25
Global rank
24
Month rank
27
Week rank
402
IOCs

WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.

Remote Access Trojan
Type
Ex-USSR
Origin
4 December, 2018
First seen
22 September, 2023
Last seen
Also known as
AVE_MARIA
Ave Maria

How to analyze WarZone with ANY.RUN

Remote Access Trojan
Type
Ex-USSR
Origin
4 December, 2018
First seen
22 September, 2023
Last seen

IOCs

Hashes
d752d7ddde2d36f260f1bbbac44db09b32a307a01e8c312e4f8d92e90913ef5c
414c47132ef2e34f5ba9cf5bc4575a991477626ed9819f30c60f99cbc78eb50d
73fc341bbc5be844d20c51d8ee5356b9d44a628d0aef4e95df08b057ea6cadba
c7a6dc10078ce009b00a38a12df8b0d1d770ac3902d3ed4b203101be2cd2b6f2
9675c26063960c74114460aa260684a0de5474930ab239b44afe8fba6ad4e012
12bb5d9a545859825d7927e029992ec7d4c2aa7dab20749c500096564a43084c
b320fa114a23a5a628f5e3bda3a287fe38a925c24141f6acbb3737ebd8ddfcf7
8f3e609007588fd586e007b24b61283ddb87946651ed2e51f3234dd4abbad321
1a4027f6dcfe2292f89355090ae677b49e5bfe5683ace9aea60e2765711cff87
b222eba2cd4a7a37d8b38083130df60200958d6cd0175c8e827e30a6b434c452
39f03899b31f7ee67930ca7c8e170cf3a0c2ce355d34dd6d6d1efe3ef6409278
bf64c1524a374361c824cb3054b1c5179922b089872ad817c4666f700332084b
e1f1f72698aa8762305e8d324a04608fda13f7a416f2a5a7fcbad843cff138cc
c61524663e1b92b54d87b99787169a6e0f9fa1aeacfeaf4fadea700ce70907ea
85d1a2ce53141928c4e2fc90a0c58a93d2ef6e605b1b5c5bf89cf3ea359417af
a27087a5e852d409af70e117cfe6beab449556581876daca7ed6169e27e8ddea
2f9ec3d178213d5f97668cc78eca26bdad67afd933ad441db0718fa629a6bbfe
4d69d33f1488ca900dac7d704c5eee62828570fe41b1a209e9ec847bcab2a66d
c96f6de4762d4003bab4ac6f3d82c4795487ee02ba51bd471fb3d90bf216ac46
eccd6441ab4044ebc6140515cb0fa40c058e462f0aec11a363795e635f8e6d66
Last Seen at

Recent blog posts

Malware Analysis for Keeping Up with the Late...
watchers 465
comments 0
ChatGPT-powered Malware Analysis: Review Sand...
watchers 2476
comments 2
How to Hire the Right Malware Analyst for You...
watchers 663
comments 0

What is WarZone RAT malware?

WarZoneRAT is a remote access trojan (RAT) that has been distributed via the malware-as-a-service (MaaS) model since 2018 on both Clearnet and Darknet.

The range of capabilities of the malware includes information stealing, infected systems manipulation, and initiation of targeted attacks against organizations. Easy accessibility, frequent updates, and the ever-expanding set of features make WarZone RAT one of the most prevalent RATs in the global threat landscape.

When it was first discovered, researchers believed that the malware is fairly simple and won't follow Ryuk ransomware's story. After the later analysis, it was revealed that this virus has advanced functions under its hood, such as privilege escalation and remote camera control. According to the analysis, Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even such well-protected information such as credentials stored in Mozilla Firefox is not safe despite the utilized PK11 encryption.

However, some parts of the malware appear to be unfinished. And it looks like the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, this idea is nothing but worrying.

WarZoneRAT uses a DLL hijacking exploit that, at this point, doesn’t have a foreseeable fix. It allows the malware to escalate privileges of a Windows process and enable a malicious process to gain administrative control of an infected machine. Unfortunately, the malware is also capable of avoiding detection on many target machines.

Once the malware achieves this initial target, it downloads additional plugins and even other viruses like Lokibot to the machine.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of WarZoneRAT

WarZoneRAT operates by infiltrating a target's computer through a range of techniques, such as phishing emails. Once installed, it establishes an encrypted link with its command and control (C2) server, allowing the attacker to manage the compromised computer from a remote location.

The malware is equipped with a broad selection of features, some of which include:

  • Hidden remote access: Attackers can gain full control of the victim's machine to manipulate it and steal data, while staying completely invisible.
  • Password recovery: The malware is capable of extracting passwords from popular browsers and email clients.
  • File management: Malicious actors can interact with the infected computer’s file management system by uploading and downloading files, especially different kinds of payload, as well as executing them.
  • Offline keylogging: WarZoneRAT can record keystrokes, making it easy for hackers to discover sensitive information entered by the victim, including passwords and credit card numbers.
  • Screen capturing: The program can be configured to monitor desktop activity and take screenshots.
  • Updates: It can receive updates from its C2, thus evolving and utilizing new tools to circumvent security infrastructure.

One noteworthy aspect of WarZone RAT is its use of C++. While many RATs are built with .NET Framework (e.g., njRAT), which limits their operation to MS Windows, WarZoneRAT can function on any system with a C++ compiler.

The malware also implements obfuscation and evasion techniques to make detection a challenge. For instance, WarZone RAT can bypass User Account Control (UAC) to escalate privileges, installing itself on the victim's system. It also leverages process hollowing, which involves executing malicious binary as part of a legitimate process. Additionally, it makes use of anti-debugging mechanisms, complicating analysts’ investigations.

WarZoneRAT’s configuration WarZoneRAT’s configuration

WarZoneRAT execution process

By uploading a sample of WarZone RAT to the ANY.RUN sandbox, you can see the complete execution path of this malware, which may vary in different versions of WarZoneRAT.

Once the RAT makes its way into the system and begins execution, it uses cmd to collect information about the network configuration. To evade process-based defenses, it often employs process injection. In our case, Warzone utilizes the process hollowing technique (T1055.012) to inject its malicious code into the legitimate process aspnet_compiler.exe.

After WarZone RAT starts the hijacked process, it begins its malicious activity, such as stealing sensitive information and collecting credentials. In our sample, the malware does not receive a response from the Command & Control (C&C) server and is waiting for further instructions.

WarZoneRAT’s process graph WarZoneRAT’s process graph

Distribution methods of the WarZone RAT malware

Although there are plenty of ways WarZoneRAT can make it to a victim’s computer, the malware has been observed to utilize phishing emails as the primary method of distribution, which is also extensively employed by Vidar. Such emails contain malicious attachments that, when opened, install the malware on the victim's computer. For example, one of the occurrences of this malware was attributed to fake Hungarian government emails, which contained a WarZoneRAT executable in a .zip folder.

Additionally, the malware can be distributed as part of Microsoft 365 files, particularly .doc and .xml ones, injected with malicious code. When users open such files, the payload instantly gets downloaded, infecting their systems. The malware also can be accidentally downloaded by unsuspecting users visiting malicious websites. Similarly, some of the samples of this program were found on cloud storage platforms, disguising themselves as ordinary files.

How to detect WarZone RAT using ANY.RUN?

Unlike ransomware, WarZone RAT malware performs information stealing offline which causes it to save data locally on an infected system. To get the analysis of what information was stolen by Ave Maria RAT, take a look inside files that it creates using "Static Discovering." These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on a file’s name and start the analysis.

information stolen by ave maria Information is stolen by WarZone RAT

Conclusion

WarZoneRAT is a serious threat to organizations and individuals, and it is vital to be aware of the malware's capabilities and distribution methods to avoid infection. The most effective solution to protecting your infrastructure from this malicious program is to steer clear of downloading attachments and files from senders and sources you do not know or trust.

You can also check any suspicious file or URL in the ANY.RUN sandbox to receive a conclusive verdict on whether it is malicious or not.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy