Notorious WrnRAT Delivered Mimic As Gambling Games
Oct. 30, 2024, 9:31 p.m.
Description
Cybersecurity analysts have uncovered a sophisticated malware operation targeting online gambling platforms. Threat actors are distributing the WrnRAT malware by disguising it as popular Korean gambling games. The multi-stage infection process involves a batch script, followed by a .NET-based dropper that installs and executes WrnRAT. The malware, developed using Python and packaged with PyInstaller, captures screenshots, collects system information, and can terminate specific processes. It also manipulates firewall configurations to evade detection. The primary motivation appears to be financial exploitation, with attackers potentially gaining unfair advantages in gambling activities by observing players' actions in real time.
Date
Published: Oct. 29, 2024, 9:32 p.m.
Created: Oct. 29, 2024, 9:32 p.m.
Modified: Oct. 30, 2024, 9:31 p.m.
Indicators
http://112.187.111.83:5723/installerABAB/installerABAB.exe
http://112.187.111.83:5723/installerABAB/installerABAB.cmd
http://112.187.111.83:5723/installerABAB/iexplore.exe
http://112.187.111.83:5723/installerABAB/MicrosoftEdgeUpdate.exe
http://112.187.111.83:5723/installerABAB/bound.exe
Attack Patterns
WrnRAT
T1562.004
T1059.003
T1113
T1036.005
T1070.004
T1204.002
T1082
T1057
T1105
T1055
T1053
Additional Information
Korea, Democratic People's Republic of
Korea, Republic of