Tuesday, December 24, 2024
HomeCyber AttackNotorious WrnRAT Delivered Mimic As Gambling Games

Notorious WrnRAT Delivered Mimic As Gambling Games

Published on

SIEM as a Service

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games like Badugi, Go-Stop, and Hold’em to disguise itself as a malicious program. 

The attackers created a fraudulent gambling website that, when accessed, prompts users to download a game launcher.

Instead of initiating the game, the launcher installs the malicious WrnRAT software. 

- Advertisement - SIEM as a Service

Once installed, WrnRAT grants attackers remote control over the infected system, enabling them to steal sensitive information and potentially execute further malicious actions. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Deceitful page for downloading gambling games
Deceitful page for downloading gambling games

Malware, likely initially installed through a Korean-commented batch script, is distributed via platforms like HFS.

HFS acts as a dropper, introducing additional malware into the system. The malware’s primary function appears to be data theft, and it could particularly target sensitive information.

The .NET-based dropper malware, disguised as installers, infiltrates systems. Upon execution, it spawns a launcher and the WrnRAT trojan, masking it as “iexplorer.exe” within an Internet Explorer directory. 

Platforms used for malware distribution
Platforms used for malware distribution

The launcher is responsible for initiating WrnRAT, which enables it to carry out malicious activities.

After that, the launcher self-destructs, leaving behind the stealthy WrnRAT trojan, which can compromise the system.

WrnRAT, a Python-based malware, is distributed as an executable file that primarily functions as a screen capture tool.

It transmits captured images to a remote server and is also capable of gathering fundamental system information and terminating particular processes. 

Dropper and launcher malware
Dropper and launcher malware

With the deployment of additional malware to manipulate firewall settings, the threat actor further enhances the attack, which may make it more difficult to detect and respond to the threat.

It is a remote access Trojan (RAT) capable of executing various malicious commands and can request and transmit system information, including IP address, MAC address, client ID, and gateway. 

Configuration data of WrnRAT
Configuration data of WrnRAT

It can also control screen capture functionality, including enabling or disabling monitoring and setting capture delay and quality by terminating specific target processes on the infected system.

Recent cyberattacks have targeted people who are interested in gambling games, specifically those who play 2-player go-stop, hold’em, and badugi, according to the ASEC. 

Malicious actors are distributing malware disguised as these games to steal sensitive information, including gameplay screenshots.

This allows attackers to monitor user activity, potentially leading to financial loss for both legitimate and illegitimate players. 

To mitigate this threat, users should exercise caution when downloading game installers, avoid suspicious sources, and keep antivirus software like V3 updated. This is crucial to ensure robust protection against such attacks.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Latest articles

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...