Malware Analysis Spotlight: Warzone RAT – Automatically Peeling Away the LayersOctober 19, 2020 | Malware Analysis
10/21/2020: The classification of the malware in this Threat Spotlight has been corrected from “Ave_Maria” to “Warzone RAT”. The source of the distinctive “Ave_Maria” substring can be attributed to the open-source TinyNuke malware, which was reused in some Warzone RAT samples. In TinyNuke the string “AVE_MARIA” is transmitted in the initialization phase of the hVNC network connection.
Countless, easily-configurable malware families give rise, unfortunately, to countless malware samples. Fortunately for researchers, these different samples share functionality and the family can be discerned by looking for similarities, patterns, and heuristics contained within the code. It’s easy to figure out the child when you know what the parent looks like.
In this Malware Analysis Spotlight, we highlight the execution of a packed Warzone RAT sample. Warzone RAT is a Remote Access Trojan which was first advertised near the end of 2018 on warzone[.]io. This packed sample version of Warzone RAT was first seen this month according to VirusTotal. It is typically distributed via malicious email campaigns and is capable of credential theft and bypassing User Access Control (UAC).
In this sample, the packer is written in .Net and unpacks Warzone RAT and a UAC bypass. Both parts, packer and Warzone RAT, gains persistence as we see in the following.
Analysis of the Execution Chain
The execution starts with a .NET binary (packer) that carries the actual payload inside its resources. In the beginning, it makes sure to copy itself to a less obvious location the %APPDATA% directory.
The loader creates a temporary file and writes data to it (Figure 2). Task scheduler provides the functionality to define a task and its triggers using an XML file which can then be supplied as a parameter to the
schtasks.exe command-line utility. The malware makes use of this fact and registers a task with a logon trigger using an XML file (Figure 3). This is one of the two methods used for persistence observed during the infection process.
It then creates a new process of itself in a suspended state. The encoded payload is a string that is read into an array, reversed and base64 decoded. The actual Warzone RAT is then unpacked into the newly created process. To be more specific two executables are injected. The first one, the RAT payload, is injected at address 0x400000. Following that, the UAC bypass, which is further described by Checkpoint, is injected at the address 0x54e000 (Figure 4).
After the loader is finished unpacking, the execution is passed to the injected stealer payload by resuming its thread.
VMRay Analyzer is monitoring all injection attempts and provides the possibility to access the injected data. In this case, it’s already the unpacked payload that is being injected which saves time during analysis.
In addition to the achieved persistence with
schtasks.exe, a new value is written to the well-known startup registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Figure 5).
Some malware authors try to target security researchers by directly referencing their names in the binary. This is also the case with Warzone RAT which directly references a well-known researcher in the security community (Figure 6). However, we can use this to our advantage. It’s a good indicator to detect further malicious samples.
After the above-mentioned execution chain, Warzone RAT, which is also equipped with a stealing functionality, starts harvesting the credentials of multiple applications (Figure 7).
As one can see from the above analysis, Warzone RAT can be a challenge to de-obfuscate but the use of VMRay Analyzer eases the pursuit and increases understanding of the sample’s execution chain. Analyzer allows users to extract important runtime information faster without dealing with multiple obfuscation layers or debugging the sample manually.