Skip to content

Threat actors are circulating RemcosRAT via webhards in South Korea

  • by
  • 2 min read

Remcos Remote Access Trojan (RAT) malware, disguised as adult games and distributed through webhard platforms, has been circulating in South Korea.

Webhards are remote file-hosting services that make it quite easier to download and upload illegal data, including films, video games, and porn. These platforms are also a go-to spot for threat actors to distribute RATs. Earlier, webhards were used to disseminate malware like UDP RAT and njRAT, camouflaging as legitimate files.

Cybersecurity researchers from AhnLab Security Intelligence Center (ASEC) discovered that a third malware, RemcosRAT, is also being distributed via the same platform.

This is an image of infectionchainremcosratwebhard ss1
RemcosRAT infection chain. | Source: ASEC

Researchers found that the malware was strategically concealed within various games, utilising a common method. According to ASEC, these deceptive games often come with a guide instructing users to run the Game.exe file that users may find seemingly innocuous game launcher files.

However, ASEC’s investigation revealed that the actual dynamic-link library (DLL) responsible for running various games exists separately. Malicious Visual Basic Scripts (VBS) are executed alongside the game file when users run Game.exe.

The ultimate execution involves the ffmpeg.exe malware. Upon execution, the malware splits the ‘sexyz’ string to extract the encrypted binary and Key value from test.jpg. These extracted elements are then injected into explorer.exe.

This is an image of infectionchainremcosratwebhard ss2
RemcosRAT malware. | Source: ASEC

The injected malware downloads the RemcosRAT through the command and control (C&C) server. Additional malicious activities are attempted by injecting the RAT into ServiceModelReg.exe.

“Users need to take caution as malware is being distributed actively via file-sharing websites such as Korean webhards. As such, caution is advised when running executables downloaded from a file-sharing website. It is recommended that users download programs from the official websites,” urged the researchers.

In August last year, threat actors combined TargetCompany ransomware and RemcosRAT, employing fully undetectable (FUC) packers and adding a layer of sophisticated obfuscation to the payloads.

In the News: Real money games get Google’s support in India, Mexico and Brazil

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

Related Reads

Illustration: jmiks | shutterstock

Armenian ransomware operator extradited to the US

This is an image of dark web hacker security

Cambodia arrests over 1,000 in cybersecurity raids

This is an image of amazon shopping 1

200 million Prime customers are vulnerable to scammers, says Amazon

Google's advanced protection program now covers chrome

Actively exploited Chrome zero-day gets patched

This is an image of pirate flag 2344562 1280

FBI seizes multiple video game piracy websites

This is an image of cyber security hacked breach

US debt settlement firm suffers data breach; 160,000 customers affected

>