⚠️Today : 0 critical vulnerabilities | 0 high vulnerabilities | 3 medium vulnerabilities | 0 low vulnerabilities - You can now download lists of IOCs here !

Notorious WrnRAT Delivered Mimic As Gambling Games

Oct. 30, 2024, 9:31 p.m.

Tags
korea
gambling
screen capture
2024-10-29
pyinstaller
wrnrat
multi-stage infection
financial exploitation
External References
Description

Cybersecurity analysts have uncovered a sophisticated malware operation targeting online gambling platforms. Threat actors are distributing the WrnRAT malware by disguising it as popular Korean gambling games. The multi-stage infection process involves a batch script, followed by a .NET-based dropper that installs and executes WrnRAT. The malware, developed using Python and packaged with PyInstaller, captures screenshots, collects system information, and can terminate specific processes. It also manipulates firewall configurations to evade detection. The primary motivation appears to be financial exploitation, with attackers potentially gaining unfair advantages in gambling activities by observing players' actions in real-time.

Date

Published: Oct. 29, 2024, 9:32 p.m.

Created: Oct. 29, 2024, 9:32 p.m.

Modified: Oct. 30, 2024, 9:31 p.m.

Indicators

http://112.187.111.83:5723/installerABAB/installerABAB.exe

http://112.187.111.83:5723/installerABAB/installerABAB.cmd

http://112.187.111.83:5723/installerABAB/iexplore.exe

http://112.187.111.83:5723/installerABAB/MicrosoftEdgeUpdate.exe

http://112.187.111.83:5723/installerABAB/bound.exe

Download all indicators here!

Attack Patterns

WrnRAT

T1562.004

T1059.003

T1113

T1036.005

T1070.004

T1204.002

T1082

T1057

T1105

T1055

T1053

Additional Informations

Korea, Democratic People's Republic of

Korea, Republic of