Monday, February 17, 2025
HomeCyber AttackNotorious WrnRAT Delivered Mimic As Gambling Games

Notorious WrnRAT Delivered Mimic As Gambling Games

Published on

SIEM as a Service

Follow Us on Google News

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games like Badugi, Go-Stop, and Hold’em to disguise itself as a malicious program. 

The attackers created a fraudulent gambling website that, when accessed, prompts users to download a game launcher.

Instead of initiating the game, the launcher installs the malicious WrnRAT software. 

Once installed, WrnRAT grants attackers remote control over the infected system, enabling them to steal sensitive information and potentially execute further malicious actions. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Deceitful page for downloading gambling games
Deceitful page for downloading gambling games

Malware, likely initially installed through a Korean-commented batch script, is distributed via platforms like HFS.

HFS acts as a dropper, introducing additional malware into the system. The malware’s primary function appears to be data theft, and it could particularly target sensitive information.

The .NET-based dropper malware, disguised as installers, infiltrates systems. Upon execution, it spawns a launcher and the WrnRAT trojan, masking it as “iexplorer.exe” within an Internet Explorer directory. 

Platforms used for malware distribution
Platforms used for malware distribution

The launcher is responsible for initiating WrnRAT, which enables it to carry out malicious activities.

After that, the launcher self-destructs, leaving behind the stealthy WrnRAT trojan, which can compromise the system.

WrnRAT, a Python-based malware, is distributed as an executable file that primarily functions as a screen capture tool.

It transmits captured images to a remote server and is also capable of gathering fundamental system information and terminating particular processes. 

Dropper and launcher malware
Dropper and launcher malware

With the deployment of additional malware to manipulate firewall settings, the threat actor further enhances the attack, which may make it more difficult to detect and respond to the threat.

It is a remote access Trojan (RAT) capable of executing various malicious commands and can request and transmit system information, including IP address, MAC address, client ID, and gateway. 

Configuration data of WrnRAT
Configuration data of WrnRAT

It can also control screen capture functionality, including enabling or disabling monitoring and setting capture delay and quality by terminating specific target processes on the infected system.

Recent cyberattacks have targeted people who are interested in gambling games, specifically those who play 2-player go-stop, hold’em, and badugi, according to the ASEC. 

Malicious actors are distributing malware disguised as these games to steal sensitive information, including gameplay screenshots.

This allows attackers to monitor user activity, potentially leading to financial loss for both legitimate and illegitimate players. 

To mitigate this threat, users should exercise caution when downloading game installers, avoid suspicious sources, and keep antivirus software like V3 updated. This is crucial to ensure robust protection against such attacks.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection

Ransomware gangs are accelerating their operations, with the average time-to-ransom (TTR), the period between...

Stealthy Malware in WordPress Sites Enables Remote Code Execution by Hackers

Security researchers have uncovered sophisticated malware targeting WordPress websites, leveraging hidden backdoors to enable...

Xerox Printer Vulnerability Exposes Authentication Data Via LDAP and SMB

A critical security vulnerability in Xerox’s Versalink C7025 Multifunction Printer (MFP) has been uncovered,...

New XCSSET Malware Targets macOS Users Through Infected Xcode Projects

Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS malware, marking...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection

Ransomware gangs are accelerating their operations, with the average time-to-ransom (TTR), the period between...

Stealthy Malware in WordPress Sites Enables Remote Code Execution by Hackers

Security researchers have uncovered sophisticated malware targeting WordPress websites, leveraging hidden backdoors to enable...

Xerox Printer Vulnerability Exposes Authentication Data Via LDAP and SMB

A critical security vulnerability in Xerox’s Versalink C7025 Multifunction Printer (MFP) has been uncovered,...