ASEC identifies WrnRAT malware distributed as gambling games, capable of controlling infected systems and stealing information. It spreads through fake gambling sites and deceptive installers, including batch scripts with Korean comments, and uses platforms like HFS for distribution. #WrnRAT #AhnLab #HFS #Badugi #GoStop #Holdem
Key points
- Malware is disguised as gambling games such as badugi, 2-player go-stop, and hold’em.
- A fake gambling game website was created to distribute the malware.
- WrnRAT can control the infected system and steal information.
- Distribution uses platforms like HFS and batch scripts with Korean comments.
- WrnRAT captures the user’s screen and transmits system information.
- Users are advised to avoid suspicious installers and keep security software updated.
MITRE Techniques
- [T1071] Command and Control – WrnRAT transmits captured screen data and system information back to the threat actor.
- [T1003] Credential Dumping – WrnRAT may collect sensitive information from the infected system.
- [T1203] Execution – Malware is executed through deceptive installers like “Installer2.exe” and “Installer3.exe”.
- [T1053] Persistence – WrnRAT is designed to maintain persistence on the infected system.
Indicators of Compromise
- [MD5] context – 0159b9367f0d0061287120f97ee55513, 03896b657e434eb685e94c9a0df231a4, and 3 more hashes
- [URL] context – http[:]//112[.]187[.]111[.]83[:]5723/installerABAB/MicrosoftEdgeUpdate[.]exe, http[:]//112[.]187[.]111[.]83[:]5723/installerABAB/bound[.]exe, and 3 more URLs
- [FQDN] context – aaba1[.]kro[.]kr, delete1[.]kro[.]kr, and 3 more
- [IP] context – 160[.]251[.]93[.]181
Read more: https://asec.ahnlab.com/en/84086/