Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
40
Global rank
81 infographic chevron month
Month rank
70 infographic chevron week
Week rank
0
IOCs

WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.

RAT
Type
Ex-USSR
Origin
4 December, 2018
First seen
19 December, 2024
Last seen
Also known as
AVE_MARIA
Ave Maria

How to analyze WarZone with ANY.RUN

RAT
Type
Ex-USSR
Origin
4 December, 2018
First seen
19 December, 2024
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Well done, ANY.RUN: Our Top Cybersecurity Awa...
watchers 211
comments 0
post image
How DFIR Analysts Use ANY.RUN Sandbox
watchers 303
comments 0
post image
How to Set up a Windows 11 Malware Sandbox
watchers 1110
comments 0

What is WarZone RAT malware?

WarZoneRAT is a remote access trojan (RAT) that has been distributed via the malware-as-a-service (MaaS) model since 2018 on both Clearnet and Darknet.

The range of capabilities of the malware includes information stealing, infected systems manipulation, and initiation of targeted attacks against organizations. Easy accessibility, frequent updates, and the ever-expanding set of features make WarZone RAT one of the most prevalent RATs in the global threat landscape.

When it was first discovered, researchers believed that the malware is fairly simple and won't follow Ryuk ransomware's story. After the later analysis, it was revealed that this virus has advanced functions under its hood, such as privilege escalation and remote camera control. According to the analysis, Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even such well-protected information such as credentials stored in Mozilla Firefox is not safe despite the utilized PK11 encryption.

However, some parts of the malware appear to be unfinished. And it looks like the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, this idea is nothing but worrying.

WarZoneRAT uses a DLL hijacking exploit that, at this point, doesn’t have a foreseeable fix. It allows the malware to escalate privileges of a Windows process and enable a malicious process to gain administrative control of an infected machine. Unfortunately, the malware is also capable of avoiding detection on many target machines.

Once the malware achieves this initial target, it downloads additional plugins and even other viruses like Lokibot to the machine.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of WarZoneRAT

WarZoneRAT operates by infiltrating a target's computer through a range of techniques, such as phishing emails. Once installed, it establishes an encrypted link with its command and control (C2) server, allowing the attacker to manage the compromised computer from a remote location.

The malware is equipped with a broad selection of features, some of which include:

  • Hidden remote access: Attackers can gain full control of the victim's machine to manipulate it and steal data, while staying completely invisible.
  • Password recovery: The malware is capable of extracting passwords from popular browsers and email clients.
  • File management: Malicious actors can interact with the infected computer’s file management system by uploading and downloading files, especially different kinds of payload, as well as executing them.
  • Offline keylogging: WarZoneRAT can record keystrokes, making it easy for hackers to discover sensitive information entered by the victim, including passwords and credit card numbers.
  • Screen capturing: The program can be configured to monitor desktop activity and take screenshots.
  • Updates: It can receive updates from its C2, thus evolving and utilizing new tools to circumvent security infrastructure.

One noteworthy aspect of WarZone RAT is its use of C++. While many RATs are built with .NET Framework (e.g., njRAT), which limits their operation to MS Windows, WarZoneRAT can function on any system with a C++ compiler.

The malware also implements obfuscation and evasion techniques to make detection a challenge. For instance, WarZone RAT can bypass User Account Control (UAC) to escalate privileges, installing itself on the victim's system. It also leverages process hollowing, which involves executing malicious binary as part of a legitimate process. Additionally, it makes use of anti-debugging mechanisms, complicating analysts’ investigations.

WarZoneRAT’s configuration WarZoneRAT’s configuration

WarZoneRAT execution process

By uploading a sample of WarZone RAT to the ANY.RUN sandbox, you can see the complete execution path of this malware, which may vary in different versions of WarZoneRAT.

Once the RAT makes its way into the system and begins execution, it uses cmd to collect information about the network configuration. To evade process-based defenses, it often employs process injection. In our case, Warzone utilizes the process hollowing technique (T1055.012) to inject its malicious code into the legitimate process aspnet_compiler.exe.

After WarZone RAT starts the hijacked process, it begins its malicious activity, such as stealing sensitive information and collecting credentials. In our sample, the malware does not receive a response from the Command & Control (C&C) server and is waiting for further instructions.

WarZoneRAT’s process graph WarZoneRAT’s process graph

Distribution methods of the WarZone RAT malware

Although there are plenty of ways WarZoneRAT can make it to a victim’s computer, the malware has been observed to utilize phishing emails as the primary method of distribution, which is also extensively employed by Vidar. Such emails contain malicious attachments that, when opened, install the malware on the victim's computer. For example, one of the occurrences of this malware was attributed to fake Hungarian government emails, which contained a WarZoneRAT executable in a .zip folder.

Additionally, the malware can be distributed as part of Microsoft 365 files, particularly .doc and .xml ones, injected with malicious code. When users open such files, the payload instantly gets downloaded, infecting their systems. The malware also can be accidentally downloaded by unsuspecting users visiting malicious websites. Similarly, some of the samples of this program were found on cloud storage platforms, disguising themselves as ordinary files.

How to detect WarZone RAT using ANY.RUN?

Unlike ransomware, WarZone RAT malware performs information stealing offline which causes it to save data locally on an infected system. To get the analysis of what information was stolen by Ave Maria RAT, take a look inside files that it creates using "Static Discovering." These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on a file’s name and start the analysis.

information stolen by ave maria Information is stolen by WarZone RAT

Conclusion

WarZoneRAT is a serious threat to organizations and individuals, and it is vital to be aware of the malware's capabilities and distribution methods to avoid infection. The most effective solution to protecting your infrastructure from this malicious program is to steer clear of downloading attachments and files from senders and sources you do not know or trust.

You can also check any suspicious file or URL in the ANY.RUN sandbox to receive a conclusive verdict on whether it is malicious or not.

HAVE A LOOK AT

Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More