RAT malware spreading in Korea through webhard and torrents

An ongoing malware distribution campaign targeting South Korea disguises RATs (remote access trojans) as an adult game shared via webhards and torrents. Attackers take easily obtainable malware such as njRAT and UDP RAT, wrap it in a package that looks like a game or other program, and upload it to a webhard. A webhard is an online file-storage service popular in Korea, preferred mainly for the convenience of direct downloads. Users typically land on these sites through Discord or social media posts, but popular storage repositories also enjoy a steady stream of daily visitors because of the content being shared.

As ASEC analysts report, threat actors are now using webhards to distribute a UDP RAT disguised as a ZIP file containing an adult game. Once extracted, the archive contains a “Game.exe” launcher that is actually the UDP RAT malware. When run, Game.exe drops a Themida-packed RAT, sets itself hidden, and then creates a new Game.exe that runs the actual game, convincing the victim that nothing is wrong. For this campaign, ASEC was unable to capture any additional payloads, so that capability may be reserved for future deployment or used only intermittently.
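The launcher behaviour described above (a process writes one or more executables to disk, then starts a child whose image has the same file name as its own but is a different binary) is something endpoint telemetry can be checked for. The following is an added example, not ASEC’s or Heimdal’s code: the event records are constructed to resemble Sysmon process-create and file-create events, and the field names, paths and hash values are assumptions that would need mapping to a real log source.

```python
"""Flag a launcher that drops executables and then re-spawns under its own
file name with a different binary (the "new Game.exe" pattern).

Added example, not code from the original article. Events below are
constructed to look like Sysmon ProcessCreate (ID 1) and FileCreate (ID 11)
records; field names and values are assumptions, not real telemetry.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry). "t" is seconds since boot.
SAMPLE_EVENTS = [
    {"t": 10, "type": "ProcessCreate", "pid": 4001, "ppid": 900,
     "image": r"C:\Users\u\Downloads\game\Game.exe", "hash": "aaaa1111"},
    {"t": 11, "type": "FileCreate", "pid": 4001,
     "target": r"C:\Users\u\AppData\Roaming\svc.exe"},     # dropped RAT
    {"t": 12, "type": "FileCreate", "pid": 4001,
     "target": r"C:\Users\u\Downloads\game\Game.exe"},      # replacement Game.exe
    {"t": 13, "type": "ProcessCreate", "pid": 4002, "ppid": 4001,
     "image": r"C:\Users\u\AppData\Roaming\svc.exe", "hash": "bbbb2222"},
    {"t": 14, "type": "ProcessCreate", "pid": 4003, "ppid": 4001,
     "image": r"C:\Users\u\Downloads\game\Game.exe", "hash": "cccc3333"},
    # Benign installer: writes an executable, but the child has a different name.
    {"t": 50, "type": "ProcessCreate", "pid": 5001, "ppid": 900,
     "image": r"C:\Users\u\Downloads\setup.exe", "hash": "dddd4444"},
    {"t": 51, "type": "FileCreate", "pid": 5001,
     "target": r"C:\Program Files\App\app.exe"},
    {"t": 52, "type": "ProcessCreate", "pid": 5002, "ppid": 5001,
     "image": r"C:\Program Files\App\app.exe", "hash": "eeee5555"},
]


def _basename(path):
    # Windows paths: split on backslash ourselves so this also works on a
    # POSIX analysis host, where os.path.basename would not split them.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_self_replacing_launchers(events):
    """Return findings as (launcher_pid, launcher_image, dropped_exes, child_pid).

    A finding is raised when a process that has written at least one .exe
    starts a child whose image basename equals its own but whose hash differs.
    """
    procs = {}                    # pid -> ProcessCreate record
    dropped = defaultdict(list)   # pid -> executables that pid wrote
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "FileCreate":
            if ev["target"].lower().endswith(".exe"):
                dropped[ev["pid"]].append(ev["target"])
        elif ev["type"] == "ProcessCreate":
            procs[ev["pid"]] = ev
            parent = procs.get(ev["ppid"])
            if parent is None:
                continue
            same_name = _basename(parent["image"]) == _basename(ev["image"])
            different_binary = parent["hash"] != ev["hash"]
            if same_name and different_binary and dropped[parent["pid"]]:
                findings.append((parent["pid"], parent["image"],
                                 list(dropped[parent["pid"]]), ev["pid"]))
    return findings


if __name__ == "__main__":
    for pid, image, exes, child in find_self_replacing_launchers(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}) wrote {exes} then spawned pid {child} under its own name")
```

The rule is deliberately narrow: a legitimate installer that writes an executable and starts it under a different name (the `setup.exe` case) is not flagged, while the launcher that writes files and then re-launches a different binary named `Game.exe` is. On real data, add the hidden-attribute change and the network activity of the dropped file as further evidence before treating a hit as confirmed.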
RATs give hackers remote access to your computer
If you’ve ever had to call technical support for a PC, you probably know the magic of remote access. When remote access is enabled, authorized computers and servers can control everything that happens on your PC.

A RAT is a type of malware that is very similar to legitimate remote access programs. The main difference, of course, is that RATs are installed on a computer without the user’s knowledge. Most legitimate remote access programs are designed for technical support and file-sharing purposes, while RATs are designed to spy on, hijack, or destroy computers.

Like most malware, RATs are grafted onto legitimate-looking files. Hackers can attach a RAT to a document in an email or bundle it into large software, such as a video game. Advertisements and malicious web pages can also deliver RATs, but most browsers prevent automatic downloads from websites or warn you when a site is unsafe.

Unlike some malware and viruses, it can be difficult to know when you’ve downloaded a RAT. Generally speaking, a RAT won’t slow down your computer, and hackers won’t always betray themselves by deleting your files or moving your cursor around the screen. In some cases, users are infected with a RAT for years without noticing anything abnormal. But why are RATs so secretive, and how are they useful to hackers?
How does a remote access Trojan work?

Like other forms of malware, remote access trojans are typically attached to what appear to be legitimate files, such as email attachments or pre-packaged software. Threat actors have also been observed changing their delivery techniques quickly once a method is discovered and publicly exposed. What really makes a RAT dangerous, though, is that it mimics trusted remote access applications. Once installed, it usually disguises itself as a legitimate program (as the Game.exe launcher above does) or otherwise avoids drawing attention in the list of running programs, because staying hidden is exactly what makes the access valuable to the attacker. If you do not take proper security measures, a remote access trojan can sit on your computer for a long time without being detected.

Unlike a keylogger, a type of malware that records keystrokes without the victim realizing it, or ransomware, which encrypts the data on a PC or mobile device and blocks the owner’s access until a ransom is paid, a remote access trojan gives attackers full remote control over the infected system (up to the privileges of the account it runs under, which on a home PC is often an administrator) for as long as it goes unobserved. As you can imagine, this can lead to tricky situations. For example, if a RAT is paired with a keylogger, it can easily obtain login credentials for financial and personal accounts. Worse, attackers can stealthily activate a computer’s camera or microphone, access private photos and documents, or use your home network as a proxy to commit crimes anonymously.

Who is targeted?

Creating remote access trojans that evade detection is a meticulous process, which means it is often more profitable for hackers to use them against larger targets like governments, businesses, and financial institutions. But they don’t stop there. The administrative access a RAT provides lets cybercriminals wipe hard drives, exfiltrate confidential or classified information, or even impersonate someone else on the Internet.

These actions can have geopolitical implications. If attackers succeed in installing remote access trojans in power plants, traffic control systems, or telephone networks, for example, they can gain powerful control over them and disrupt communities, towns, cities, and even nations. In this regard, we recall the 2008 war between Russia and Georgia, when Russia used a coordinated campaign of physical and cyber warfare to seize territory from the neighboring Republic of Georgia.

How to Protect Yourself from RAT Malware

1. Never download anything from unreliable sources

It may sound simple or obvious, but this is the most effective way to keep your system from being infected with a remote access trojan. Do not open email attachments from people you don’t know (or even from people you know, if the message seems off or suspicious in some way), and do not download files from unreliable websites. Additionally, always make sure your browsers and operating system are patched and up to date.

2. Keep your antivirus software up to date

Home and small business networks can often benefit from antivirus software like our Heimdal™ Threat Prevention. If you are new to our product, Heimdal™ Threat Prevention is designed to protect customers from attacks such as malware and ransomware that traditional antivirus cannot detect. It can block different sources of malware infection, such as malicious attachments, infected links you may receive by email, infected web pages, or malicious web applications that appear legitimate at first glance but aim to spread ransomware. Keep in mind, however, that antivirus software won’t be much help if you actively download files and install programs that you shouldn’t.

3. Use intrusion detection systems

This is the most effective option for large organizations. An intrusion detection system can be host-based (HIDS) or network-based (NIDS). A HIDS is installed on a specific device and monitors log files and application data for signs of malicious activity, while a NIDS inspects network traffic in real time for suspicious behavior. Feeding both into a security information and event management (SIEM) system lets their alerts be correlated, which can surface intrusions that have slipped past firewalls, antivirus software, and other security solutions. Note that an IDS detects and alerts; actually blocking the traffic requires an intrusion prevention system (IPS) or a response process that acts on the alert.
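One NIDS-style check that catches a RAT which is otherwise quiet on the host is beaconing detection: a hidden implant that polls its command server produces flows at nearly regular intervals, which is unlike most user-driven traffic. The block below is an added example, not code from Heimdal or from any IDS product. The flow records are constructed for the example, and the record layout (timestamp, source, destination:port, protocol, bytes) and the thresholds are assumptions to be tuned against real traffic.

```python
"""Periodic-beacon detection over flow records.

Added example, not from the original article. Groups flows by
(src, dst, proto) and flags pairs whose inter-flow gaps are nearly constant
(coefficient of variation below a threshold). Records are constructed here.
"""
import statistics
from collections import defaultdict

# Constructed flow records: "epoch_seconds src_ip dst_ip:port proto bytes".
# The 10.0.0.5 -> 203.0.113.9 UDP flows arrive roughly every 60 s; the TCP
# flows to 198.51.100.20 are irregular browsing; the DNS pair is too short.
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 203.0.113.9:8800 udp 64
1700000060 10.0.0.5 203.0.113.9:8800 udp 64
1700000121 10.0.0.5 203.0.113.9:8800 udp 64
1700000180 10.0.0.5 203.0.113.9:8800 udp 64
1700000241 10.0.0.5 203.0.113.9:8800 udp 64
1700000300 10.0.0.5 203.0.113.9:8800 udp 64
1700000007 10.0.0.5 198.51.100.20:443 tcp 5120
1700000012 10.0.0.5 198.51.100.20:443 tcp 800
1700000090 10.0.0.5 198.51.100.20:443 tcp 70000
1700000211 10.0.0.5 198.51.100.20:443 tcp 300
1700000330 10.0.0.5 198.51.100.20:443 tcp 12000
1700000015 10.0.0.7 192.0.2.50:53 udp 70
1700000016 10.0.0.7 192.0.2.50:53 udp 70
"""


def parse_flows(text):
    """Parse the whitespace-separated record format used above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def find_beacons(flows, min_flows=5, max_jitter=0.15):
    """Return (src, dst, proto, mean_interval, jitter) for regular talkers.

    jitter is pstdev(gaps) / mean(gaps); a low value means the gaps between
    consecutive flows are nearly identical, the signature of a timer-driven
    check-in rather than a person clicking around.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["proto"])].append(f["ts"])

    beacons = []
    for key, times in by_pair.items():
        if len(times) < min_flows:          # too few samples to judge
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:                       # duplicate timestamps, skip
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append((*key, mean, jitter))
    return beacons


if __name__ == "__main__":
    for src, dst, proto, mean, jitter in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst} ({proto}): every {mean:.0f}s, jitter {jitter:.3f}")
```

Legitimate software also beacons (NTP, update checkers, monitoring agents), so in practice the output is filtered through an allowlist of known destinations and enriched with the process name from a HIDS before it is raised as an alert; that correlation step is what the SIEM layer described above provides. RATs that randomize their sleep interval push the jitter up, so `max_jitter` is a tuning knob rather than a fixed constant.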