BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
27
Global rank
52 infographic chevron month
Month rank
51 infographic chevron week
Week rank
392
IOCs

WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.

Remote Access Trojan
Type
Ex-USSR
Origin
4 December, 2018
First seen
16 June, 2024
Last seen
Also known as
AVE_MARIA
Ave Maria

How to analyze WarZone with ANY.RUN

Remote Access Trojan
Type
Ex-USSR
Origin
4 December, 2018
First seen
16 June, 2024
Last seen

IOCs

Hashes
fd770dfea61dde4dde009e95f4a4ea966ff588ee181a8afb1bb730803912dd73
d5018528f917c871dd60bdc52d3e21ca345386637ba0dfbb8049eb89321d802a
a565630d44c3226052705000037a19cb45da97fc52f4b2a8ade6624075b1afe3
6e48830bab5700edce7115bef9f50fe621521564805c21f056f0529843a23ca7
3ec75aa62228c2043c7834516a087d14fb0ff1cf89a060edb10cbd3e296e3fc4
c764ae8c562868bee836b3e84279900fd6933910f01584ec94428c56fc2bcadd
e6df4f343401f5c3c79228940acc0dcadcd655e1e0e8010f9f67eb946d67e94a
61ab41898bd0502de88eb311c921e19ebe32c9d8061e34d11851d38a9ec1b1bd
1c9d339f96c25b3b8d06131a49e09169d42d663a3499eb870f8dee021497b8b5
135ffbb4dc1ea1e6115475629f12530c5e3191b5b42b78e4f6c3b1022508ed82
f83914dd2ce0c31fda44574ae93ecdd188e9e974d0a45b619b03db7e3d279208
ccc96a6e23372009897887bc7ee8593ab1f0713d093d002148fea025fffca846
3c4d55297278d1e2d4393d4b65f6ed5a4d88ebf590677521e95f084bab83b6bb
a6d87b3bf56abc13aacfdcb260cb448d8dfa2c36a3d28a2d3adc441e5a73d6cd
0ad6215d8e2b8cf7d275fe373cf57b29d1c43ad59e6cb84accb8d8c39f97dc9d
c36284bc37b2aaf39d2e911ef97aac1fa583ca30d90f2cd006635f8f5bf0d7e1
6d941754a2209cf2052447b315f065c263a98c8b248df71fa7ef8ea4d419f1c5
675031e66f09b7272a97ee19171d82d6f33e818f2b76164805759ac1177e7f31
8f3e609007588fd586e007b24b61283ddb87946651ed2e51f3234dd4abbad321
137ea4fbeec2ecf11e76039af55b54b06f25c03bd3d68112b0fd413578dd93da
Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 142
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 188
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 339
comments 0

What is WarZone RAT malware?

WarZoneRAT is a remote access trojan (RAT) that has been distributed via the malware-as-a-service (MaaS) model since 2018 on both Clearnet and Darknet.

The range of capabilities of the malware includes information stealing, infected systems manipulation, and initiation of targeted attacks against organizations. Easy accessibility, frequent updates, and the ever-expanding set of features make WarZone RAT one of the most prevalent RATs in the global threat landscape.

When it was first discovered, researchers believed that the malware is fairly simple and won't follow Ryuk ransomware's story. After the later analysis, it was revealed that this virus has advanced functions under its hood, such as privilege escalation and remote camera control. According to the analysis, Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even such well-protected information such as credentials stored in Mozilla Firefox is not safe despite the utilized PK11 encryption.

However, some parts of the malware appear to be unfinished. And it looks like the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, this idea is nothing but worrying.

WarZoneRAT uses a DLL hijacking exploit that, at this point, doesn’t have a foreseeable fix. It allows the malware to escalate privileges of a Windows process and enable a malicious process to gain administrative control of an infected machine. Unfortunately, the malware is also capable of avoiding detection on many target machines.

Once the malware achieves this initial target, it downloads additional plugins and even other viruses like Lokibot to the machine.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of WarZoneRAT

WarZoneRAT operates by infiltrating a target's computer through a range of techniques, such as phishing emails. Once installed, it establishes an encrypted link with its command and control (C2) server, allowing the attacker to manage the compromised computer from a remote location.

The malware is equipped with a broad selection of features, some of which include:

  • Hidden remote access: Attackers can gain full control of the victim's machine to manipulate it and steal data, while staying completely invisible.
  • Password recovery: The malware is capable of extracting passwords from popular browsers and email clients.
  • File management: Malicious actors can interact with the infected computer’s file management system by uploading and downloading files, especially different kinds of payload, as well as executing them.
  • Offline keylogging: WarZoneRAT can record keystrokes, making it easy for hackers to discover sensitive information entered by the victim, including passwords and credit card numbers.
  • Screen capturing: The program can be configured to monitor desktop activity and take screenshots.
  • Updates: It can receive updates from its C2, thus evolving and utilizing new tools to circumvent security infrastructure.

One noteworthy aspect of WarZone RAT is its use of C++. While many RATs are built with .NET Framework (e.g., njRAT), which limits their operation to MS Windows, WarZoneRAT can function on any system with a C++ compiler.

The malware also implements obfuscation and evasion techniques to make detection a challenge. For instance, WarZone RAT can bypass User Account Control (UAC) to escalate privileges, installing itself on the victim's system. It also leverages process hollowing, which involves executing malicious binary as part of a legitimate process. Additionally, it makes use of anti-debugging mechanisms, complicating analysts’ investigations.

WarZoneRAT’s configuration WarZoneRAT’s configuration

WarZoneRAT execution process

By uploading a sample of WarZone RAT to the ANY.RUN sandbox, you can see the complete execution path of this malware, which may vary in different versions of WarZoneRAT.

Once the RAT makes its way into the system and begins execution, it uses cmd to collect information about the network configuration. To evade process-based defenses, it often employs process injection. In our case, Warzone utilizes the process hollowing technique (T1055.012) to inject its malicious code into the legitimate process aspnet_compiler.exe.

After WarZone RAT starts the hijacked process, it begins its malicious activity, such as stealing sensitive information and collecting credentials. In our sample, the malware does not receive a response from the Command & Control (C&C) server and is waiting for further instructions.

WarZoneRAT’s process graph WarZoneRAT’s process graph

Distribution methods of the WarZone RAT malware

Although there are plenty of ways WarZoneRAT can make it to a victim’s computer, the malware has been observed to utilize phishing emails as the primary method of distribution, which is also extensively employed by Vidar. Such emails contain malicious attachments that, when opened, install the malware on the victim's computer. For example, one of the occurrences of this malware was attributed to fake Hungarian government emails, which contained a WarZoneRAT executable in a .zip folder.

Additionally, the malware can be distributed as part of Microsoft 365 files, particularly .doc and .xml ones, injected with malicious code. When users open such files, the payload instantly gets downloaded, infecting their systems. The malware also can be accidentally downloaded by unsuspecting users visiting malicious websites. Similarly, some of the samples of this program were found on cloud storage platforms, disguising themselves as ordinary files.

How to detect WarZone RAT using ANY.RUN?

Unlike ransomware, WarZone RAT malware performs information stealing offline which causes it to save data locally on an infected system. To get the analysis of what information was stolen by Ave Maria RAT, take a look inside files that it creates using "Static Discovering." These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on a file’s name and start the analysis.

information stolen by ave maria Information is stolen by WarZone RAT

Conclusion

WarZoneRAT is a serious threat to organizations and individuals, and it is vital to be aware of the malware's capabilities and distribution methods to avoid infection. The most effective solution to protecting your infrastructure from this malicious program is to steer clear of downloading attachments and files from senders and sources you do not know or trust.

You can also check any suspicious file or URL in the ANY.RUN sandbox to receive a conclusive verdict on whether it is malicious or not.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy