Technical analysis of WarZoneRAT malware

In the name of God, the Most Gracious, the Most Merciful

FreePalestine

Introduction

We will start by analyzing Ave Maria, also known as WARZONE RAT. Ave Maria is a Remote Access Trojan (RAT) that provides capabilities such as stealing cookies, stealing passwords, keylogging (online and offline), Windows Defender bypass, and remote webcam access.

We can take a look at what this threat actor provides to its customers from its site warzone[.]ws.

Figure Screenshot of the RAT capabilities from warzone[.]ws


Figure Screenshot of the RAT capabilities from warzone[.]ws


And special thanks to Abdallah Elshinbary for his continuous help and support.

Technical summary

When the attacker wants to trigger an action, it sends the RAT a hex command number. Every hex number maps to a specific action.

  • Password and Cookies Recovery: When it comes to RATs, there is always something to do with browsers and email clients. The malware harvests the cookies, passwords, history, and configurations of browsers, and steals the passwords and configurations of email clients.

  • Keylogging: Any RAT has the capability to log any keystrokes, but Warzone RAT has the two types of Keylogging which are the live keylogger and the offline keylogger.

  • Recording audio: The RAT has the capability to record audio and save it to .wav file and send it to the C2 server.

  • HRDP: This allows the attacker to connect to and control the victim’s device without the victim knowing or being alerted, using Hidden RDP.

  • Enumerate processes, disks, and files: The malware can enumerate the currently running processes, disks and their types, and files inside a specific directory.

  • File Manager: The RAT gives its customers the ability to download and upload files from the victim’s computer, execute a file, and delete files. It can also compress any directory inside the victim’s computer using a command and send the archive to the C2 server.

  • Other features: The malware can terminate any process the attacker wants, uninstall itself by terminating its thread and deleting its registry entries, restart the device using commands, create a process to check connectivity, and take screenshots of the victim’s device.

Password and Cookies Recovery

Once the attacker sends the command 0x20 (hex) to the RAT, the malware creates a thread to start the Password Recovery action. The RAT steals the saved passwords, configurations, cookies, and history from browsers and extracts profiles and passwords from some email clients. It then encrypts the data, sends it to the C2 server, and terminates the thread.

First, the malware steals the cookies of Chromium-based browsers such as Google Chrome and Microsoft Edge by running select host_key, path, name, encrypted_value, expires_utc, is_httponly, samesite, is_secure from cookies against the cookies table of the Cookies database, and the cookies of Mozilla Firefox by running SELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies against the moz_cookies table.
The w_query_get_chrome_based_cookies (sub_40C5FA) function uses SHGetSpecialFolderPathW to get the AppData path C:\Users\user\AppData\Local\ and then appends the cookies path \Google\Chrome\User Data\Default\Network\Cookies to it, giving C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies.

The malware uses the same approach to locate all the databases that hold sensitive data, such as Login Data and the browser History.

Figure Steal Cookies from browsers - sub_40DC9D


Next, the malware goes after the history of the user’s browsers in the same way it steals the cookies. For Chromium-based browsers it runs SELECT url, title, visit_count, last_visit_time FROM urls, and for Mozilla it runs SELECT url, title, visit_count, last_visit_date FROM moz_places.

Figure Steal History from browsers - sub_40DC9D


In the next figure, the malware steals the passwords and configurations of specific browsers by running select signon_realm, origin_url, username_value, password_value from logins against the logins table of the Login Data database.

Figure Steal password and configurations from browsers - sub_40DC9D


For email clients, the malware goes after Outlook (sub_4104A0), Foxmail (sub_410981), and Thunderbird (sub_40FA23).
As we can see in the next figure, the malware steals the configuration and login data of the Thunderbird email client.

Figure Steal Configurations from Thunderbird - sub_40FA23


After stealing the sensitive data from browsers and email clients, the malware encrypts the stolen data with a customized RC4 algorithm, using nevergonnagiveyouup as the key, and then sends it to the C2 server over sockets.

Figure Customized RC4 encryption algorithm - sub_406244


The list of targeted browsers:

  • Mozilla Firefox

  • Google Chrome

  • Epic Privacy Browser

  • Microsoft Edge

  • UCBrowser

  • QQBrowser

  • Opera Software

  • Blisk

  • Chromium

  • Brave-Browser

  • Vivaldi

  • Comodo

  • Torch

  • Slimjet

  • CentBrowser

  • Internet Explorer


The list of the targeted Email clients:

  • Outlook

  • Thunderbird

  • Foxmail

Keylogging

The RAT has two types of keylogging: the live keylogger and the offline keylogger. The offline keylogger runs while the victim is offline.
When the attacker sends the command 0x24 (hex), the RAT starts a thread running the live keylogger function.

Figure Live and offline keylogging - sub_40A78D


The malware creates a directory named Microsoft Vision in the AppData directory and then creates a file with a timestamp-based name. It then retrieves keyboard input messages such as WM_KEYDOWN and WM_KEYUP, which the OS generates when the victim uses the keyboard, using the GetMessageA API.

Figure How keylogging is working - sub_40A86E


Inside the w_mw_get_clipboard_data_keyboard_in (sub_40ADCA) function, we see that the malware grabs the clipboard data inside mw_get_clipboard_data (sub_4174BA). It then encrypts the data and sends it to the C2 server in the live keylogger case, or writes the grabbed data to a file, encrypts it, and sends it to the C2 server in the offline keylogger case.

Figure clipboard grabber - sub_40ADCA


Figure How malware grab clipboard data - sub_4174BA


After grabbing the clipboard data, the malware starts keylogging: it gets the window name and checks the keyboard input state using the w_GetKeyboardState (sub_40AAFD) function to see whether Shift or Caps Lock is pressed. If Shift or Caps Lock is pressed, the w_ToLowerCase (sub_401098) function converts uppercase to lowercase.
It then encrypts the logs and sends them to the C2 server in the live keylogger case, or writes the logs to a file, encrypts it, and sends it to the C2 server in the offline keylogger case.
Each log entry consists of #Window Name: followed by the window name, whether Shift or Caps Lock was pressed, and the keystrokes.

Figure The RAT keylogging the victim - sub_40ADCA


When the malware receives the command 0x26 (hex), it terminates the thread that runs the keylogging function.

Figure Terminate the thread which runs the keylogging function - sub_40528D


Recording Audio

The RAT has two functions for recording audio: mw_record_audio (sub_40B46F) and mw_record_audio_0 (sub_040BB1C). The command 0x54 (hex) starts one of them in a thread.

Figure Two recording function - sub_40528D


Inside the first function, mw_record_audio (sub_40B46F), the waveInOpen API opens the audio input device for recording with the parameters given in the pwfx structure. The recording is saved to a .wav file with a time-based name, and the function can then prepare for a new recording. This function only records audio and saves the .wav file.

Figure mw_record_audio function - sub_40B46F


The second function, mw_record_audio_0 (sub_040BB1C), does the same as mw_record_audio, but after recording the audio and saving the .wav file it encrypts the file and sends it to the C2 server before starting a new recording.

Figure Sending the audio file to the C2 server - sub_040BB1C


waveInUnprepareHeader is called after the audio has been recorded and captured in the buffer, as a cleanup step.
To stop recording audio, the RAT receives the command 0x5A (hex).

HRDP

The RAT provides remote access to the victim’s device through Hidden RDP (HRDP), which lets the attacker connect to and control the device without the victim knowing or being alerted.
The malware first reads the ServiceDll value under SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters, which holds the path %SystemRoot%\System32\termsrv.dll.
termsrv.dll is the DLL that implements the functionality and settings of the Remote Desktop Protocol (RDP).

Figure Get the path to termsrv.dll - sub_412446


After that, the malware adds a new user account with special properties, such as being hidden from the login screen.
First, the malware creates the key SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList and sets the UserList value for the account to 0 to hide it from the login screen. Inside mw_add_user_account (sub_41313D), it adds the new user account using the NetUserAdd API and adds it to a local group using the NetLocalGroupAddMembers API.

Figure Hide the user account from login screen - sub_411BC1


Then the malware creates a thread to run start_RDP (sub_412003). This function opens the registry key SYSTEM\\CurrentControlSet\\Services\\TermService, reads the ImagePath value, which is %SystemRoot%\System32\svchost.exe -k NetworkService, and takes svchost.exe -k NetworkService from it, the command used to run an instance of svchost.exe under the NetworkService account. It also reads the ServiceDll value, which is %SystemRoot%\System32\termsrv.dll.

This is because the malware launches an instance of svchost.exe with the svchost.exe -k NetworkService command and loads termsrv.dll into that svchost.exe.

Figure Load termsrv.dll into svchost.exe - sub_41263D


Inside the sub_412B16 function, the malware continues changing registry values to enable RDP:

  • Sets fDenyTSConnections under SYSTEM\\CurrentControlSet\\Control\\Terminal Server to false (0) to enable RDP connections.

  • Sets EnableConcurrentSessions under SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core to false (0) to prevent two sessions being open at the same time.

  • Sets AllowMultipleTSSessions under SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon to false (0) to prevent two sessions being open at the same time.

  • Sets the Name value to RDPClip and the Type value to 3 under SYSTEM\\CurrentControlSet\\ControlTerminal Server\\AddIns\\Clip Redirector to enable copy and paste between the attacker’s device and the victim’s device.

Figure Change some registry keys - sub_412B16
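To check a host image for the settings listed above, here is an added Python example that is not part of the original analysis: it parses a fragment of a reg export file and flags the HRDP-related values. The sample .reg text, the account name svc_update, the severity labels, and the function names parse_reg_export and audit_hrdp are constructed for this example; it also assumes that the legitimate Clip Redirector key lives under Control\Terminal Server (with a backslash), so the backslash-less path the RAT writes is treated as an indicator on its own.

```python
import re

# Constructed sample: a fragment of a "reg export" of the keys the analysis
# lists, as they might look after the RAT ran (illustrative values only).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
"EnableConcurrentSessions"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AllowMultipleTSSessions"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"svc_update"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip Redirector]
"Name"="RDPClip"
"Type"=dword:00000003
"""

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
LICENSING_KEY = TS_KEY + r"\Licensing Core"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERLIST_KEY = WINLOGON_KEY + r"\SpecialAccounts\UserList"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Parse the subset of the .reg format used here: [key] headers followed by
    "name"=dword:xxxxxxxx or "name"="string" lines. Returns {key: {name: value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                value = int(data[len("dword:"):], 16)
            elif data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                value = data  # other value types are kept as raw text
            keys[current][name] = value
    return keys


def audit_hrdp(keys):
    """Return (severity, finding) tuples for the registry changes the RAT makes."""
    findings = []
    if keys.get(TS_KEY, {}).get("fDenyTSConnections") == 0:
        findings.append(("info", "RDP connections are enabled (fDenyTSConnections=0)"))
    if keys.get(LICENSING_KEY, {}).get("EnableConcurrentSessions") == 0:
        findings.append(("low", "EnableConcurrentSessions=0 under Licensing Core"))
    if keys.get(WINLOGON_KEY, {}).get("AllowMultipleTSSessions") == 0:
        findings.append(("low", "AllowMultipleTSSessions=0 under Winlogon"))
    # Any account with a 0 value under SpecialAccounts\UserList is hidden from the logon screen.
    for name, value in keys.get(USERLIST_KEY, {}).items():
        if value == 0:
            findings.append(("high", "account '%s' hidden from the logon screen via SpecialAccounts\\UserList" % name))
    # The RAT writes the Clip Redirector key under "ControlTerminal Server" (no backslash
    # between Control and Terminal); a legitimate install uses "Control\Terminal Server".
    for key in keys:
        if "\\ControlTerminal Server\\" in key:
            findings.append(("high", "malformed Terminal Server path present: %s" % key))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_hrdp(parse_reg_export(SAMPLE_REG)):
        print("[%s] %s" % (severity, finding))
```

On a live system the same checks can be run against the output of reg export for the two hives; fDenyTSConnections=0 alone is common on servers, so it is reported as informational, while a hidden account under UserList or the malformed Terminal Server path is reported as high.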


After changing the required settings, the malware uses RDP_check, which connects to 127.0.0.1:3389 to verify that RDP is working, and sends the result to the C2 server.

Figure RDP check - sub_412510


Enumerate processes, disks, and files

The RAT can gather more information about the victim’s device by enumerating its processes, disks, and files, and can send a specific file to the C2 server.

Figure Enumerate processes, disks, and files - sub_40528D


The malware can enumerate the currently running processes using the CreateToolhelp32Snapshot API and get the full path of each process’s executable using the K32GetModuleFileNameExW API. The command is 2.

Figure Get running processes and path of the associated executable file - sub_415C5D


When the malware receives the command 4, it enumerates the logical disks of the victim’s device using the GetLogicalDriveStringsW API and determines each drive’s type (removable, fixed disk, or network drive) using the GetDriveTypeW API.

Figure Get list of logical disks and its type - sub_414E4E


The RAT can enumerate the files inside a directory, collect information about each file, and send the collected information to the C2 server.

Figure Enumerate files inside a directory - sub_414F8B


File Manager

The RAT gives its customers the ability to download and upload files from the victim’s computer, execute a file, and delete files. It will even try to compress any directory inside the victim’s computer using a command and send the archive to the C2 server.

The malware can send a file to the attacker. Inside the mw_send_file_to_c2 function, the malware creates a thread that sends the file to the C2 server.

Figure send a file to the attacker - sub_40929F


It can also download files from the attacker’s side to the victim’s machine and execute them.

Figure How the RAT Download and Execute a file - sub_40205E


It can execute any file it has dropped on the victim’s computer; dropped files are placed in the temp directory.

Figure Find path of dropped file and execute it - sub_40205E


And it can execute any specific file on the victim’s computer.

Figure execute a file - sub_40528D


The malware compresses one or more directories into a .zip file using PowerShell, hiding the PowerShell window, with the command powershell.exe -windowstyle hidden -Command "Compress-Archive -Path 'C:\Path\To\Your\Directory' -DestinationPath 'C:\Path\To\Your\Archive.zip'"

Figure Compress directories - sub_41731E


Other features

Terminate a process

The malware gets the currently running processes and terminates any process the attacker wants.

Figure Terminate any process - sub_401BA7


Uninstall the RAT

The malware can uninstall itself by terminating its thread and deleting its registry entries.

Figure Terminate its thread and delete reg - sub_4166D0


Restart the system and check connectivity

The RAT can restart the device using commands and create a process to check connectivity.
There are two methods to restart the device:

  1. Running shutdown.exe /r /t 00 to restart the computer, or shutdown.exe /r /f /t 00 to force the restart, via the WinExec function with the execution window hidden.

  2. Elevating privileges to perform a hard system shutdown: the malware loads ntdll.dll, retrieves the function pointers for RtlAdjustPrivilege and NtRaiseHardError, adjusts the privilege, and then raises a hard system error with the status code STATUS_FLOAT_MULTIPLE_FAULTS.

Figure Restart the system - sub_4022D8


Take screenshot

The malware can start a thread that takes screenshots. It checks for recent user activity using GetLastInputInfo, comparing the idle time against 30 minutes. If there was recent activity, it captures the foreground window’s content as a screenshot and saves it as a JPEG file with a time-based name.

Figure Taking screen shots - sub_413896


Configuration extractor

The malware encrypts its configuration with the customized RC4 algorithm. It stores the configuration in the .bss section in the format [Key length][RC4 key][Encrypted data]. So we used m4n0w4r’s decryption routine to decrypt the configuration.
You can see the code in the Jupyter notebook in my GitHub from here.

# Refs: https://stackoverflow.com/questions/9433541/movsx-in-python

import re
import struct

import pefile


def SIGNEXT(x, b):
    # Sign-extend the low b bits of x (Python equivalent of movsx).
    m = (1 << (b - 1))
    x = x & ((1 << b) - 1)
    return ((x ^ m) - m)


# This routine is responsible for decrypting the stored C2.
def rc4_customized_decryptor(data, key):
    idx = 0
    counter1 = 0
    counter2 = 0

    # Initialize RC4 S-box
    rc4Sbox = list(range(256))

    # Modify RC4 S-box (the key schedule reads key[i % 250], so key must be 250 bytes)
    for i in range(256):
        counter2 += (rc4Sbox[i] + key[i % 250])
        counter2 = counter2 & 0x000000FF
        rc4Sbox[i] ^= rc4Sbox[counter2]
        rc4Sbox[counter2 & 0xFF] ^= rc4Sbox[counter1 & 0xFF]
        rc4Sbox[counter1 & 0xFF] ^= rc4Sbox[counter2 & 0xFF]
        counter1 = i + 1

    # Decrypt data
    counter1 = 0
    counter2 = 0
    j = 0
    decrypted = []
    while idx < len(data):
        counter1 = j + 1
        k = (j + 1)
        rc4Sbox_value1 = rc4Sbox[k]
        counter2 += (SIGNEXT(rc4Sbox_value1, 8) & 0xFFFFFFFF)
        rc4Sbox_value1_ = (SIGNEXT(rc4Sbox_value1, 8) & 0xFFFFFFFF)
        rc4Sbox_value2 = rc4Sbox[counter2 & 0x000000FF]
        rc4Sbox[k] = rc4Sbox_value2
        rc4Sbox[(counter2 & 0x000000FF)] = rc4Sbox_value1
        tmp1 = rc4Sbox[((0x20 * counter1) ^ (counter2 >> 3)) & 0x000000FF]
        tmp2 = rc4Sbox[((0x20 * counter2) ^ (counter1 >> 3)) & 0x000000FF]
        tmp3 = rc4Sbox[((tmp1 + tmp2) & 0x000000FF) ^ 0xAA]
        tmp4 = rc4Sbox[(rc4Sbox_value2 + rc4Sbox_value1_) & 0x000000FF]
        tmp5 = (tmp3 + tmp4) & 0x000000FF
        tmp6 = rc4Sbox[(counter2 + rc4Sbox_value2) & 0x000000FF]
        decrypted.append(data[idx] ^ (tmp5 ^ tmp6))

        counter1 += 1
        j = counter1
        idx += 1

    return bytes(decrypted)


def unicode_strings(buf, n=4):
    # Minimal stand-in for the OALABS helper of the same name (the original
    # caused problems when uploaded to GitHub): returns the UTF-16LE strings of
    # at least n printable characters found in buf.
    # Original: https://research.openanalysis.net/warzone/malware/config/2021/05/31/warzone_rat_config.html
    pattern = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % n)
    return [m.group().decode('utf-16le') for m in pattern.finditer(buf)]


# Load the PE file using pefile
pe = pefile.PE(r"")  # Put your file path here

# Find the .bss section, which holds the encrypted configuration
bss_section_data = None
for section in pe.sections:
    if section.Name.startswith(b'.bss'):
        bss_section_data = section.get_data()
        break

if bss_section_data is None:
    raise SystemExit("no .bss section found in this file")

# Extract the key size and key from the .bss section
key_size = struct.unpack('<I', bss_section_data[:4])[0]
key = bss_section_data[4:4 + key_size]

# The key schedule indexes 250 key bytes (key[i % 250]) but the stored key is
# shorter (50 bytes in this sample), so pad it with zeros up to 250 bytes
key = key + b'\x00' * (250 - len(key))

# Extract encrypted data from the .bss section (the section is zero-filled after the data)
enc_data = bss_section_data[4 + key_size:]
enc_data = enc_data.split(b'\x00' * 8)[0]

# Decrypt the encrypted data using the customized RC4 decryptor
dec_data = rc4_customized_decryptor(enc_data, key)

# Extract C2 host length and host string (stored as UTF-16LE)
host_len = struct.unpack('<I', dec_data[:4])[0]
host_wide = dec_data[4:host_len + 4]
c2_host = unicode_strings(host_wide)[0]

# Extract C2 port (little-endian uint16 right after the host)
c2_port = struct.unpack('<H', dec_data[host_len + 4:host_len + 4 + 2])[0]

# Print the extracted C2 host and port
print("C2 host: %s, port: %d" % (c2_host, c2_port))

The C2 host is 89.117.76.41 and the port is 4422.
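A round-trip check of the configuration layout described above, as an added example that is not part of the page’s extractor or of the malware: it builds a synthetic [key length][RC4 key][encrypted data] blob from a constructed key and a placeholder host, then parses it back the way the extractor does. The decryption routine is copied from the page’s script so the file runs stand-alone; build_config_blob, extract_c2, pad_key and the sample key, host and port are assumptions of this example. Because the keystream never depends on the data, the same routine encrypts and decrypts.

```python
import struct

KEY_SCHEDULE_LEN = 250  # the key schedule reads key[i % 250]


def SIGNEXT(x, b):
    # Sign-extend the low b bits of x (copied from the page's extractor).
    m = (1 << (b - 1))
    x = x & ((1 << b) - 1)
    return ((x ^ m) - m)


def rc4_customized_decryptor(data, key):
    # Customized RC4 as reversed on the page (copied so this example runs alone).
    counter1 = counter2 = 0
    rc4Sbox = list(range(256))
    for i in range(256):
        counter2 = (counter2 + rc4Sbox[i] + key[i % 250]) & 0xFF
        rc4Sbox[i] ^= rc4Sbox[counter2]
        rc4Sbox[counter2 & 0xFF] ^= rc4Sbox[counter1 & 0xFF]
        rc4Sbox[counter1 & 0xFF] ^= rc4Sbox[counter2 & 0xFF]
        counter1 = i + 1
    counter1 = counter2 = j = 0
    out = []
    for idx in range(len(data)):
        counter1 = j + 1
        k = j + 1
        v1 = rc4Sbox[k]
        counter2 += (SIGNEXT(v1, 8) & 0xFFFFFFFF)
        v1s = (SIGNEXT(v1, 8) & 0xFFFFFFFF)
        v2 = rc4Sbox[counter2 & 0xFF]
        rc4Sbox[k] = v2
        rc4Sbox[counter2 & 0xFF] = v1
        tmp1 = rc4Sbox[((0x20 * counter1) ^ (counter2 >> 3)) & 0xFF]
        tmp2 = rc4Sbox[((0x20 * counter2) ^ (counter1 >> 3)) & 0xFF]
        tmp3 = rc4Sbox[((tmp1 + tmp2) & 0xFF) ^ 0xAA]
        tmp4 = rc4Sbox[(v2 + v1s) & 0xFF]
        tmp5 = (tmp3 + tmp4) & 0xFF
        tmp6 = rc4Sbox[(counter2 + v2) & 0xFF]
        out.append(data[idx] ^ (tmp5 ^ tmp6))  # keystream byte is data-independent
        counter1 += 1
        j = counter1
    return bytes(out)


def pad_key(key):
    # The stored key is shorter than the 250 bytes the key schedule reads.
    return key + b"\x00" * (KEY_SCHEDULE_LEN - len(key))


def build_config_blob(key, host, port):
    """Construct a .bss-style blob: [key length][key][encrypted data], where the
    plaintext is [host length][host as UTF-16LE][port as uint16 LE]. Constructed
    sample only, not a real configuration."""
    host_wide = host.encode("utf-16le")
    plain = struct.pack("<I", len(host_wide)) + host_wide + struct.pack("<H", port)
    enc = rc4_customized_decryptor(plain, pad_key(key))  # symmetric: encrypts too
    return struct.pack("<I", len(key)) + key + enc


def extract_c2(bss_data):
    """Parse the blob the way the page's extractor does and return (host, port).
    The page's script additionally cuts at the first run of eight NUL bytes
    because a real .bss section is zero-filled after the configuration."""
    key_size = struct.unpack("<I", bss_data[:4])[0]
    key = pad_key(bss_data[4:4 + key_size])
    dec = rc4_customized_decryptor(bss_data[4 + key_size:], key)
    host_len = struct.unpack("<I", dec[:4])[0]
    host = dec[4:4 + host_len].decode("utf-16le")
    port = struct.unpack("<H", dec[4 + host_len:6 + host_len])[0]
    return host, port


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address, used here as a placeholder host.
    blob = build_config_blob(b"constructed-sample-key", "192.0.2.10", 4422)
    print(extract_c2(blob))
```

Running the block prints ('192.0.2.10', 4422); swapping in the real .bss bytes from a sample in place of the synthetic blob reproduces the extractor above.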

Yara


rule warzonerat_avemariarat {
    meta:
        description = "Detects warzonerat/avemariarat malware"
        author = "muha2xmad"
        date = "2023-08-24"
        hash1 = "f65a8af1100b56f2ebe014caeaa5bb2fbbca2da76cb99f3142354e31fbba5c8c"

    strings:
        $browser_str001 = "\\Google\\Cache\\" fullword ascii wide
        $browser_str002 = "\\Google\\Chrome\\User Data\\Local State" fullword ascii wide
        $browser_str003 = "\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" fullword ascii wide
        $browser_str004 = "\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies" fullword ascii wide
        $browser_str005 = "\\Google\\Chrome\\User Data\\Default\\History" fullword ascii wide
        $browser_str006 = "\\Google\\Chrome\\User Data\\Default\\Login Data" fullword ascii wide
        $browser_str007 = "\\Google\\Chrome Beta\\User Data\\Default\\Login Data" fullword ascii wide
        $browser_str008 = "\\Microsoft\\Edge\\User Data\\Default\\Login Data" fullword ascii wide
        $browser_str009 = "\\logins.json" fullword ascii wide
        $browser_str010 = "\\Tencent\\QQBrowser\\User Data\\Local State" fullword ascii wide
        $browser_str011 = "\\UCBrowser\\User Data_i18n\\Default\\UC Login Data.17" fullword ascii wide
        $browser_str012 = "\\Google\\Media\\" fullword ascii wide
        $browser_str013 = "\\Google\\Cache\\" fullword ascii wide
        $browser_str014 = "\\Google\\Cache\\" fullword ascii wide

        $reg_str001 = "Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676" fullword wide
        $reg_str002 = "software\\Aerofox\\FoxmailPreview" fullword wide
        $reg_str003 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" fullword wide
        $reg_str004 = "SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters" fullword wide
        $reg_str005 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" fullword wide
        $reg_str006 = "SYSTEM\\CurrentControlSet\\ControlTerminal Server\\AddIns\\Clip Redirector" fullword wide
        $reg_str007 = "SYSTEM\\CurrentControlSet\\Services\\TermService" fullword wide

        $str001 = "QAaR$43!QAFff" fullword wide
        $str002 = "?lst@@YAXHJ@Z" fullword wide
        $str003 = "RDPClip" fullword wide
        $str004 = "AllowMultipleTSSessions" fullword wide
        $str005 = "fDenyTSConnections" fullword wide
        $str006 = "svchost.exe -k" fullword wide
        $str007 = "#Window Name: " fullword wide
        $str008 = "profiles.ini" fullword wide
        $str009 = "-Clipboard Grabbed-" fullword wide
        $str010 = "#Window Name: " fullword wide
        $str011 = ".zip" fullword wide
        $str012 = "SeDebugPrivilege" fullword wide
        $str013 = "rudp" fullword wide
        $str014 = "rpdp" fullword wide

        $APIs_str001 = "SHGetKnownFolderPath" fullword ascii
        $APIs_str002 = "SHGetSpecialFolderPathW" fullword ascii
        $APIs_str003 = "SHCreateDirectoryExW" fullword ascii
        $APIs_str004 = "SHGetFolderPathW" fullword ascii
        $APIs_str005 = "Wow64DisableWow64FsRedirection" fullword ascii

        $command001 = "powershell Add-MpPreference -ExclusionPath " fullword wide
        $command002 = "powerShell.exe -windowstyle hidden -Command \"Compress-Archive -Path  ' " fullword wide
        $command003 = "shutdown.exe /r /t 00" fullword wide
        $command004 = "cmd.exe /C ping 1.2.3.4 -n 4 -w 1000 > Nul & cmd.exe /C " fullword wide
        $command005 = "powershell Add-MpPreference -ExclusionPath " fullword wide
        $command006 = "%SystemRoot%\\System32\\termsrv.dll" fullword wide

    condition:
        uint16(0) == 0x5a4d and (10 of ($browser_str0*) or 5 of ($reg_str0*) or 10 of ($str0*) or 5 of ($APIs_str*) or 5 of ($command0*))
}

Commands

Hex command   Description
0xC           Terminate a process
0xE           Start remote shell
2             Enumerate processes
4             Enumerate disks
6             Enumerate files
8 or 0x4A     Send file to C2
0x22          Download and execute
0x1A          Uninstall the RAT from the device
0x1C          Execute dropped file
0x20          Password recovery
0x24          Start keylogger
0x26          Terminate keylogger
0x28          Set up and start RDP
0x4E          Start RDP
0x3A          Execute a specific file
0x48          Create cmd process, inject shellcode
0x4C          Restart, cleanup, and delete
0x5C          Take screenshot
0x5E          Terminate taking screenshots
0x60          Compress directory/directories
0x5A          Terminate recording audio
0x54          Record audio

IoCs

MITRE ATT&CK

I used the pestudio PRO tool to help map the sample to MITRE ATT&CK.

Figure MITRE ATT&CK


Quote

It was never the mirage’s fault, only the astonishment of the thirsty.

Completed by God’s grace and guidance, not by knowledge or by deeds.

References