Recent discoveries suggest that malicious software is being disseminated on the internet under the guise of application launchers for gambling games.
Downloading these malicious launchers, which were developed by the threat actor, results in the installation of WrnRAT, which gives the attacker remote control of the system and the ability to steal data from it.
The malware, disguised as a computer optimization program, was distributed via platforms like HFS, indicating a broader distribution strategy beyond the single instance mentioned.
Initial malware infection occurs through a batch script containing Korean comments, which serves as a dropper, installing subsequent malicious payloads onto the compromised system.
The .NET-based dropper, which is disguised as an installer, deploys a WrnRAT trojan that masquerades as Internet Explorer.
After launching the trojan, the dropper deletes itself, leaving only the malicious payload running on the system.
WrnRAT is written in Python and is distributed as an executable packaged with PyInstaller.
It primarily functions to capture and transmit the user’s screen activity, and it is additionally capable of sending system information and terminating processes. The threat actor further deploys additional malware to manipulate firewall settings.
WrnRAT offers a suite of remote control functionalities, including information gathering (IP, MAC, Client ID, gateway), real-time monitoring (screen capture, delay, and quality control), and process termination.
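Because the report identifies WrnRAT as a PyInstaller-packaged Python executable, a defender triaging a suspicious launcher can check for PyInstaller's trailing archive "cookie" before deeper analysis. The script below is an added example, not code from ASEC's report or from the malware; it assumes the cookie layout used by PyInstaller 2.1 and later, and the sample input it parses is constructed inline, not a real binary.

```python
import struct

# PyInstaller writes this 8-byte magic at the start of the "cookie" that
# closes the archive appended to a one-file executable.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Cookie layout (PyInstaller >= 2.1, assumed here): magic, package length,
# TOC offset, TOC length, Python version (e.g. 311 for 3.11), bundled Python DLL.
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` looks like a PyInstaller one-file
    bundle, otherwise None. A triage heuristic only: an outer packer or
    obfuscator can hide the cookie from this check."""
    pos = data.rfind(PYINSTALLER_MAGIC)       # cookie is the last occurrence
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    # Newer bundles encode 3.11 as 311; older ones encode 2.7 as 27.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(pyver=311, pylib=b"python311.dll"):
    """Constructed stand-in for a one-file bundle: a fake MZ stub, filler
    standing in for the archive, and a trailing cookie. Not a runnable PE."""
    stub = b"MZ" + b"\x00" * 62 + b"\x90" * 512
    archive = b"\x00" * 128
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, len(archive) + COOKIE_LEN,
                         0, len(archive), pyver, pylib.ljust(64, b"\x00"))
    return stub + archive + cookie


if __name__ == "__main__":
    print(pyinstaller_cookie(build_sample()))              # parsed cookie dict
    print(pyinstaller_cookie(b"MZ" + b"\x90" * 1024))      # None: no cookie
```

A hit tells the analyst the sample can be unpacked with standard PyInstaller extraction tooling rather than treated as native code, which is the first step to recovering the Python logic the report describes.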
Malicious software disguised as popular gambling games such as Badugi, 2-player Go-Stop, and Hold’em is currently circulating for the purpose of stealing user information.
According to ASEC, this malware, likely motivated by financial gain, captures screenshots of gameplay, potentially exposing sensitive information and leading to further financial losses.
Users should exercise caution when downloading software from unreliable sources and keep their antivirus software up to date in order to reduce the risk of infection.
The provided IOCs indicate a malicious campaign likely involving a malware infection, where the MD5 hashes correspond to malicious files, and the URLs and FQDNs are associated with the attack infrastructure, potentially used for command and control or distributing the malware.