Hackers target gambling games primarily due to the lucrative financial opportunities they present. The online gambling industry is a rich territory for threat actors seeking to exploit vulnerabilities for “financial gain” and “data theft.”
Cybersecurity analysts at ASEC recently discovered that threat actors have been actively distributing the notorious WrnRAT malware by disguising it as gambling games.
ASEC recently uncovered a sophisticated malware operation where threat actors created misleading websites offering popular Korean gambling games like “badugi,” “2-player go-stop,” and “hold’em” to distribute malicious software.
When users download and run what appears to be a game launcher, a “multi-stage infection process” begins: a batch script (containing Korean-language comments) is executed first, followed by a “.NET-based dropper malware” (distributed under filenames like “Installer2.exe”, “Installer3.exe”, and “installerABAB.exe”) that installs and executes the main malicious payload, known as “WrnRAT.”
This dropper operates by creating both a launcher component and the WrnRAT malware itself, executing WrnRAT via the launcher, and then self-deleting to avoid detection.
The final stage involves WrnRAT establishing itself in the system by disguising itself as “Internet Explorer,” creating a file named “iexplorer.exe” to blend in with legitimate system processes.
The malware was also distributed through HFS (HTTP File Server) platforms, sometimes masquerading as computer optimization software, demonstrating the threat actors’ diverse distribution strategies.
Once successfully installed, WrnRAT grants attackers remote control capabilities over the infected system and enables them to steal sensitive information from the compromised machine.
WrnRAT is a sophisticated malware that was developed using the “Python programming language” and packaged into an executable file through “PyInstaller.”
This RAT primarily functions by capturing and sharing “screenshots” from infected computers to the attacker’s system.
It also “collects essential system information” and has the capability to terminate specific “running processes.”
The malware authors have expanded their arsenal by developing additional tools that manipulate “firewall configurations” to evade detection.
The primary motivation of the threat actors appears to be “financial exploitation”: they monitor victims’ gameplay via unauthorized “screenshots,” which can lead to significant “monetary losses,” particularly for users engaging in “illegal gambling platforms.”
By observing “players’ hands,” “betting patterns,” and “strategies” in real-time via the screen capture functionality, threat actors can gain unfair advantages or steal sensitive information.
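The infection chain described above leaves observable traces a defender can hunt for: a binary named after Internet Explorer that is misspelled (“iexplorer.exe” instead of the genuine iexplore.exe), runs outside the Internet Explorer directory, and carries a PyInstaller archive. The following detection logic is an added example written for this article, not code from ASEC or the malware; the process events, file bytes, and the "installer*.exe spawned by cmd.exe" heuristic are constructed assumptions based on the filenames the article names.

```python
import re
from dataclasses import dataclass

# Trailer cookie magic of a PyInstaller-built executable (the article says
# WrnRAT is Python packaged with PyInstaller). Its presence in a file that
# pretends to be Internet Explorer is a strong indicator.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Where a genuine Internet Explorer binary lives; the real name is iexplore.exe,
# while the article reports the RAT drops itself as "iexplorer.exe".
LEGIT_IE_DIRS = {r"c:\program files\internet explorer",
                 r"c:\program files (x86)\internet explorer"}
IE_LOOKALIKE = re.compile(r"^iexplorer?\.exe$")
# Dropper filenames named in the article: Installer2.exe, Installer3.exe, installerABAB.exe
DROPPER_NAME = re.compile(r"^installer\w*\.exe$")

@dataclass
class ProcessEvent:          # constructed stand-in for an EDR process-creation record
    image_path: str
    parent_image: str
    file_bytes: bytes        # content of the image on disk (constructed sample)

def assess(ev: ProcessEvent) -> list[str]:
    """Return the reasons this event matches the WrnRAT infection chain described above."""
    path = ev.image_path.lower()
    directory, _, name = path.rpartition("\\")
    reasons = []
    if IE_LOOKALIKE.match(name):
        if name != "iexplore.exe":
            reasons.append("misspelled Internet Explorer binary name")
        if directory not in LEGIT_IE_DIRS:
            reasons.append("IE-named binary outside the Internet Explorer directory")
        if PYINSTALLER_MAGIC in ev.file_bytes:
            reasons.append("PyInstaller bundle masquerading as Internet Explorer")
    if DROPPER_NAME.match(name) and ev.parent_image.lower() == "cmd.exe":
        reasons.append("installer-style dropper spawned by a batch script (cmd.exe)")
    return reasons

def scan(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each suspicious image path to its reasons; clean events are omitted."""
    return {ev.image_path: r for ev in events if (r := assess(ev))}

# Constructed sample events: one legitimate IE start, one dropper, one WrnRAT-style RAT.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe", "explorer.exe", b"MZ...PE"),
    ProcessEvent(r"C:\Users\victim\Downloads\installerABAB.exe", "cmd.exe", b"MZ...PE"),
    ProcessEvent(r"C:\Users\victim\AppData\Local\Temp\iexplorer.exe", "Installer2.exe",
                 b"MZ...PE..." + PYINSTALLER_MAGIC + b"\x00" * 16),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Only the dropper and the misspelled, PyInstaller-packed “iexplorer.exe” are reported; the genuine iexplore.exe in its normal directory produces no findings.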
Here below we have mentioned all the mitigations:-
ASEC has shared indicators of compromise for this campaign (MD5 hashes, download URLs, and FQDNs); additional IOCs are available on AhnLab TIP.