{"id":197,"date":"2025-05-20T12:01:16","date_gmt":"2025-05-20T12:01:16","guid":{"rendered":"http:\/\/inforb-test1.certsign.ro:8080\/?p=197"},"modified":"2025-05-26T08:13:05","modified_gmt":"2025-05-26T08:13:05","slug":"notorious-wrnrat-delivered-mimic-as-gambling-games","status":"publish","type":"post","link":"https:\/\/inforb.ro\/en\/notorious-wrnrat-delivered-mimic-as-gambling-games\/","title":{"rendered":"WrnRAT infamously delivered in the form of gambling games"},"content":{"rendered":"

Hackers primarily target gambling due to the profitable financial opportunities it offers. The online gambling industry is a fertile ground for malicious actors seeking to exploit vulnerabilities for financial gain and data theft.<\/p>\n\n\n\n

Cybersecurity analysts from ASEC recently discovered that threat actors have been actively distributing the infamous WrnRAT, disguising it as gambling games.<\/p>\n\n\n\n

ASEC recently uncovered a sophisticated malware operation in which malicious actors created deceptive websites offering popular Korean gambling games such as \u201cbadugi,\u201d \u201ctwo-player go-stop,\u201d and \u201chold\u2019em\u201d to distribute malicious software.<\/p>\n\n\n\n

WrnRAT Delivered in the Form of Gambling Games<\/strong><\/h2>\n\n\n\n

When users download what appears to be a game launcher, the system initiates a multi-stage infection process<\/strong>, in which a batch script (containing comments in Korean) is executed first, followed by a .NET-based malware dropper (distributed under filenames such as \u201cInstaller2.exe\u201d<\/em>, \u201cInstaller3.exe\u201d<\/em>, and \u201cinstallerABAB.exe\u201d<\/em>). This dropper installs and executes the main malicious payload known as \u201cWrnRAT.\u201d<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Deceptive page for downloading gambling games (Source \u2013 ASEC)<\/p>\n\n\n\n

This dropper operates by creating both a launcher component and the actual WrnRAT malware, executing WrnRAT through the launcher, and then self-destructing to evade detection.<\/p>\n\n\n\n

In the final stage, WrnRAT installs itself on the system, disguising itself as \u201cInternet Explorer\u201d by creating a file named \u201ciexplorer.exe\u201d to blend in with legitimate system processes.<\/p>\n\n\n\n

The malware was also distributed through HFS platforms, sometimes posing as computer optimization software, demonstrating the attackers\u2019 varied distribution strategies.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Platforms used for malware distribution (Source \u2013 ASEC)<\/p>\n\n\n\n

Once successfully installed, WrnRAT provides attackers with remote control over the infected system and allows them to steal sensitive information from the compromised machine.<\/p>\n\n\n\n

WrnRAT is a sophisticated malware developed using the Python programming language and packaged into an executable file using PyInstaller.<\/p>\n\n\n\n

This RAT primarily operates by capturing and transmitting screenshots from infected computers to the attacker\u2019s system.<\/p>\n\n\n\n

Moreover, it collects essential system information and has the capability to terminate certain active processes.<\/p>\n\n\n\n

The malware authors have expanded their toolkit by developing additional tools that modify firewall configurations to evade detection.<\/p>\n\n\n\n

The primary motivation of these malicious actors appears to be financial exploitation.<\/p>\n\n\n\n

They monitor users\u2019 games through unauthorized screenshots, leading to significant financial losses, especially for users accessing illegal gambling platforms.<\/p>\n\n\n\n

By observing players' hands, betting patterns, and strategies in real time using the screenshot capture functionality, attackers can gain unfair advantages or steal sensitive information.<\/p>\n\n\n\n

Preventive Measures<\/strong><\/h2>\n\n\n\n

Here are some essential preventive measures:<\/p>\n\n\n\n