S0670 WarzoneRAT

WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[1][2]

Item Value
ID S0670
Associated Names Ave Maria
Version 1.0
Created 27 December 2021
Last Modified 15 April 2022

Associated Software Descriptions

Name Description
Ave Maria [1][2]

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control WarzoneRAT can use sdclt.exe to bypass UAC in Windows 10 to escalate privileges; for older Windows versions WarzoneRAT can use the IFileOperation exploit to bypass the UAC module.[1][2]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder WarzoneRAT can add itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK Registry keys.[1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell WarzoneRAT can use PowerShell to download files and execute commands.[1][2]
enterprise T1059.003 Windows Command Shell WarzoneRAT can use cmd.exe to execute malicious code.[1]
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients.[1][2]
enterprise T1005 Data from Local System WarzoneRAT can collect data from a compromised host.[1]
enterprise T1140 Deobfuscate/Decode Files or Information WarzoneRAT can use XOR 0x45 to decrypt obfuscated code.[1]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography WarzoneRAT can encrypt its C2 with RC4 with the password warzone160\x00.[1]
enterprise T1546 Event Triggered Execution -
enterprise T1546.015 Component Object Model Hijacking WarzoneRAT can perform COM hijacking by setting the path to itself to the HKCU\Software\Classes\Folder\shell\open\command key with a DelegateExecute parameter.[1]
enterprise T1041 Exfiltration Over C2 Channel WarzoneRAT can send collected victim data to its C2 server.[1]
enterprise T1083 File and Directory Discovery WarzoneRAT can enumerate directories on a compromised host.[1]
enterprise T1564 Hide Artifacts WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through IFileOperation.[1]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools WarzoneRAT can disarm Windows Defender during the UAC process to evade detection.[1]
enterprise T1105 Ingress Tool Transfer WarzoneRAT can download and execute additional files.[1]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging WarzoneRAT has the capability to install a live and offline keylogger, including through the use of the GetAsyncKeyState Windows API.[1][2]
enterprise T1112 Modify Registry WarzoneRAT can create HKCU\Software\Classes\Folder\shell\open\command as a new registry key during privilege escalation.[2][1]
enterprise T1106 Native API WarzoneRAT can use a variety of API calls on a compromised host.[2]
enterprise T1095 Non-Application Layer Protocol WarzoneRAT can communicate with its C2 server via TCP over port 5200.[1]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment WarzoneRAT has been distributed as a malicious attachment within an email.[1][3]
enterprise T1057 Process Discovery WarzoneRAT can obtain a list of processes on a compromised host.[1]
enterprise T1055 Process Injection WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation.[1]
enterprise T1090 Proxy WarzoneRAT has the capability to act as a reverse proxy.[1]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol WarzoneRAT has the ability to control an infected PC using RDP.[1]
enterprise T1021.005 VNC WarzoneRAT has the ability to perform remote desktop access via a VNC console.[1]
enterprise T1014 Rootkit WarzoneRAT can include a rootkit to hide processes, files, and startup.[1]
enterprise T1082 System Information Discovery WarzoneRAT can collect compromised host information, including OS version, PC name, RAM size, and CPU details.[1]
enterprise T1221 Template Injection WarzoneRAT has been installed via template injection through a malicious DLL embedded within a template RTF in a Word document.[3]
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File WarzoneRAT has relied on a victim to open a malicious attachment within an email for execution.[1][3]
enterprise T1125 Video Capture WarzoneRAT can access the webcam on a victim’s machine.[1][2]
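As an added detection example (not code from the ATT&CK page or from the WarzoneRAT authors), the Python triage function below flags Sysmon-style registry events that touch the persistence keys (T1547.001) and the Folder\shell\open\command hijack key (T1546.015 / sdclt.exe UAC bypass) listed in the table above. The Sysmon field names (EventID, TargetObject, Image) are real; the sample events, SID and dropper path are constructed for the demonstration.

```python
import re

# Registry locations the WarzoneRAT entry above ties to persistence and to the
# Folder\shell\open\command hijack, each mapped to its ATT&CK technique ID.
WARZONE_REGISTRY_INDICATORS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "T1547.001", "Run key persistence (noisy: allow-list known installers)"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK",
     "T1547.001", "WarzoneRAT-specific Explorer subkey"),
    (r"HKCU\Software\Classes\Folder\shell\open\command",
     "T1546.015", "Folder shell\\open\\command hijack (sdclt.exe UAC bypass path)"),
]

# Sysmon records HKCU keys under HKU\<user SID>\...; fold that back to HKCU.
_HKU_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)

def normalise_key(target_object: str) -> str:
    return _HKU_SID.sub(lambda m: "HKCU\\", target_object)

def triage_registry_events(events):
    """Scan Sysmon-style registry events (EventID 12 = key create/delete, 13 = value
    set); return (technique_id, reason, TargetObject, Image) per indicator touch."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (12, 13):
            continue
        key = normalise_key(ev.get("TargetObject", "")).lower()
        for prefix, tid, reason in WARZONE_REGISTRY_INDICATORS:
            p = prefix.lower()
            if key == p or key.startswith(p + "\\"):  # the key itself or a subkey/value
                if tid == "T1546.015" and key.endswith("\\delegateexecute"):
                    reason += " (DelegateExecute value written)"
                hits.append((tid, reason, ev["TargetObject"], ev.get("Image", "")))
                break
    return hits

# Constructed sample telemetry (not real logs): three indicator touches from a
# hypothetical dropper path plus one benign Office write for contrast.
_SID = r"HKU\S-1-5-21-111-222-333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Roaming\dropper.exe",
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"EventID": 12, "Image": r"C:\Users\u\AppData\Roaming\dropper.exe",
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Roaming\dropper.exe",
     "TargetObject": _SID + r"\Software\Classes\Folder\shell\open\command\DelegateExecute"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": _SID + r"\Software\Microsoft\Office\16.0\Word\Options\LastUILang"},
]
```

Calling `triage_registry_events(SAMPLE_EVENTS)` returns three hits (two T1547.001, one T1546.015 with the DelegateExecute note) and ignores the Office write; in production the Run-key rule needs an allow-list, while any write to Folder\shell\open\command by a non-installer process is worth an immediate look.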

Groups That Use This Software

ID Name References
G0142 Confucius [1][3]