Proprietary 2013-11-27 · 50 days · Backdoor, Remote Access, Data Exfiltration

GOM Player update served Miancha

GRETECH's GOM Player update path redirected Japanese users to a malicious installer. The package ran the real update and installed Miancha through a staged RAR payload.

Story

GOM Player's Japanese update service was abused in late 2013 and early 2014. GRETECH initially warned that users who updated between December 27 and January 16 could have been infected; later investigation extended the exposure back to November 27. The issue became public after a system associated with the Monju fast breeder reactor was reported infected.

The delivery used trust, not novelty. A user ran the ordinary GOM Player update flow and was redirected to a third-party site. The downloaded file, GoMPLAYER_JPSETUP.EXE, was a RAR-packed executable that contained a legitimate GOM Player updater and another packed executable named GOMPLAYERBETASETUP_JP.EXE.

The second layer carried the malicious work. install.exe checked whether it was running on 32-bit or 64-bit Windows, decrypted dll.tmp or dll64.tmp with the single-byte XOR key 0x14, wrote the result out as install.ocx, copied a matching PDF-like payload alongside it, and registered the OCX under a COM CLSID. It then restarted explorer.exe so that the payload loaded inside Explorer.
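One way a defender can spot this staging layer on disk, as an added example that is not part of the original record: the check tries the key 0x14 the report names first and then every other single-byte key, and accepts a candidate only when the decoded bytes carry a valid MZ/PE header. The dll.tmp-style blob below is constructed for the demonstration; no real sample is embedded.

```python
"""Flag files that are a PE image hidden behind a single-byte XOR key, the
layering the Miancha dropper used when turning dll.tmp / dll64.tmp into
install.ocx. Added example, not code from the original report."""
from typing import Optional

KNOWN_KEY = 0x14  # key reported for the GOM Player incident payload


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xor_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key under which blob decodes to a PE image
    (0 if it is already plain), trying the reported key first and then every
    other byte value. None means no key yields a PE header."""
    for key in [KNOWN_KEY] + [k for k in range(256) if k != KNOWN_KEY]:
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: MZ stub, e_lfanew = 0x80, PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes of DOS header
    header += (0x80).to_bytes(4, "little")          # e_lfanew at offset 0x3C
    return bytes(header) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 0x20


if __name__ == "__main__":
    staged = xor_bytes(build_fake_pe(), KNOWN_KEY)  # constructed dll.tmp-style blob
    print(f"dll.tmp-like blob decodes with key {find_xor_key(staged):#04x}")
    print("PDF-like blob:", find_xor_key(b"%PDF-1.4\n" + b"\x00" * 0x100))
```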

Kaspersky detected the malware as Backdoor.Win32.Miancha.b. The payload extracted command-and-control data from marker strings at the end of the PDF-like file, decoded it, and used it for callback configuration. The compromise was narrow and effective: official updater, real installer, hidden backdoor.

Affected Artifacts

GOM Player

windows updater · gomlab.com · Update
Observed
2013-11-27 to 2014-01-16
Compromised Versions
Unknown
Fixed
Not listed
Evidence
distribution: gomlab.com, file: GoMPLAYER_JPSETUP.EXE, file: GOMPLAYERJPSETUP_JP.EXE, file: GOMPLAYERBETASETUP_JP.EXE, +16 more
  • GRETECH initially identified December 27, 2013 through January 16, 2014 as the affected update window; later reporting said investigation extended the start date to November 27, 2013.
  • The Reddit thread supplied for review appears to discuss later user concerns about bundled unwanted software, not evidence for this update-server compromise.

Incident Context

Motive
Espionage
Attribution
State
Cause
Update Infrastructure Compromise
Transitive
No
Actor
Nation-state

External References

Source record: proprietary/gom-player/meta.yaml