Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games like Badugi, Go-Stop, and Hold’em to disguise itself as a malicious program. 

The attackers created a fraudulent gambling website that, when accessed, prompts users to download a game launcher.

Instead of initiating the game, the launcher installs the malicious WrnRAT software. 

Once installed, WrnRAT grants attackers remote control over the infected system, enabling them to steal sensitive information and potentially execute further malicious actions. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Malware, likely initially installed through a Korean-commented batch script, is distributed via platforms like HFS.

HFS acts as a dropper, introducing additional malware into the system. The malware’s primary function appears to be data theft, and it could particularly target sensitive information.

The .NET-based dropper malware, disguised as installers, infiltrates systems. Upon execution, it spawns a launcher and the WrnRAT trojan, masking it as “iexplorer.exe” within an Internet Explorer directory. 

The launcher is responsible for initiating WrnRAT, which enables it to carry out malicious activities.

After that, the launcher self-destructs, leaving behind the stealthy WrnRAT trojan, which can compromise the system.

WrnRAT, a Python-based malware, is distributed as an executable file that primarily functions as a screen capture tool.

It transmits captured images to a remote server and is also capable of gathering fundamental system information and terminating particular processes. 

With the deployment of additional malware to manipulate firewall settings, the threat actor further enhances the attack, which may make it more difficult to detect and respond to the threat.

It is a remote access Trojan (RAT) capable of executing various malicious commands and can request and transmit system information, including IP address, MAC address, client ID, and gateway. 

It can also control screen capture functionality, including enabling or disabling monitoring and setting capture delay and quality by terminating specific target processes on the infected system.

Recent cyberattacks have targeted people who are interested in gambling games, specifically those who play 2-player go-stop, hold’em, and badugi, according to the ASEC. 

Malicious actors are distributing malware disguised as these games to steal sensitive information, including gameplay screenshots.

This allows attackers to monitor user activity, potentially leading to financial loss for both legitimate and illegitimate players. 

To mitigate this threat, users should exercise caution when downloading game installers, avoid suspicious sources, and keep antivirus software like V3 updated. This is crucial to ensure robust protection against such attacks.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!