xRAT Malware Targets Windows Users via Fake Adult Game

AhnLab Security Intelligence Center (ASEC) has uncovered a dangerous distribution campaign targeting Windows users through Korean webhard services.

Threat actors are leveraging xRAT (QuasarRAT) malware, disguising it as legitimate adult game content to deceive unsuspecting users into downloading and executing malicious files.

Korean webhard services have become a prime vector for malware distribution, with threat actors consistently exploiting their popularity among users.

The malicious actors behind this xRAT campaign follow a pattern that has been documented across multiple previous campaigns involving njRAT, Remcos, UDP Rat, Korat, and XWorm malware families.

By disguising payloads as legitimate software, games, and adult content, these threat actors maintain high infection rates while evading initial detection.

The Deceptive Distribution Mechanism

The attack begins when users download what appears to be an adult game from a compromised or fraudulent webhard post. Upon extraction, the ZIP file contains seemingly innocuous files, including “Game.exe,” “Data1.Pak,” “Data2.Pak,” and “Data3.Pak.”

File structure.

Users naturally execute “Game.exe” expecting the game to launch. However, this executable serves as a malicious launcher rather than the actual game application.

The initial launcher executes the genuine game launcher from “Data1.Pak,” creating a false sense of legitimacy.

While the game runs, the malware silently deploys in the background, a social engineering technique that keeps users unaware of the infection.

When users click the “Game Play!” button, the malware initiates its infection chain.

The launcher copies files to hidden system directories: “Data1.Pak” becomes “Play.exe” in the “Locales_module” folder, while “Data2.Pak” and “Data3.Pak” are relocated to “C:\Users\[User Account Name]\AppData\Local\Microsoft\Windows\Explorer” with the names “GoogleUpdate.exe” and “WinUpdate.db” respectively.

The “GoogleUpdate.exe” component performs critical malicious operations. It locates “WinUpdate.db” and applies AES-based decryption to extract the final shellcode payload.

Notably, this component patches the EtwEventWrite() function in explorer.exe with a 0xC3 (RET) instruction, effectively turning off Event Tracing for Windows (ETW) event logging, a key defense mechanism that security tools rely on for threat detection.
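As an added example (not code from the ASEC report or this article), the following Python self-check performs the kind of integrity test an EDR uses against this technique: it reads the first bytes of ntdll!EtwEventWrite in the calling process (Windows only) and flags the 0xC3 (RET) overwrite the report describes. The additional patch patterns and the sample byte strings are assumptions constructed for illustration, not values taken from the malware.

```python
"""Detect an in-memory patch of EtwEventWrite such as the 0xC3 (RET) overwrite.

A process whose EtwEventWrite starts with RET emits no ETW events at all, so
the prologue of that export is worth checking in any process under suspicion.
The classifier works on raw bytes and runs anywhere; only the reader needs Windows.
"""
import sys
from typing import Optional

# Byte patterns an analyst would flag at the start of an ETW export.
# The first entry is the exact patch described in the report; the rest are
# common variants (assumption: not taken from the report).
PATCH_PATTERNS = {
    b"\xc3":         "ret",
    b"\xc2":         "ret imm16",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\xe9":         "jmp rel32 (detour)",  # may also be a legitimate EDR hook
    b"\xeb":         "jmp rel8 (detour)",   # verify where the jump lands
}

# Constructed sample prologues for offline testing (not captured from the malware).
SAMPLES = {
    "intact":  b"\x4c\x8b\xdc\x49\x89\x5b\x08",  # mov r11,rsp; mov [r11+8],rbx
    "patched": b"\xc3\x8b\xdc\x49\x89\x5b\x08",  # first byte replaced by RET
}


def classify_prologue(prologue: bytes) -> Optional[str]:
    """Return a label for the tampering if the prologue looks patched, else None."""
    for pattern, label in PATCH_PATTERNS.items():
        if prologue.startswith(pattern):
            return label
    return None


def read_etw_event_write_prologue(length: int = 8) -> Optional[bytes]:
    """Read the first bytes of EtwEventWrite in this process (Windows only)."""
    if sys.platform != "win32":
        return None  # keeps the module importable on other platforms
    import ctypes
    ntdll = ctypes.WinDLL("ntdll")
    address = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(address, length)


def check_self() -> str:
    """Human-readable verdict for the current process."""
    prologue = read_etw_event_write_prologue()
    if prologue is None:
        return "not a Windows process; nothing to check"
    verdict = classify_prologue(prologue)
    return f"EtwEventWrite patched ({verdict})" if verdict else "EtwEventWrite prologue intact"


if __name__ == "__main__":
    print(check_self())
```

For a foreign process the same classifier applies to bytes read with ReadProcessMemory, and comparing them against the on-disk ntdll copy removes false positives from hot-patch stubs.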

xRAT Capabilities and Impact

The final payload injected into explorer.exe is xRAT, also known as QuasarRAT, an open-source remote access trojan with extensive malicious capabilities.

Event log disabled code.

Once activated, xRAT can collect sensitive system information, perform keystroke logging to capture credentials and sensitive data, and download or upload files on the compromised system.

These capabilities make xRAT a serious threat to both individual users and organizational security.

Given the active distribution of malware through Korean webhard services and similar file-sharing platforms, users must exercise extreme caution when downloading executable files from these sources.

The primary defense strategy involves obtaining software exclusively from official vendor websites rather than third-party file-sharing platforms.

Security teams should implement endpoint detection and response (EDR) solutions and keep systems updated with the latest security patches.

AhnLab has provided the following detection signatures: File Detection includes Data/Bin.Shellcode, Trojan/Win.Agent.C5834849, Trojan/Win.Loader.C5834845, and Trojan/Win32.Subti.C1663822. Behavior Detection includes Malware/MDP.Behavior.M1839.

The persistence of webhard-based malware distribution underscores the importance of user awareness and maintaining strict software sourcing practices in the ongoing battle against cyber threats.
