BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
27
Global rank
49 infographic chevron month
Month rank
41 infographic chevron week
Week rank
392
IOCs

WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.

Remote Access Trojan
Type
Ex-USSR
Origin
4 December, 2018
First seen
26 February, 2024
Last seen
Also known as
AVE_MARIA
Ave Maria

How to analyze WarZone with ANY.RUN

Remote Access Trojan
Type
Ex-USSR
Origin
4 December, 2018
First seen
26 February, 2024
Last seen

IOCs

Hashes
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0
b7ba884dbc02ac37121203c9f5babc25578148ca9fc0c7e3f1111ae00b910f96
e2c6f4f125601845be66489bb4d348bfd157eb1760ffb7e85a4117c58d0cd018
d44fd80876ce6302ca17811574e3bcb50a7661a5dd68cb11beda88f66063cf86
499a3689072ac9755f9dd46d70c023918647211a16b03da9311abd97036902e6
62de5582c8c8dad5e6ae1e6008e3883c72b59de0b17cec54be78a888d4097dc2
64421ab9070f46618ed715eabad6773d34284c31fb9da36fa4420cab700edfb2
fdc1e685156902bdc98dafa83d13c08c0cd2ec816a5acd3598615f290f5239f0
c81e2db24dbfe22cce1c842f76a8ed3f8657b3f4f3775207001c0022ae0f8248
c2c1f31337e42182661a8f6643a9a055a1b970bc81f2947bc69843049095e236
c764ae8c562868bee836b3e84279900fd6933910f01584ec94428c56fc2bcadd
6823da737689a3717969e3f98c8482e6163fd13debb5a2da6fdc7e013750f2ed
6f25eb573192a3ad0c71d9b64d9cefd9d3231366e8904b5aae8bc8faf59076e5
1c9d339f96c25b3b8d06131a49e09169d42d663a3499eb870f8dee021497b8b5
a6d87b3bf56abc13aacfdcb260cb448d8dfa2c36a3d28a2d3adc441e5a73d6cd
4c3c2596ae1617b31d06d9eed15e3d1c40c25d944e5418896c595dab6ae7f553
675031e66f09b7272a97ee19171d82d6f33e818f2b76164805759ac1177e7f31
de9004ca0ce0c1eba06c36d2fe1e467247f687241741f5eb56a3d00c141c5574
e89071c2cad535d359a460c089f939a68a9faf480f9d1e0ea4134cfc77763748
137ea4fbeec2ecf11e76039af55b54b06f25c03bd3d68112b0fd413578dd93da
Last Seen at

Recent blog posts

post image
Analyzing Linux Malware in ANY.RUN: 3 exampl...
watchers 283
comments 0
post image
What is Crypto Malware: Definition and Analys...
watchers 271
comments 0
post image
Understanding Macros in Malware: Types, Capab...
watchers 378
comments 0

What is WarZone RAT malware?

WarZoneRAT is a remote access trojan (RAT) that has been distributed via the malware-as-a-service (MaaS) model since 2018 on both Clearnet and Darknet.

The range of capabilities of the malware includes information stealing, infected systems manipulation, and initiation of targeted attacks against organizations. Easy accessibility, frequent updates, and the ever-expanding set of features make WarZone RAT one of the most prevalent RATs in the global threat landscape.

When it was first discovered, researchers believed that the malware is fairly simple and won't follow Ryuk ransomware's story. After the later analysis, it was revealed that this virus has advanced functions under its hood, such as privilege escalation and remote camera control. According to the analysis, Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even such well-protected information such as credentials stored in Mozilla Firefox is not safe despite the utilized PK11 encryption.

However, some parts of the malware appear to be unfinished. And it looks like the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, this idea is nothing but worrying.

WarZoneRAT uses a DLL hijacking exploit that, at this point, doesn’t have a foreseeable fix. It allows the malware to escalate privileges of a Windows process and enable a malicious process to gain administrative control of an infected machine. Unfortunately, the malware is also capable of avoiding detection on many target machines.

Once the malware achieves this initial target, it downloads additional plugins and even other viruses like Lokibot to the machine.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of WarZoneRAT

WarZoneRAT operates by infiltrating a target's computer through a range of techniques, such as phishing emails. Once installed, it establishes an encrypted link with its command and control (C2) server, allowing the attacker to manage the compromised computer from a remote location.

The malware is equipped with a broad selection of features, some of which include:

  • Hidden remote access: Attackers can gain full control of the victim's machine to manipulate it and steal data, while staying completely invisible.
  • Password recovery: The malware is capable of extracting passwords from popular browsers and email clients.
  • File management: Malicious actors can interact with the infected computer’s file management system by uploading and downloading files, especially different kinds of payload, as well as executing them.
  • Offline keylogging: WarZoneRAT can record keystrokes, making it easy for hackers to discover sensitive information entered by the victim, including passwords and credit card numbers.
  • Screen capturing: The program can be configured to monitor desktop activity and take screenshots.
  • Updates: It can receive updates from its C2, thus evolving and utilizing new tools to circumvent security infrastructure.

One noteworthy aspect of WarZone RAT is its use of C++. While many RATs are built with .NET Framework (e.g., njRAT), which limits their operation to MS Windows, WarZoneRAT can function on any system with a C++ compiler.

The malware also implements obfuscation and evasion techniques to make detection a challenge. For instance, WarZone RAT can bypass User Account Control (UAC) to escalate privileges, installing itself on the victim's system. It also leverages process hollowing, which involves executing malicious binary as part of a legitimate process. Additionally, it makes use of anti-debugging mechanisms, complicating analysts’ investigations.

WarZoneRAT’s configuration WarZoneRAT’s configuration

WarZoneRAT execution process

By uploading a sample of WarZone RAT to the ANY.RUN sandbox, you can see the complete execution path of this malware, which may vary in different versions of WarZoneRAT.

Once the RAT makes its way into the system and begins execution, it uses cmd to collect information about the network configuration. To evade process-based defenses, it often employs process injection. In our case, Warzone utilizes the process hollowing technique (T1055.012) to inject its malicious code into the legitimate process aspnet_compiler.exe.

After WarZone RAT starts the hijacked process, it begins its malicious activity, such as stealing sensitive information and collecting credentials. In our sample, the malware does not receive a response from the Command & Control (C&C) server and is waiting for further instructions.

WarZoneRAT’s process graph WarZoneRAT’s process graph

Distribution methods of the WarZone RAT malware

Although there are plenty of ways WarZoneRAT can make it to a victim’s computer, the malware has been observed to utilize phishing emails as the primary method of distribution, which is also extensively employed by Vidar. Such emails contain malicious attachments that, when opened, install the malware on the victim's computer. For example, one of the occurrences of this malware was attributed to fake Hungarian government emails, which contained a WarZoneRAT executable in a .zip folder.

Additionally, the malware can be distributed as part of Microsoft 365 files, particularly .doc and .xml ones, injected with malicious code. When users open such files, the payload instantly gets downloaded, infecting their systems. The malware also can be accidentally downloaded by unsuspecting users visiting malicious websites. Similarly, some of the samples of this program were found on cloud storage platforms, disguising themselves as ordinary files.

How to detect WarZone RAT using ANY.RUN?

Unlike ransomware, WarZone RAT malware performs information stealing offline which causes it to save data locally on an infected system. To get the analysis of what information was stolen by Ave Maria RAT, take a look inside files that it creates using "Static Discovering." These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on a file’s name and start the analysis.

information stolen by ave maria Information is stolen by WarZone RAT

Conclusion

WarZoneRAT is a serious threat to organizations and individuals, and it is vital to be aware of the malware's capabilities and distribution methods to avoid infection. The most effective solution to protecting your infrastructure from this malicious program is to steer clear of downloading attachments and files from senders and sources you do not know or trust.

You can also check any suspicious file or URL in the ANY.RUN sandbox to receive a conclusive verdict on whether it is malicious or not.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy