WarzoneRAT

WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[1][2]

ID: S0670
Associated Software: Warzone, Ave Maria
Type: MALWARE
Platforms: Windows
Contributors: Abhijit Mohanta, @abhijit_mohanta, Uptycs; Shilpesh Trivedi, Uptycs
Version: 1.1
Created: 27 December 2021
Last Modified: 03 October 2023

Associated Software Descriptions

Name Description
Ave Maria

[1][2]

Techniques Used

Domain ID Name Use
Enterprise T1014 Rootkit

WarzoneRAT can include a rootkit to hide its processes, files, and startup entries.[1]

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

WarzoneRAT can perform COM hijacking by writing its own path to the HKCU\Software\Classes\Folder\shell\open\command key together with a DelegateExecute value.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from the Outlook and Thunderbird email clients.[1][2]

Enterprise T1005 Data from Local System

WarzoneRAT can collect data from a compromised host.[1]

Enterprise T1090 Proxy

WarzoneRAT has the capability to act as a reverse proxy.[1]

Enterprise T1112 Modify Registry

WarzoneRAT can create HKCU\Software\Classes\Folder\shell\open\command as a new registry key during privilege escalation.[2][1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

WarzoneRAT can encrypt its C2 traffic with RC4 using the key warzone160\x00.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

WarzoneRAT can use XOR with 0x45 to decrypt obfuscated code.[1]
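
The two protections named in the Encrypted Channel and Deobfuscate/Decode entries above are simple enough to reverse in a few lines. The following is an added analyst example, not WarzoneRAT's own code or anything from the cited reports: only the RC4 key warzone160\x00 and the XOR constant 0x45 come from this page, and every sample message it decodes is constructed inline for demonstration.

```python
"""Decode data protected the way this page describes for WarzoneRAT:
RC4 for C2 traffic and single-byte XOR (0x45) for obfuscated code.

Added analyst example, not WarzoneRAT's own code. Only the RC4 key and the
XOR constant come from the page; every ciphertext below is constructed here.
"""

# Key reported for WarzoneRAT's RC4 C2 encryption, including the trailing NUL byte.
WARZONE_RC4_KEY = b"warzone160\x00"
# Single-byte XOR key reported for its obfuscated code.
WARZONE_XOR_KEY = 0x45


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The cipher is symmetric: the same call
    encrypts and decrypts, so no separate decrypt routine is needed."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_c2(blob: bytes, key: bytes = WARZONE_RC4_KEY) -> bytes:
    """Recover the plaintext of an RC4-protected C2 message. The NUL in the
    key is part of the key material: dropping it changes the keystream."""
    return rc4(key, blob)


def xor_decode(data: bytes, key: int = WARZONE_XOR_KEY) -> bytes:
    """Undo single-byte XOR obfuscation; XOR with a constant is its own inverse."""
    return bytes(b ^ key for b in data)


def ascii_runs(data: bytes, min_len: int = 4) -> list:
    """Return printable-ASCII runs (like `strings`) so decoded output can be
    sanity-checked: the right key yields readable text, a wrong key does not."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":                  # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


if __name__ == "__main__":
    # Constructed sample: the kind of host data a beacon might carry.
    sample_plain = b"hostname=WKS01;os=Windows 10;ram=16384MB"
    wire = rc4(WARZONE_RC4_KEY, sample_plain)
    print("with key   :", ascii_runs(decrypt_c2(wire)))
    print("without NUL:", ascii_runs(decrypt_c2(wire, b"warzone160")))
    # Constructed sample of XOR-0x45 obfuscated bytes.
    print("xor 0x45   :", xor_decode(bytes(b ^ 0x45 for b in b"cmd.exe /c whoami")))
```

The `ascii_runs` helper is the practical check when applying this to a real capture: if the decrypted buffer contains no readable runs, the key (including its trailing NUL) or the sample's encryption is not what the page describes, and the bytes should be examined further rather than trusted.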

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

WarzoneRAT can add itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK Registry keys.[1]
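
The three registry artifacts this page names (the per-user Folder\shell\open\command key with DelegateExecute from the COM Hijacking and Modify Registry entries, and the Run and Explorer\UIF2IS20VK keys from the entry above) are cheap to hunt for on a host. The following Python is an added example, not WarzoneRAT or MITRE code: it evaluates a snapshot of those keys, the `SAMPLE_SNAPSHOT` it ships with is constructed for demonstration, and the user-writable-directory heuristic for Run entries is an assumption of this example rather than something the page states.

```python
"""Hunt for the WarzoneRAT registry artifacts listed on this page: the
per-user Folder\\shell\\open\\command COM-hijack key (used with DelegateExecute
for the sdclt.exe UAC bypass), Run-key persistence, and Explorer\\UIF2IS20VK.

Added example, not WarzoneRAT or MITRE code. It inspects a snapshot shaped as
{"HIVE\\key path": {value_name: data}}; SAMPLE_SNAPSHOT is constructed here.
On Windows, snapshot_hkcu() builds the same structure from the live hive.
"""
import sys

COM_HIJACK_KEY = r"HKCU\Software\Classes\Folder\shell\open\command"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK"
WATCHED_KEYS = (COM_HIJACK_KEY, RUN_KEY, EXPLORER_KEY)

# Staging directories a user can write to; a Run entry pointing here is weaker
# evidence than the two Warzone-specific keys (heuristic assumed by this example).
USER_WRITABLE_HINTS = ("\\appdata\\roaming\\", "\\temp\\", "\\programdata\\")

# Constructed sample for demonstration; not real telemetry.
SAMPLE_SNAPSHOT = {
    COM_HIJACK_KEY: {"": r"C:\Users\victim\AppData\Roaming\svchost.exe",
                     "DelegateExecute": ""},
    RUN_KEY: {"OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
              "Updater": r"C:\Users\victim\AppData\Roaming\svchost.exe"},
    EXPLORER_KEY: {"": r"C:\Users\victim\AppData\Roaming\svchost.exe"},
}


def find_indicators(snapshot: dict) -> list:
    """Return findings as dicts with severity, key and detail."""
    findings = []
    com = snapshot.get(COM_HIJACK_KEY)
    if com is not None:
        # Normally absent under HKCU. HKCR merges HKCU\Software\Classes over the
        # machine-wide entries, so an auto-elevated binary such as sdclt.exe that
        # invokes the Folder open verb runs whatever command is set here.
        detail = "default=%r" % com.get("", "")
        if "DelegateExecute" in com:
            detail += " with DelegateExecute present"
        findings.append({"severity": "high", "key": COM_HIJACK_KEY, "detail": detail})
    for name, data in snapshot.get(RUN_KEY, {}).items():
        staged = any(h in str(data).lower() for h in USER_WRITABLE_HINTS)
        findings.append({"severity": "medium" if staged else "low",
                         "key": RUN_KEY, "detail": "%s=%r" % (name, data)})
    if EXPLORER_KEY in snapshot:
        findings.append({"severity": "high", "key": EXPLORER_KEY,
                         "detail": "key present (family-specific name on this page)"})
    return findings


def snapshot_hkcu() -> dict:
    """Windows only: read the watched keys from the live HKCU hive."""
    import winreg  # imported here so the module still loads on non-Windows hosts
    snap = {}
    for full in WATCHED_KEYS:
        subkey = full.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as k:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:          # no more values
                        break
                    values[name] = data
                    i += 1
                snap[full] = values
        except FileNotFoundError:
            continue
    return snap


if __name__ == "__main__":
    snap = snapshot_hkcu() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for f in find_indicators(snap):
        print(f["severity"].upper().ljust(6), f["key"], f["detail"])
```

Run it as the user whose profile you are examining, since all three keys live under HKCU and a different user's hive will not be visible. The Run-key heuristic deliberately reports every entry (the constructed OneDrive entry comes back as `low`) so that an analyst sees the full autostart list rather than only the hits; treat the two `high` findings as the page-specific signal.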

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WarzoneRAT can use PowerShell to download files and execute commands.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

WarzoneRAT can use cmd.exe to execute malicious code.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

WarzoneRAT can disable Windows Defender during its UAC bypass process to evade detection.[1]

Enterprise T1083 File and Directory Discovery

WarzoneRAT can enumerate directories on a compromised host.[1]

Enterprise T1106 Native API

WarzoneRAT can use a variety of API calls on a compromised host.[2]

Enterprise T1221 Template Injection

WarzoneRAT has been installed via template injection, using a malicious DLL embedded within a template RTF loaded by a Word document.[3]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

WarzoneRAT can use sdclt.exe to bypass UAC on Windows 10 and escalate privileges; on older Windows versions it can use the IFileOperation exploit to bypass the UAC module.[1][2]

Enterprise T1204 .002 User Execution: Malicious File

WarzoneRAT has relied on a victim to open a malicious attachment within an email for execution.[1][3]

Enterprise T1082 System Information Discovery

WarzoneRAT can collect compromised host information, including OS version, PC name, RAM size, and CPU details.[1]

Enterprise T1125 Video Capture

WarzoneRAT can access the webcam on a victim's machine.[1][2]

Enterprise T1105 Ingress Tool Transfer

WarzoneRAT can download and execute additional files.[1]

Enterprise T1056 .001 Input Capture: Keylogging

WarzoneRAT has the capability to install both a live and an offline keylogger, including through the use of the GetAsyncKeyState Windows API.[1][2]

Enterprise T1057 Process Discovery

WarzoneRAT can obtain a list of processes on a compromised host.[1]

Enterprise T1055 Process Injection

WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

WarzoneRAT has the ability to control an infected PC using RDP.[1]

.005 Remote Services: VNC

WarzoneRAT can perform remote desktop access via a VNC console.[1]

Enterprise T1041 Exfiltration Over C2 Channel

WarzoneRAT can send collected victim data to its C2 server.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

WarzoneRAT has been distributed as a malicious attachment within an email.[1][3]

Enterprise T1564 Hide Artifacts

WarzoneRAT can masquerade the Process Environment Block (PEB) on a compromised host, making the process appear to be a trusted Windows binary, to hide its attempts to elevate privileges through IFileOperation.[1]

.003 Hidden Window

WarzoneRAT can perform remote desktop access through a hidden VNC (hVNC) window for decreased visibility.[4]

Enterprise T1095 Non-Application Layer Protocol

WarzoneRAT can communicate with its C2 server over TCP on port 5200.[1]

Groups That Use This Software

ID Name References
G1018 TA2541

[5]

G1015 Scattered Spider

Scattered Spider has utilized WarzoneRAT to remotely access a compromised system.[6]

G0142 Confucius

[1][3]

References