WarZone (Trojan) – Malware

Overview

Warzone RAT, also known as Ave Maria, has emerged as one of the most formidable remote access trojans (RATs) in recent years. Discovered in January 2019, this malware-as-a-service (MaaS) quickly garnered attention for its sophisticated capabilities and widespread deployment. Warzone RAT is designed primarily for information theft, offering attackers a range of advanced functionalities, including remote desktop access, keylogging, and system monitoring. Its stealthy nature and anti-analysis features make it a particularly challenging threat for cybersecurity professionals. Marketed under the guise of a legitimate IT administration tool, Warzone RAT is maintained by an individual known as Solmyr, who offers it for sale through an official website. The malware’s affordability—starting at $37.95 per month—and the availability of cracked versions on darknet forums have contributed to its rapid proliferation. Warzone RAT is sold in various license options, including monthly and yearly plans, and even includes advanced features like a rootkit in its “Poison” version. This pricing structure and the ease of access have made Warzone a popular choice among cybercriminals.

Targets

The Warzone RAT has targeted a range of entities, including: Government Employees – Notably, individuals working for India’s National Informatics Centre (NIC). Military Personnel – Targets have included military staff, particularly those associated with South Asian countries. Geopolitical Figures – The malware has been used in campaigns against geopolitical figures and entities in South Asian countries. Individuals and Organizations – General targets through phishing campaigns, including users in Hungary via spoofed government communications.

How they operate

Initial Infection and Delivery Warzone RAT employs various techniques to establish a foothold on target systems, with its distribution methods reflecting its adaptability and persistence. The malware is often delivered via embedded Microsoft Office macros, which exploit vulnerabilities in Office documents to execute malicious code. In addition, Warzone can be packaged within compressed archives (.rar, .zip) or disk image files (.iso) disguised as legitimate software. The use of VBA-stomping, a technique that compiles macro scripts into P-code to evade antivirus detection, further enhances its delivery efficacy. Once on the victim’s machine, Warzone gains persistence by creating a Windows registry key that ensures its execution upon system startup. Operational Capabilities Upon successful installation, Warzone RAT activates its extensive suite of capabilities. The malware can execute remote desktop operations, utilizing both VNC and RDPWrap for stealthy remote control. Its hidden virtual network computing (hVNC) functionality allows attackers to operate in a concealed desktop environment, circumventing user detection. Warzone also employs real-time keylogging and webcam recording to gather sensitive information. Its credential-stealing capabilities extend to major browsers and email clients, including Chrome, Firefox, Edge, and Outlook, making it a potent tool for data exfiltration. Persistence and Evasion Warzone RAT’s persistence mechanisms involve more than just registry key modifications. It leverages older DLL hijacking techniques for User Account Control (UAC) bypass, facilitating privilege escalation and maintaining long-term access. To evade detection, Warzone employs various obfuscation methods, including encrypted and packed payloads designed to bypass traditional antivirus solutions. The malware’s capability to exploit known vulnerabilities, such as CVE-2017-11882 and CVE-2018-0802, further enhances its effectiveness in compromising systems. Command and Control Warzone’s command and control (C2) operations are structured to ensure robust communication channels between the malware and its operators. The RAT frequently uses dynamic domain name system (DDNS) services to obscure the location of its C2 servers, making it difficult for defenders to pinpoint and block malicious traffic. Additionally, Warzone’s deployment methods involve various C2 communication protocols, including non-standard ports and application layer protocols, which help to further evade network security measures.

MITRE Tactics and Techniques

Initial Access T1193: Spear Phishing Attachment T1203: Exploitation for Client Execution Execution T1204: User Execution T1064: Scripting Persistence T1547: Boot or Logon Autostart Execution T1136: Create Account Privilege Escalation T1088: Bypass User Account Control T1068: Exploitation for Privilege Escalation Defense Evasion T1027: Obfuscated Files or Information T1070: Indicator Removal on Host Credential Access T1003: Credential Dumping Collection T1113: Screen Capture T1056: Input Capture Command and Control T1071: Application Layer Protocol T1095: Non-Standard Port

References

• WarZone
• What Is Warzone RAT?