Warzone RAT Infrastructure Seized

On February 9, 2024, the Justice Department announced the seizure of internet domains selling the Warzone RAT malware, a sophisticated Remote Access Trojan. Domains including www[.]warzone[.]ws were seized, with two suspects arrested in Malta and Nigeria for selling the malware. The operation, led by the FBI and supported by Europol and J-CAT, aimed to disrupt cybercriminals using the malware.

Masquerading as a legitimate commercial IT administration tool maintained by an entity named Solmyr, Warzone RAT offers affordable monthly plans starting at $37.95, with options for 1-month, 3-month, and 12-month licenses, including a "Poison" version with a rootkit installation module. An optional Dynamic Domain Name System (DDNS) service is used to conceal the location of command-and-control (C2) servers used in attacks.

Analyst Comments:
Warzone RAT's cracked versions are available on darknet forums, and instructional videos on YouTube facilitate basic deployment and C2 administration. Notable campaigns involving Warzone RAT include targeting government employees and military personnel of India's National Informatics Centre (NIC) and its use by the Confucius APT group against mainland Chinese government entities and South Asian countries. Additionally, Warzone RAT was employed in a sophisticated phishing campaign spoofing official government communications to distribute malware in Hungary.

Suggested Corrections:
Warzone has been distributed through a virtually endless number of initial infection vectors, but it is officially sold in two distinct first-stage configurations: as an embedded Microsoft Office macro dropper, or packed as a compressed and encrypted dropper payload designed to bypass anti-virus detection. Outside of its official modes, Warzone is deployed via both malspam and targeted phishing campaigns that leverage:

  • Hacked WordPress websites and popular file hosting services such as archive[.]org and discord[.]com to host the payload
  • Self-extracting archives (SFX) formatted as .rar and .zip files, and .iso with fake file icons designed to look like popular software applications
  • Microsoft Office macros using a VBA-stomping technique that compiles the embedded macro script into P-code to avoid detection by antivirus products
  • A .NET loader written in C# that uses RunPE.dll to hijack, hollow, and inject Warzone into the InstallUtil.exe process
  • Using the Windows scripting language AutoIt to deliver the Warzone payload
  • Known vulnerabilities such as CVE-2017-11882 and CVE-2018-0802
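The delivery chains in the list above leave process-tree traces a defender can hunt for: an Office application spawning a script host or a binary from a user-writable directory (macro dropper), InstallUtil.exe started by a parent that lives in a user profile (RunPE hollowing), and the AutoIt interpreter running from a temporary directory. The following Python example is added here and is not code from the original advisory; the pipe-separated event format and the sample log lines are constructed for the example, and the rules are heuristics, not signatures for Warzone itself.

```python
"""Process-creation heuristics for the Warzone delivery chains described above.
Event format (constructed for this example): ParentImage | Image | CommandLine
"""
import os
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
# Directories a dropper can write to without elevation (lower-cased substrings).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\",
                 "\\users\\public\\")
# The only places InstallUtil.exe legitimately lives.
NET_FRAMEWORK_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
                      "c:\\windows\\microsoft.net\\framework64\\")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def parse_line(line: str) -> ProcEvent:
    parent, image, cmd = (p.strip() for p in line.split(" | ", 2))
    return ProcEvent(parent, image, cmd)


def classify(ev: ProcEvent):
    """Return the name of the first matching heuristic, or None if benign."""
    parent, image = basename(ev.parent_image), basename(ev.image)
    image_path, cmd = ev.image.lower(), ev.command_line.lower()
    # Macro dropper: Office spawning a script host or a freshly written binary.
    if parent in OFFICE_APPS and (image in SCRIPT_HOSTS or in_user_writable(image_path)):
        return "office-macro-child"
    # RunPE hollowing target: InstallUtil.exe outside the framework directory,
    # or launched by a parent that itself lives in a user-writable location.
    if image == "installutil.exe":
        if not image_path.startswith(NET_FRAMEWORK_DIRS) or in_user_writable(ev.parent_image):
            return "installutil-hollowing-candidate"
    # AutoIt interpreter or compiled script executing from a staging directory.
    if image.startswith("autoit") or ".a3x" in cmd:
        if in_user_writable(image_path) or in_user_writable(cmd):
            return "autoit-loader"
    return None


def analyze(lines):
    """Return [(rule, image basename)] for every event that matches a heuristic."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        rule = classify(ev)
        if rule:
            findings.append((rule, basename(ev.image)))
    return findings


# Constructed sample events: four suspicious chains and two benign ones.
SAMPLE_LOG = [
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | C:\Windows\System32\cmd.exe | cmd.exe /c start update.exe",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | C:\Users\alice\AppData\Local\Temp\update.exe | update.exe",
    r"C:\Users\alice\AppData\Roaming\setup.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | InstallUtil.exe",
    r"C:\Users\alice\Downloads\photo_viewer.exe | C:\Users\alice\AppData\Local\Temp\AutoIt3.exe | AutoIt3.exe C:\Users\alice\AppData\Local\Temp\main.a3x",
    r"C:\Windows\explorer.exe | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | WINWORD.EXE /n report.docx",
    r"C:\Windows\System32\msiexec.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe | InstallUtil.exe service.dll",
]

if __name__ == "__main__":
    for rule, image in analyze(SAMPLE_LOG):
        print(f"{rule:34} {image}")
```

The rules are deliberately parent/child based rather than hash based, since the packed and encrypted first stage changes between samples while the execution chain does not. Tune the directory lists to the environment before running this over real Sysmon or EDR exports.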

Warzone gains persistence on the target host by creating a value under a Windows registry Run key (usually HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run) and setting it to the path of Warzone's executable binary. Finally, Warzone can escalate privileges using an older DLL hijacking technique for UAC bypass.
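The Run-key persistence just described can be audited by listing every Run value, extracting the executable path from it, and flagging paths that point into user-writable directories, reuse the name of a Windows system binary outside the Windows directory, or are unquoted paths containing spaces. The Python example below is added here and is not code from the original advisory; the three sample Run entries are constructed, and `read_run_keys()` is an optional live reader that only works on Windows.

```python
"""Audit Run-key values for the persistence pattern described above.
The SAMPLE_ENTRIES are constructed; read_run_keys() enumerates the live keys
(Windows only) and yields the same (key, name, value) triples."""
import os
import re

RUN_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\",
                 "\\users\\public\\")
# Names malware borrows from Windows; legitimate copies live under C:\Windows.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def extract_image(value: str) -> str:
    """Pull the executable path out of a Run value (quoted or unquoted, with args)."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", v, re.IGNORECASE)  # unquoted: stop at first .exe
    return m.group(1) if m else v.split()[0]


def assess(value: str):
    """Return the list of reasons this Run value is suspicious (empty if none)."""
    image = extract_image(value)
    lower = image.lower()
    name = os.path.basename(lower.replace("\\", "/"))
    reasons = []
    if any(marker in lower for marker in USER_WRITABLE):
        reasons.append("binary in user-writable location")
    if name in SYSTEM_NAMES and not lower.startswith("c:\\windows\\"):
        reasons.append("system binary name outside C:\\Windows")
    if " " in image and not value.strip().startswith('"'):
        reasons.append("unquoted path with spaces")
    return reasons


def audit(entries):
    """Map 'key\\name' -> reasons for every flagged (key, name, value) triple."""
    return {f"{key}\\{name}": r for key, name, value in entries if (r := assess(value))}


def read_run_keys():
    """Enumerate the live Run keys; Windows only, so the import is local."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for key in RUN_KEYS:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)
                    except OSError:
                        break
                    yield key, name, str(data)
                    i += 1
        except OSError:
            continue  # key absent on this host


# Constructed sample entries: one benign, two suspicious.
SAMPLE_ENTRIES = [
    (RUN_KEYS[1], "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[1], "WinUpdate", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (RUN_KEYS[2], "Updater", r"C:\ProgramData\Update Service\update.exe -s"),
]

if __name__ == "__main__":
    for entry, reasons in audit(SAMPLE_ENTRIES).items():
        print(entry, "->", "; ".join(reasons))
```

On a 64-bit host, run the reader from a 64-bit Python so that both the native key and the Wow6432Node view are opened by their explicit paths; the audit logic itself has no Windows dependency and can be run against exported entries from any platform.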