WrnRAT Distributed Under the Guise of Gambling Games
AhnLab SEcurity intelligence Center (ASEC) recently discovered malware being distributed under the guise of gambling games such as badugi, 2-player go-stop, and hold’em. The threat actor set up a website disguised as a gambling game site; downloading the "game launcher" offered there installs malware that can control the infected system and steal information. The malware appears to have been written by the threat actor themselves and is referred to here as WrnRAT, after strings found in the binary.

Figure 1. Deceitful page for downloading gambling games
The case above appears to be only one of several: there is also evidence of distribution disguised as a computer optimization program. Publicly reachable file-hosting platforms such as HFS (HTTP File Server) were used to serve the malware.

Figure 2. Platforms used for malware distribution
A batch script is presumed to be installed first, and it in turn installs the dropper. A notable characteristic of the batch script is that its comments are written in Korean.

Figure 3. Batch installer
The dropper is a .NET executable distributed under names such as “Installer2.exe”, “Installer3.exe”, and “installerABAB.exe”. When executed, it writes a launcher and WrnRAT to disk, starts WrnRAT through the launcher, and then deletes itself. WrnRAT is dropped under the name “iexplorer.exe” in a path disguised as an Internet Explorer directory. Note the extra “r”: the legitimate Internet Explorer binary is iexplore.exe, so the file name alone is a usable hunting indicator.

Figure 4. Dropper and launcher malware
WrnRAT is written in Python and distributed as an executable built with PyInstaller. Its primary function is to transmit captures of the user’s screen, but it also supports sending basic system information and terminating specified processes (Table 1). The threat actor also creates and uses additional malware that modifies the firewall configuration.
| Command | Function |
|---|---|
| PC_INFO_REQ | Transmit system information (IP, MAC address, Client ID, gateway) |
| SET_MONITOR_STATE | Configure monitoring state (screen capture) |
| KILL_PROCESS_REQ | Terminate target process |
| SET_CAPTURE_DELAY | Configure screen capture delay time |
| SET_CAPTURE_QUALITY | Configure screen capture quality |
Table 1. Commands supported by WrnRAT

Figure 5. Configuration data of WrnRAT
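Two of the traits above are cheap to hunt for on an endpoint: the “iexplorer.exe” lookalike name (and any iexplore.exe running outside its install directory), and the PyInstaller packaging, which leaves the bootloader’s 8-byte archive cookie magic `MEI\x0c\x0b\x0a\x0b\x0e` in the file no matter what the executable is renamed to. The following triage helper is an added example written for this article, not code from ASEC or from the malware itself. It assumes the default Windows install directories for Internet Explorer, and the sample process records and file images are constructed inline (the real drop path of WrnRAT is not given on this page).

```python
"""Endpoint triage for the WrnRAT traits described above (added example)."""
from __future__ import annotations

# PyInstaller's bootloader locates its appended archive by this fixed 8-byte
# cookie magic. It survives renaming the executable, e.g. to "iexplorer.exe".
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Assumption: the real Internet Explorer image name and its default install
# directories on Windows (compared case-insensitively).
LEGIT_IE_NAME = "iexplore.exe"
LEGIT_IE_DIRS = {
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
}


def is_pyinstaller_packed(data: bytes) -> bool:
    """True if a PE image carries the PyInstaller CArchive cookie.

    The bootloader scans backwards from end-of-file for the magic, so for
    triage a substring search over the whole image is equivalent.
    """
    return data.startswith(b"MZ") and PYINSTALLER_MAGIC in data


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ie_lookalike_findings(image_path: str) -> list[str]:
    """Reasons a process posing as Internet Explorer does not add up."""
    findings = []
    norm = image_path.lower().replace("/", "\\")
    directory, _, name = norm.rpartition("\\")
    if name == LEGIT_IE_NAME:
        if directory not in LEGIT_IE_DIRS:
            findings.append(f"{name} running outside the Internet Explorer directory: {directory}")
    elif 0 < edit_distance(name, LEGIT_IE_NAME) <= 2:
        findings.append(f"lookalike image name {name!r} (legitimate name is {LEGIT_IE_NAME!r})")
    return findings


def triage(processes: list[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Map each image path to its findings; paths with no findings are omitted."""
    result: dict[str, list[str]] = {}
    for path, image in processes:
        findings = ie_lookalike_findings(path)
        if is_pyinstaller_packed(image):
            findings.append("PyInstaller archive cookie present (Python payload)")
        if findings:
            result[path] = findings
    return result


def fake_pe(packed: bool) -> bytes:
    """Constructed stand-in for a PE image: MZ header plus filler, with the
    PyInstaller cookie appended when packed=True. Not a real sample."""
    body = b"MZ" + b"\x00" * 510
    return body + (PYINSTALLER_MAGIC + b"\x00" * 80 if packed else b"")


# Constructed process records (path, on-disk image); the second path is an
# assumed drop location, not one taken from the article.
SAMPLE_PROCESSES = [
    (r"C:\Program Files\Internet Explorer\iexplore.exe", fake_pe(packed=False)),
    (r"C:\Users\victim\AppData\Roaming\Internet Explorer\iexplorer.exe", fake_pe(packed=True)),
    (r"C:\Windows\Temp\iexplore.exe", fake_pe(packed=False)),
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_PROCESSES).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Run as-is it reports the “iexplorer.exe” entry twice (lookalike name and PyInstaller cookie) and the misplaced iexplore.exe once, while the genuine browser produces no finding. In a real hunt, feed it the image paths from process enumeration and read the on-disk file bytes; the cookie check is a packaging indicator, not a malware verdict, so treat a hit as a reason to pull the file for analysis rather than as a conviction on its own.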
Malware disguised as gambling games such as badugi, 2-player go-stop, and hold’em is currently being distributed to steal information. The threat actor appears to be financially motivated and targets users of gambling games in order to capture their screens. Because the attacker can watch a victim’s gameplay, users of illegal gambling games may suffer further financial losses on top of the infection itself. Users should avoid downloading installers from illegal or otherwise suspicious sources, and keep V3 updated to the latest version so that the infection can be blocked.