WrnRAT Disguised as Gambling Games

Short Summary:

AhnLab SEcurity intelligence Center (ASEC) has identified malware being distributed under the guise of gambling games. This malware, named WrnRAT, is designed to control infected systems and steal information. It is distributed through deceptive websites and disguised as various installers, including those for gambling games and computer optimization programs.

Key Points:

  • Malware disguised as gambling games such as badugi, 2-player go-stop, and hold’em.
  • Threat actor created a fake gambling game website to distribute malware.
  • Malware named WrnRAT can control infected systems and steal information.
  • Payloads were hosted on an HFS (HTTP File Server) instance and installed by a batch script whose comments are written in Korean.
  • WrnRAT captures the victim’s screen and transmits basic system information (IP, MAC address, client ID, gateway); it can also terminate processes.
  • Users are advised to avoid downloading from suspicious sources and to keep security software updated.

MITRE ATT&CK TTPs – created by AI

  • User Execution: Malicious File (T1204.002)
    • The victim runs a downloaded installer (“Installer2.exe”, “Installer3.exe”, “installerABAB.exe”) presented as a gambling game launcher or a PC optimization program.
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003)
    • A batch script (installerABAB.cmd in the IOC list) is presumed to perform the initial install and bring in the .NET dropper.
  • Ingress Tool Transfer (T1105)
    • Further executables are fetched over HTTP from an HFS server (112.187.111.83:5723).
  • Masquerading: Match Legitimate Name or Location (T1036.005)
    • WrnRAT is written as “iexplorer.exe” to a path imitating Internet Explorer; files served from the HFS host are named MicrosoftEdgeUpdate.exe and iexplore.exe.
  • Screen Capture (T1113)
    • WrnRAT’s main function is screen capture with attacker-configurable delay and quality.
  • System Information Discovery (T1082)
    • The PC_INFO_REQ command returns IP, MAC address, client ID and gateway.
  • Impair Defenses: Disable or Modify System Firewall (T1562.004)
    • The actor also deploys additional malware that modifies firewall settings.

AhnLab SEcurity intelligence Center (ASEC) recently discovered malware being distributed under the guise of gambling games such as badugi, 2-player go-stop, and hold’em. The threat actor set up a website disguised as a gambling game site; downloading the game launcher from it installs malware that can control the infected system and steal information. The malware appears to be the threat actor’s own creation, and ASEC refers to it as WrnRAT after strings found in the binary.

Figure 1. Deceitful page for downloading gambling games

The above case appears to be just one instance; there is also evidence of distribution disguised as a computer optimization program. The payloads were hosted on HFS (HTTP File Server), a lightweight Windows web server for sharing files.

Figure 2. Platforms used for malware distribution

The infection is presumed to start with a batch script, which in turn installs the dropper. A distinguishing characteristic of the batch script is that its comments are written in Korean.

Figure 3. Batch installer

The dropper, developed in .NET, is distributed under names such as “Installer2.exe”, “Installer3.exe”, and “installerABAB.exe”. When executed, it writes a launcher and WrnRAT to disk, starts WrnRAT through the launcher, and then deletes itself. WrnRAT is written as “iexplorer.exe” to a path that imitates the Internet Explorer install location so that it blends in with the legitimate browser files. Note that the genuine Internet Explorer binary is iexplore.exe (no trailing “r”), so the misspelled file name is itself a useful hunting indicator; the file served from the HFS host in the IOC list, by contrast, uses the legitimate spelling.

Figure 4. Dropper and launcher malware

WrnRAT is written in Python and distributed as a standalone executable built with PyInstaller. Because PyInstaller bundles the Python bytecode rather than compiling it to native code, the script, and with it the command set below, can be recovered by unpacking the executable. WrnRAT’s primary function is to transmit captures of the user’s screen, but it also supports sending basic system information and terminating specified processes. The threat actor is also creating and using additional malware that modifies firewall settings.

Command               Function
--------------------  -----------------------------------------------------------------
PC_INFO_REQ           Transmit system information (IP, MAC address, client ID, gateway)
SET_MONITOR_STATE     Set the monitoring (screen capture) state
KILL_PROCESS_REQ      Terminate the specified process
SET_CAPTURE_DELAY     Set the delay between screen captures
SET_CAPTURE_QUALITY   Set the screen capture image quality

Table 1. Commands supported by WrnRAT
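Because PyInstaller stores each bundled script as a zlib-compressed, marshalled code object, and marshal keeps string constants in plaintext, the command names in Table 1 can be located by walking the archive appended to the executable. The following is an added example, not code from ASEC or from the threat actor. It assumes the CArchive layout of PyInstaller 2.1 and later: an 88-byte cookie near the end of the file (magic, package length, TOC offset, TOC length, Python version, Python library name) and 18-byte TOC entries followed by a NUL-padded name. The archive it scans is constructed inside the block rather than taken from a real sample; on a real sample you would pass in the file bytes. A custom packer or a stripped cookie would defeat the lookup, and after confirming the strings you would still decompile the entry to see the actual command handlers.

```python
"""Walk a PyInstaller CArchive and flag entries carrying WrnRAT command names.

Added example, not ASEC's tooling. Assumes the PyInstaller 2.1+ CArchive
layout (cookie '!8sIIii64s', TOC entries '!iIIIBc' + NUL-padded name).
"""
import struct
import zlib

PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # PyInstaller cookie magic
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)        # 88 bytes
ENTRY_FMT = "!iIIIBc"                            # len, offset, clen, ulen, cflag, typecode
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)          # 18 bytes

# Command names from Table 1 of the ASEC write-up.
WRNRAT_COMMANDS = [b"PC_INFO_REQ", b"SET_MONITOR_STATE", b"KILL_PROCESS_REQ",
                   b"SET_CAPTURE_DELAY", b"SET_CAPTURE_QUALITY"]


def carchive_entries(data):
    """Yield (name, typecode, inflated payload) for every TOC entry in the archive."""
    cookie_pos = data.rfind(PYI_MAGIC)           # last occurrence: the cookie sits at the tail
    if cookie_pos < 0:
        return                                   # not PyInstaller-packed, or cookie stripped
    _magic, pkg_len, toc_off, toc_len, _pyver, _pylib = struct.unpack(
        COOKIE_FMT, data[cookie_pos:cookie_pos + COOKIE_SIZE])
    # pkg_len spans the whole archive including the cookie; TOC offsets are
    # relative to the archive start, which follows the bootloader stub.
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len
    pos = pkg_start + toc_off
    end = pos + toc_len
    while pos < end:
        entry_len, off, clen, _ulen, cflag, tcode = struct.unpack(
            ENTRY_FMT, data[pos:pos + ENTRY_SIZE])
        name = data[pos + ENTRY_SIZE:pos + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        blob = data[pkg_start + off:pkg_start + off + clen]
        if cflag:                                # scripts and pure modules are zlib-compressed
            blob = zlib.decompress(blob)
        yield name, tcode, blob
        pos += entry_len


def scan_for_wrnrat(data):
    """Return {entry_name: [Table 1 commands found]} for entries that contain any of them."""
    hits = {}
    for name, _tcode, blob in carchive_entries(data):
        found = [c.decode() for c in WRNRAT_COMMANDS if c in blob]
        if found:
            hits[name] = found
    return hits


def build_carchive(entries, python_version=311):
    """Construct a minimal CArchive as a test fixture (constructed, not a real sample).

    entries: list of (name, one-byte typecode, raw bytes); each entry is
    zlib-compressed, as PyInstaller does for 's' (script) and 'm' (module) entries.
    """
    payload, toc = b"", b""
    for name, tcode, raw in entries:
        comp = zlib.compress(raw)
        off = len(payload)
        payload += comp
        name_b = name.encode() + b"\x00"
        entry_len = ENTRY_SIZE + len(name_b)
        pad = (-entry_len) % 16                  # PyInstaller pads entries to 16 bytes
        entry_len += pad
        toc += struct.pack(ENTRY_FMT, entry_len, off, len(comp), len(raw), 1, tcode)
        toc += name_b + b"\x00" * pad
    toc_off = len(payload)
    pkg_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, toc_off, len(toc),
                         python_version, b"python311.dll")
    return payload + toc + cookie


if __name__ == "__main__":
    # Constructed stand-in for a packed binary: a fake bootloader stub followed by
    # a benign module and a script entry carrying WrnRAT's command names.
    fake_exe = b"MZ" + b"\x00" * 64 + build_carchive([
        ("helper", b"m", b"def nothing(): pass"),
        ("iexplorer", b"s", b"\x00PC_INFO_REQ\x00SET_MONITOR_STATE\x00KILL_PROCESS_REQ\x00"),
    ])
    print(scan_for_wrnrat(fake_exe))
```

Run it over files named iexplorer.exe (or any unsigned PyInstaller binary found under a browser-like path) and treat a hit on two or more of the Table 1 strings as a strong match; a single generic token such as KILL_PROCESS_REQ on its own is weaker evidence.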

Figure 5. Configuration data of WrnRAT

Malware disguised as gambling games such as badugi, 2-player go-stop, and hold’em is currently being distributed to steal information. The threat actor appears to be financially motivated and targets players of these games in order to capture their screens. With that feed, the attacker can monitor the victim’s gameplay in real time, and users of these illegal games may suffer further financial losses as a result. Users should avoid downloading installers from illegal or suspicious sources, and V3 should be kept updated to the latest version so that infection can be prevented.

MD5

0159b9367f0d0061287120f97ee55513
03896b657e434eb685e94c9a0df231a4
0725f072bcd9ca44a54a39dcec3b75d7
0d9e94a43117a087d456521abd7ebc03
1b8dfc3f131aaf091ba074a6e4f8bbe6

URL

http[:]//112[.]187[.]111[.]83[:]5723/installerABAB/MicrosoftEdgeUpdate[.]exe
http[:]//112[.]187[.]111[.]83[:]5723/installerABAB/bound[.]exe
http[:]//112[.]187[.]111[.]83[:]5723/installerABAB/iexplore[.]exe
http[:]//112[.]187[.]111[.]83[:]5723/installerABAB/installerABAB[.]cmd
http[:]//112[.]187[.]111[.]83[:]5723/installerABAB/installerABAB[.]exe

FQDN

aaba1[.]kro[.]kr
delete1[.]kro[.]kr
inddio23[.]kro[.]kr
nt89kro[.]kr
nt89s[.]kro[.]kr

IP

160[.]251[.]93[.]181
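To put the indicators above to use they have to be refanged and compared against proxy, DNS and firewall logs, with subdomains of the listed kro.kr hosts and any other request to the HFS server counted as hits. The following is an added example, not ASEC’s code: the indicators are a subset of the list on this page, and the log lines are constructed for the example rather than taken from a real incident.

```python
"""Refang the IOC list above and match it against proxy, DNS and firewall logs.

Added example, not ASEC's code. Indicators are from this page (defanged with
[.] and [:]); the log lines are constructed and do not come from a real incident.
"""
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = """
http[:]//112[.]187[.]111[.]83[:]5723/installerABAB/MicrosoftEdgeUpdate[.]exe
http[:]//112[.]187[.]111[.]83[:]5723/installerABAB/installerABAB[.]cmd
http[:]//112[.]187[.]111[.]83[:]5723/installerABAB/installerABAB[.]exe
aaba1[.]kro[.]kr
delete1[.]kro[.]kr
nt89s[.]kro[.]kr
160[.]251[.]93[.]181
"""

# Constructed log lines (squid access log, BIND query log, iptables log format).
SAMPLE_LOGS = [
    "1729500000.123   2345 10.0.0.15 TCP_MISS/200 512000 GET http://112.187.111.83:5723/installerABAB/installerABAB.cmd - HIER_DIRECT/112.187.111.83 application/octet-stream",
    "Oct 21 10:02:11 dns1 named[1234]: client 10.0.0.15#53211: query: nt89s.kro.kr IN A +",
    "Oct 21 10:02:40 dns1 named[1234]: client 10.0.0.15#53222: query: update.aaba1.kro.kr IN A +",
    "Oct 21 10:03:05 fw1 kernel: [ACCEPT] SRC=10.0.0.22 DST=160.251.93.181 PROTO=TCP DPT=443",
    "Oct 21 10:03:30 dns1 named[1234]: client 10.0.0.9#50001: query: www.microsoft.com IN A +",
]

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)   # needs a letters-only TLD, so IPs are excluded


def refang(s):
    """Undo the usual defanging so the string compares equal to real log data."""
    return s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def norm_url(url):
    """Lower-case scheme and host:port, keep the path verbatim, drop query and fragment."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def load_iocs(text):
    """Sort refanged indicators into url / fqdn / ip sets.

    The host behind each URL indicator becomes an indicator of its own, so any
    other request to the HFS server is flagged, not only the paths seen so far.
    """
    iocs = {"url": set(), "fqdn": set(), "ip": set()}
    for raw in text.split():
        ioc = refang(raw)
        if "://" in ioc:
            iocs["url"].add(norm_url(ioc))
            host = urlsplit(ioc).hostname
            iocs["ip" if IPV4.fullmatch(host) else "fqdn"].add(host)
        elif IPV4.fullmatch(ioc):
            iocs["ip"].add(ioc)
        else:
            iocs["fqdn"].add(ioc.lower())
    return iocs


def match_line(line, iocs):
    """Return the sorted indicators one log line touches.

    Hostnames match exactly or as a subdomain of an FQDN indicator, so a lookup
    of update.aaba1.kro.kr still flags aaba1.kro.kr.
    """
    hits = set()
    for url in URL_RE.findall(line):
        u = norm_url(url.rstrip(".,;)"))        # strip trailing punctuation from free text
        if u in iocs["url"]:
            hits.add(u)
    for host in HOST_RE.findall(line):
        h = host.lower()
        hits.update(f for f in iocs["fqdn"] if h == f or h.endswith("." + f))
    for ip in IPV4.findall(line):
        if ip in iocs["ip"]:
            hits.add(ip)
    return sorted(hits)


def scan_logs(lines, iocs):
    """Return [(line_index, [indicators])] for every line with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)):
        print(idx, hits)
```

The URL comparison keeps the path case-sensitive; if the HFS host runs on Windows the same file is reachable under other casings, so for a broad sweep the host-level hit (112.187.111.83 derived from the URLs) is the one to rely on.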

Source : https://asec.ahnlab.com/en/84086/