities have made it a popular choice among threat actors.
“The malware is actively transmitted via file-sharing websites such as Korean webhards,” according to AhnLab. “As a result, using executables downloaded from a file-sharing website with caution is suggested. It is recommended that customers obtain products from the developers’ official websites.”
What Is The Mechanism Behind It?
- The DDoS IRC bot is installed using a GoLang downloader, UDP RAT, and a publicly available open-source Simple-IRC-Botnet.
- The malware communicates with the C2 server using IRC protocols. While operating, it connects to a specified IRC server and enters the attacker’s channel. If directives are sent through the channel, it can launch DDoS assaults against a target.
- While the UDP RAT just enables UDP Flooding assaults, this one also supports Hulk DDoS, Slowloris, and Goldeneye attacks.
The DDoS IRC bot is brand new and not frequently used yet. It is, however, still being aggressively propagated on Korean webhards, indicating a specific target group of potential victims. When downloading files from a file-sharing website, it is essential to be cautious and only use official sources.