S0670 WarzoneRAT
WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[1][2]
Item | Value |
---|---|
ID | S0670 |
Associated Names | Ave Maria |
Type | MALWARE |
Version | 1.0 |
Created | 27 December 2021 |
Last Modified | 15 April 2022 |
Associated Software Descriptions
Name | Description |
---|---|
Ave Maria | [1][2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | WarzoneRAT can use sdclt.exe to bypass UAC on Windows 10 and escalate privileges; on older Windows versions it abuses the IFileOperation COM interface to bypass UAC.[1][2] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | WarzoneRAT can add itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK Registry keys.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | WarzoneRAT can use PowerShell to download files and execute commands.[1][2] |
enterprise | T1059.003 | Windows Command Shell | WarzoneRAT can use cmd.exe to execute malicious code.[1] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | WarzoneRAT can grab stored passwords from numerous web browsers as well as from the Outlook and Thunderbird email clients.[1][2] |
enterprise | T1005 | Data from Local System | WarzoneRAT can collect data from a compromised host.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | WarzoneRAT can use a single-byte XOR with 0x45 to decode obfuscated code.[1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | WarzoneRAT can encrypt its C2 traffic with RC4 using the key warzone160\x00 (the string followed by a terminating NUL byte).[1] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.015 | Component Object Model Hijacking | WarzoneRAT can perform COM hijacking by writing its own path to the HKCU\Software\Classes\Folder\shell\open\command key together with a DelegateExecute value.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | WarzoneRAT can send collected victim data to its C2 server.[1] |
enterprise | T1083 | File and Directory Discovery | WarzoneRAT can enumerate directories on a compromised host.[1] |
enterprise | T1564 | Hide Artifacts | WarzoneRAT can masquerade its Process Environment Block on a compromised host to hide its attempts to elevate privileges through IFileOperation.[1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | WarzoneRAT can disable Windows Defender during the UAC bypass to evade detection.[1] |
enterprise | T1105 | Ingress Tool Transfer | WarzoneRAT can download and execute additional files.[1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | WarzoneRAT can install a live and an offline keylogger, including through use of the GetAsyncKeyState Windows API.[1][2] |
enterprise | T1112 | Modify Registry | WarzoneRAT can create HKCU\Software\Classes\Folder\shell\open\command as a new Registry key during privilege escalation.[1][2] |
enterprise | T1106 | Native API | WarzoneRAT can use a variety of API calls on a compromised host.[2] |
enterprise | T1095 | Non-Application Layer Protocol | WarzoneRAT can communicate with its C2 server over TCP on port 5200.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | WarzoneRAT has been distributed as a malicious email attachment.[1][3] |
enterprise | T1057 | Process Discovery | WarzoneRAT can obtain a list of processes on a compromised host.[1] |
enterprise | T1055 | Process Injection | WarzoneRAT can inject malicious DLLs into a specific process for privilege escalation.[1] |
enterprise | T1090 | Proxy | WarzoneRAT can act as a reverse proxy.[1] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.001 | Remote Desktop Protocol | WarzoneRAT can control an infected PC over RDP.[1] |
enterprise | T1021.005 | VNC | WarzoneRAT can provide remote desktop access via a VNC console.[1] |
enterprise | T1014 | Rootkit | WarzoneRAT can include a rootkit to hide processes, files, and startup entries.[1] |
enterprise | T1082 | System Information Discovery | WarzoneRAT can collect host information, including OS version, PC name, RAM size, and CPU details.[1] |
enterprise | T1221 | Template Injection | WarzoneRAT has been installed via template injection, using a malicious DLL embedded within a template RTF loaded by a Word document.[3] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | WarzoneRAT has relied on a victim opening a malicious email attachment for execution.[1][3] |
enterprise | T1125 | Video Capture | WarzoneRAT can access the webcam on a victim's machine.[1][2] |
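The T1573.001 and T1140 rows above give an analyst two concrete constants: the RC4 key "warzone160" followed by a NUL byte, and the single-byte XOR value 0x45. The block below is an added example of analyst tooling built on just those two facts; it is not code from this page or from WarzoneRAT itself. It does not reproduce Warzone's packet framing, and every byte string in it is constructed for the example. The known-answer check uses two published RC4 test vectors so a reader can trust the primitive before pointing it at real captures.

```python
# Added example for the T1573.001 and T1140 rows; illustrative analyst tooling,
# not code from the ATT&CK page or from WarzoneRAT. It assumes only what those
# rows state: RC4 keyed with "warzone160" plus a NUL byte, and XOR with 0x45.
# Warzone's real packet framing is not reproduced; sample bytes are constructed.

WARZONE_RC4_KEY = b"warzone160\x00"   # page: RC4 password "warzone160\x00"
WARZONE_XOR_KEY = 0x45                # page: XOR 0x45 decoding


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). One function serves both directions."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_known_answer_ok() -> bool:
    """Sanity-check the primitive against two published RC4 test vectors."""
    return (rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
            and rc4(b"Wiki", b"pedia").hex() == "1021bf0420")


def decrypt_c2(blob: bytes) -> bytes:
    """Decrypt (or encrypt) a Warzone-style C2 blob with the page's RC4 key."""
    return rc4(WARZONE_RC4_KEY, blob)


def xor_decode(blob: bytes, key: int = WARZONE_XOR_KEY) -> bytes:
    """Undo the single-byte XOR obfuscation; the operation is its own inverse."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap check that a decoded buffer starts with an MZ header."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed sample: a short "command" encrypted with the Warzone key.
    sample_ct = decrypt_c2(b"constructed sample command")
    print(decrypt_c2(sample_ct))
    # Dropping the trailing NUL from the key gives a different keystream,
    # which is the usual reason a hand-rolled decoder yields garbage.
    print(rc4(b"warzone160", sample_ct) == b"constructed sample command")
    # Constructed sample: an XOR-0x45-obfuscated MZ header plus padding.
    print(looks_like_pe(xor_decode(bytes([0x4D ^ 0x45, 0x5A ^ 0x45]) + b"\x45" * 4)))
```

The trailing NUL is part of the key: keying RC4 with the ten-byte string alone produces a different keystream, so a decoder that copies the password from a report without the terminator will fail silently. Pair `xor_decode` with `looks_like_pe` when carving the obfuscated payload the T1140 row describes.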
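The T1547.001, T1546.015, T1112 and T1548.002 rows above name three registry locations: the HKCU Run key, the Explorer\UIF2IS20VK key, and Folder\shell\open\command with a DelegateExecute value (the path the sdclt.exe UAC bypass also relies on). The block below is an added example of triage logic over Sysmon Event ID 13 (RegistryEvent, value set) records; it is not code from this page or any vendor product. It assumes records carrying Image, TargetObject and Details fields, Sysmon's rendering of HKCU as HKU\<SID>\ and of HKCU\Software\Classes as HKU\<SID>_Classes\, and a heuristic list of user-writable directories that is my own assumption rather than anything the page states. The sample events are constructed.

```python
# Added example for the T1547.001, T1546.015, T1112 and T1548.002 rows;
# illustrative detection logic, not code from the ATT&CK page or any product.
# Assumptions: Sysmon Event ID 13 records with Image/TargetObject/Details,
# Sysmon's HKU\<SID>\ and HKU\<SID>_Classes\ rendering of HKCU paths, and a
# heuristic list of user-writable directories. Sample events are constructed.
import re
from dataclasses import dataclass

# Key paths named on the page, lower-cased, without the hive prefix.
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run\\"
UIF_KEY = "software\\microsoft\\windows\\currentversion\\explorer\\uif2is20vk"
FOLDER_OPEN_CMD = "software\\classes\\folder\\shell\\open\\command"

# Sysmon writes HKCU as HKU\<SID>\ and HKCU\Software\Classes as HKU\<SID>_Classes\.
HIVE = re.compile(r"^(?:hkcu\\|hku\\s-[\d-]+(?P<cls>_classes)?\\)")

# Heuristic assumption (not from the page): Run-key entries launching from
# user-writable locations deserve more attention than vendor installs.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|users\\public|programdata)\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str      # "high", "medium" or "low"
    technique: str
    reason: str
    target: str
    image: str


def normalize(target_object: str) -> str:
    """Strip the hive so the path compares against the page's HKCU\\... keys."""
    t = target_object.lower()
    m = HIVE.match(t)
    if not m:
        return t
    rest = t[m.end():]
    return "software\\classes\\" + rest if m.group("cls") else rest


def triage(event: dict) -> list:
    """Return zero or one Finding for a Sysmon Event ID 13 record."""
    path = normalize(event.get("TargetObject", ""))
    image = event.get("Image", "")
    details = event.get("Details", "")
    target = event.get("TargetObject", "")
    if path.startswith(FOLDER_OPEN_CMD):
        value = path[len(FOLDER_OPEN_CMD):].lstrip("\\") or "(default)"
        what = "DelegateExecute" if value == "delegateexecute" else f"value '{value}'"
        return [Finding("high", "T1546.015 / T1548.002",
                        f"{what} set under Folder\\shell\\open\\command (COM hijack / sdclt.exe UAC bypass)",
                        target, image)]
    if path.startswith(UIF_KEY):
        return [Finding("high", "T1547.001",
                        "write to Explorer\\UIF2IS20VK, a key the page ties to WarzoneRAT persistence",
                        target, image)]
    if path.startswith(RUN_KEY):
        sev = "medium" if USER_WRITABLE.search(details) else "low"
        return [Finding(sev, "T1547.001", f"Run key value set to {details}", target, image)]
    return []


# Constructed Sysmon Event ID 13 records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\images.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\Folder\shell\open\command\DelegateExecute",
     "Details": ""},
    {"Image": r"C:\Users\alice\AppData\Roaming\images.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\images",
     "Details": r"C:\Users\alice\AppData\Roaming\images.exe"},
    {"Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
    {"Image": r"C:\Users\alice\AppData\Roaming\images.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\images.exe"},
]


def triage_all(events) -> list:
    """Flatten findings across a batch of events, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for e in events for f in triage(e)]
    return sorted(found, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.technique}: {f.reason} ({f.image})")
```

Two points matter when moving this to real telemetry. First, a write to HKCU\Software\Classes shows up in Sysmon under HKU\<SID>_Classes, not under HKU\<SID>\Software\Classes, so a rule that only matches the literal HKCU path from the page will miss the COM hijack entirely; `normalize` folds both forms back to the page's spelling. Second, Run-key writes are noisy, which is why the example grades them by launch location instead of treating every one as an alert; the UIF2IS20VK and Folder\shell\open\command writes are specific enough to escalate on their own.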
Groups That Use This Software
ID | Name | References |
---|---|---|
G0142 | Confucius | [1][3] |
References
1. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
2. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
3. Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.