Notorious WrnRAT Delivered Mimic As Gambling Games

Oct. 30, 2024, 9:31 p.m.

Description

Cybersecurity analysts have uncovered a sophisticated malware operation targeting users of online gambling platforms. Threat actors are distributing the WrnRAT malware by disguising it as popular Korean gambling games. The multi-stage infection process begins with a batch script, followed by a .NET-based dropper that installs and executes WrnRAT. The malware, developed in Python and packaged with PyInstaller, captures screenshots, collects system information, and can terminate specific processes. It also manipulates firewall configurations to evade detection. The primary motivation appears to be financial exploitation: by observing players' actions in real time, the attackers can potentially gain an unfair advantage in gambling activities.

Date

  • Created: Oct. 29, 2024, 9:32 p.m.
  • Published: Oct. 29, 2024, 9:32 p.m.
  • Modified: Oct. 30, 2024, 9:31 p.m.

Indicators

  • http://112.187.111.83:5723/installerABAB/installerABAB.exe
  • http://112.187.111.83:5723/installerABAB/installerABAB.cmd
  • http://112.187.111.83:5723/installerABAB/iexplore.exe
  • http://112.187.111.83:5723/installerABAB/MicrosoftEdgeUpdate.exe
  • http://112.187.111.83:5723/installerABAB/bound.exe

Attack Patterns

  • WrnRAT
  • T1562.004
  • T1059.003
  • T1113
  • T1036.005
  • T1070.004
  • T1204.002
  • T1082
  • T1057
  • T1105
  • T1055
  • T1053

Additional Information

  • Korea, Democratic People's Republic of
  • Korea, Republic of