| WarZone | |
|---|---|
| Type of Malware | Trojan |
| Country of Origin | Russia |
| Date of Initial Activity | 2018 |
| Targeted Countries | India |
| Additional Names | Ave Maria |
| Associated Groups | Confucius APT |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Browser Data |
Overview
Warzone RAT, also known as Ave Maria, has emerged as one of the most formidable remote access trojans (RATs) in recent years. Discovered in January 2019, this malware-as-a-service (MaaS) quickly garnered attention for its sophisticated capabilities and widespread deployment. Warzone RAT is designed primarily for information theft, offering attackers a range of advanced functionalities, including remote desktop access, keylogging, and system monitoring. Its stealthy nature and anti-analysis features make it a particularly challenging threat for cybersecurity professionals.
Marketed under the guise of a legitimate IT administration tool, Warzone RAT is maintained by an individual known as Solmyr, who offers it for sale through an official website. The malware’s affordability—starting at $37.95 per month—and the availability of cracked versions on darknet forums have contributed to its rapid proliferation. Warzone RAT is sold in various license options, including monthly and yearly plans, and even includes advanced features like a rootkit in its “Poison” version. This pricing structure and the ease of access have made Warzone a popular choice among cybercriminals.
Targets
The Warzone RAT has targeted a range of entities, including:
Government Employees – Notably, individuals working for India’s National Informatics Centre (NIC).
Military Personnel – Targets have included military staff, particularly those associated with South Asian countries.
Geopolitical Figures – The malware has been used in campaigns against geopolitical figures and entities in South Asian countries.
Individuals and Organizations – General targets through phishing campaigns, including users in Hungary via spoofed government communications.
How they operate
Initial Infection and Delivery
Warzone RAT employs various techniques to establish a foothold on target systems, with its distribution methods reflecting its adaptability and persistence. The malware is often delivered via embedded Microsoft Office macros, which exploit vulnerabilities in Office documents to execute malicious code. In addition, Warzone can be packaged within compressed archives (.rar, .zip) or disk image files (.iso) disguised as legitimate software. The use of VBA stomping, a technique that strips the readable VBA source from a document while leaving the compiled P-code that Office actually executes, so that scanners inspecting only the macro source see nothing suspicious, further enhances its delivery efficacy. Once on the victim’s machine, Warzone gains persistence by creating a Windows registry key that ensures its execution upon system startup.
Operational Capabilities
Upon successful installation, Warzone RAT activates its extensive suite of capabilities. The malware can execute remote desktop operations, utilizing both VNC and RDPWrap for stealthy remote control. Its hidden virtual network computing (hVNC) functionality allows attackers to operate in a concealed desktop environment, circumventing user detection. Warzone also employs real-time keylogging and webcam recording to gather sensitive information. Its credential-stealing capabilities extend to major browsers and email clients, including Chrome, Firefox, Edge, and Outlook, making it a potent tool for data exfiltration.
Persistence and Evasion
Warzone RAT’s persistence mechanisms involve more than just registry key modifications. It leverages older DLL hijacking techniques for User Account Control (UAC) bypass, facilitating privilege escalation and maintaining long-term access. To evade detection, Warzone employs various obfuscation methods, including encrypted and packed payloads designed to bypass traditional antivirus solutions. The malware’s capability to exploit known vulnerabilities, such as CVE-2017-11882 and CVE-2018-0802, further enhances its effectiveness in compromising systems.
Command and Control
Warzone’s command and control (C2) operations are structured to ensure robust communication channels between the malware and its operators. The RAT frequently uses dynamic domain name system (DDNS) services to obscure the location of its C2 servers, making it difficult for defenders to pinpoint and block malicious traffic. Additionally, Warzone’s deployment methods involve various C2 communication protocols, including non-standard ports and application layer protocols, which help to further evade network security measures.
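The registry-based persistence described under Initial Infection and the DDNS and non-standard-port C2 traffic described above both leave telemetry a defender can match on. The following is an added example (not code from the original profile or from any vendor) of three small detection rules run over constructed Sysmon-style events; it assumes events arrive as dictionaries carrying Sysmon field names, and the DDNS provider list and expected-port set are analyst-maintained assumptions.

```python
import re

# Assumption: events are dicts with Sysmon field names. Event IDs 13 (registry value
# set), 22 (DNS query) and 3 (network connection) are real Sysmon IDs; the records in
# SAMPLE_EVENTS are constructed for this example, not captured telemetry.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r'^"?[A-Z]:\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData)\\', re.IGNORECASE)
DDNS_PARENTS = {"duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dynu.com"}  # assumption: analyst-maintained
EXPECTED_PORTS = {80, 443, 53}  # assumption: ports considered normal for outbound traffic here

def check_run_key(ev):
    """Flag Run/RunOnce values whose command lives in a user-writable directory."""
    if ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        if USER_WRITABLE_RE.match(ev.get("Details", "")):
            return f"persistence: {ev['TargetObject']} -> {ev['Details']}"
    return None

def check_dns(ev):
    """Flag DNS lookups whose parent domain belongs to a dynamic-DNS provider."""
    if ev.get("EventID") == 22:
        name = ev.get("QueryName", "").lower().rstrip(".")
        if ".".join(name.split(".")[-2:]) in DDNS_PARENTS:
            return f"c2-ddns: {ev.get('Image')} resolved {name}"
    return None

def check_port(ev):
    """Flag outbound connections on ports outside the expected set."""
    if ev.get("EventID") == 3 and ev.get("Initiated") and ev.get("DestinationPort") not in EXPECTED_PORTS:
        return f"c2-port: {ev.get('Image')} -> {ev.get('DestinationIp')}:{ev['DestinationPort']}"
    return None

RULES = (check_run_key, check_dns, check_port)

def scan(events):
    """Run every rule over every event and return the alert strings in order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]

SAMPLE_EVENTS = [  # constructed sample telemetry: one benign Run key, one suspicious chain
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\images",
     "Details": "C:\\Users\\bob\\AppData\\Roaming\\images.exe"},
    {"EventID": 22, "Image": "C:\\Users\\bob\\AppData\\Roaming\\images.exe", "QueryName": "update-srv.duckdns.org"},
    {"EventID": 3, "Image": "C:\\Users\\bob\\AppData\\Roaming\\images.exe", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 6060},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Initiated": True,
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Correlating the three alerts on the same Image value is what turns individual hits into a high-confidence finding; each rule alone will also fire on some legitimate software.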
MITRE Tactics and Techniques
Initial Access
T1193: Spear Phishing Attachment
T1203: Exploitation for Client Execution
Execution
T1204: User Execution
T1064: Scripting
Persistence
T1547: Boot or Logon Autostart Execution
T1136: Create Account
Privilege Escalation
T1088: Bypass User Account Control
T1068: Exploitation for Privilege Escalation
Defense Evasion
T1027: Obfuscated Files or Information
T1070: Indicator Removal on Host
Credential Access
T1003: Credential Dumping
Collection
T1113: Screen Capture
T1056: Input Capture
Command and Control
T1071: Application Layer Protocol
T1095: Non-Standard Port