The DoubleGuns botnet has become one of the most significant malware families of its category in China. It has developed into a major threat in the past few years and has already infected thousands of computers.
DoubleGuns Botnet Emerges as One Of The Leading Threats in China
Chinese users are among the most targeted by malware, as many campaigns are tailor-made against them. DoubleGuns has grown into a leading malware family and a very dangerous threat.
It has been active since at least 2017, when its first samples were identified. Over the years the hacking group(s) behind it have used various strategies to infect target users. All computer users are affected; no particular emphasis on a certain type of user has been found. The main distribution tactic relies on creating infected applications and files that include the main malicious executable. Common examples include the following:
- Macro-Infected Documents — They can be of all popular types: text documents, presentations, spreadsheets and databases. As soon as they are opened by the victims, a window appears asking them to run the included scripts. This triggers the malware installation.
- Individual Files — The virus code can be implanted in individual files such as patches, add-ons, executables and “cracks”.
- App Installers — Many infections are carried out by integrating the malware code into software setup bundles. These include popular applications that end users often install: creativity suites, system utilities, productivity tools and so on.
As soon as one of the samples has infected a Windows computer, the built-in behavior sequence is run. As many of the infections are done by downloading and running pirated copies of popular games and applications, the actions are run immediately. A dangerous action is the MBR infection — this replaces the master boot record of the affected computer. This can replace the ordinary boot options, make it impossible to enter recovery menus and so on.
A related action is the replacement of device drivers, which allows a deep Trojan-like infection of the operating system. Device drivers are an essential part of every Windows computer, and such actions allow the malicious engine to hook into system applications and important services. Information gathering is done using these methods. The obtained data can reveal personal information about the users, machine metrics and stored credentials. A particular emphasis is placed on Steam account information — the data is hijacked from the installed game client.
The DoubleGuns botnet, when installed locally, also deploys an adware module. This serves intrusive ads and spam content to the victims. Common examples are phishing landing pages or affiliate links to products and services. The prepared content can be launched in browser windows or when certain software is started. The common method is to replace the default settings, which leads to redirects to such pages. The victims are scammed into believing that they are accessing a legitimate service or company page.
The DoubleGuns botnet, when installed on a given computer, will also hijack web traffic — this can include page visits to online services, emails, communications with friends and family and so on.
The number of DoubleGuns botnet victims grows exponentially as more and more computers are recruited into it. All infected hosts communicate with a hacker-controlled command-and-control server, which keeps track of the number of infected hosts. Their combined resources can then be used for other nefarious purposes such as distributed denial-of-service attacks and sabotage operations.