Key Takeaways

• In February, the FBI took down the WarzoneRAT malware operation, seizing its infrastructure and arrested two individuals linked to the cybercrime operation. 
• Recently, Cyble Research and Intelligence Labs (CRIL) observed few samples of malware campaign possibly distributed via tax-themed spam emails, deploying WarzoneRAT (Avemaria) as the final payload. 
• In first case, the compressed attachment contains a LNK file that downloads an HTA file, initiating a PowerShell command to download a VBScript file.  
• This VBScript is further downloading and executing the next-stage PowerShell payload, which then injects the final payload into RegSvcs.exe utilizing Reflective loading technique. 
• In another case, the compressed attachment contains an executable file that, upon execution, loads the malicious WarzoneRAT DLL module through DLL sideloading technique. 
• Finally, WarzoneRAT initiates malicious activities on the victim’s machine, establishing a connection to the Command-and-Control (C&C) server. 

Overview

Cyble Research & Intelligence Labs (CRIL) recently observed a campaign with tax-themed, possibly propagated through spam emails. Upon investigation, it was determined that the campaign spread WarzoneRAT (Avemaria) malware. AveMaria is a Remote Administration Tool (RAT) malware equipped with remote control capabilities, enabling it to receive commands from a Command and Control (C&C) server and execute various malicious actions.

This nefarious RAT was initially detected spreading through a malicious phishing campaign in 2018. In mid-February, the FBI disrupted the WarzoneRAT malware operation, seizing infrastructure and apprehending two individuals linked to the cybercrime scheme. Later in February, ThreatMon shared screenshots of an advertisement for WarZoneRAT v3, showcasing several new features aimed at improving its efficacy.

In the first scenario, the initial infection started with an archive file attached to a spam email with the subject “taxorganizer2023.” After extracting the archive file, a shortcut file disguised as a PNG file named “taxorganizer2023.png.lnk” is found. If a user mistakenly perceives this shortcut as an image and executes it. In that case, the LNK file launches a PowerShell command to download and extract an archive file, subsequently running an HTA file contained within it. Upon execution of the HTA file, it retrieves a PowerShell script in memory, which then downloads a VBScript file from a remote server. After execution of the VBScript, a CMD file is dropped, initiating another PowerShell script that deploys the final payload identified as WarzoneRAT (Avemaria).

In another scenario, the attachment of a spam email comprises a ZIP archive (MY TAX ORGANIZER.zip) containing three files: one legitimate EXE, one malicious DLL, and one PDF file. Upon running the legitimate EXE file, the DLL sideloading technique is utilized to load the malicious DLL, identified as WarzoneRAT.

The below figure shows the infection chain of the WarzoneRAT malware campaign.

Figure 1 – Overall infection chain

Technical Analysis

When user mistakenly perceives a LNK shortcut file as an image file (“taxorganizer2023.png.lnk”) and executes it, the LNK file initiates the download of a PNG extension file named “taxorganizer2023.png” from the below specified URL. Subsequently, it saves this PNG file with a ZIP file extension with the name “taxorganizer2023.zip” in the Downloads folder.

• hxxp://1287123hjdfsdyu8923748394234234234[.]duckdns[.]org/hvrm/taxorganizer2023.png 

Afterward, it proceeds to extract the contents of the downloaded ZIP file to a designated location (C:UsersPublic). It then enters a loop, persistently verifying the presence of a file named “taxorganizer2023.hta” within the directory. Upon locating the file, it executes .hta file using Start-Process and exits the loop. Following this, it deletes the downloaded ZIP file and forcibly terminates any active instances of Microsoft Edge (msedge.exe) and Command Prompt (cmd.exe) using taskkill.

The below figure shows the target command-line of the shortcut file named “taxorganizer2023.png.lnk”

Figure 2 – LNK file target command-line

Upon execution of the “taxorganizer2023.hta” file, it runs the VBScript code embedded within it, as shown in the code snippet below. 

Figure 3 – Content of HTA file before & after removing Junk codes

This VBScript code deobfuscates and retrieves a PowerShell script, as shown below.  

Figure 4 – PowerShell code de-obfuscated from HTA 

The PowerShell script is responsible for downloading a VBScript file named “Memory.vbs” from the following URL and saving it in the root of the %appdata% directory, subsequently executing it using WScript.exe.

• hxxp://1287123hjdfsdyu8923748394234234234[.]duckdns[.]org/hvrm/Memory.vbs 

The below figure shows the content of the “Memory.vbs” script file before and after removing junk codes.

Figure 5 – Content of Memory.vbs file before & after removing Junk codes

When the “Memory.vbs” file is executed, it performs the following actions:

• Initially, the script invokes the function ExecuteRandomEquations(), which enters a loop for generating random equations and delays execution by a specified duration to enhance stealthiness, as shown below. 

Figure 6 – ExecuteRandomEquations() function

• Subsequently, it verifies the username through the CheckUsername() function. If the username is “John,” the script exits. 

• Following this, the script examines the running processes (such as ekrn.exe, egui.exe, AvastUI.exe, AvastSvc.exe, AVGUI.exe, AVGSvc.exe, avp.exe, and bdagent.exe) using a WMI query (Select * from Win32_Process). If any are detected, the script terminates to avoid detection by antivirus and security software, as depicted below. 

Figure 7 – Terminating AV-related processes

• After this, the script creates a directory within the %appdata% folder named “WindowsServices.” Following this, it retrieves a PowerShell script from a designated URL (hxxps://textbin[.]net/raw/qo6iwgrjgy) and saves it within the aforementioned folder under the name “BTYSA.ps1.” 
• Next to that, it creates a “VROLX.cmd” file that executes the “BTYSA.ps1” PowerShell script upon execution. Both files are in hidden mode. 

Figure 8 – Content of CMD file

• Additionally, it creates two files: “ORHYY.vbs” and “WindowsServices-VAQVU.lnk” within the Windows startup folder for persistence. 

• The shortcut file includes a target command-line to execute the “ORHYY.vbs” file, which contains a code that incorporates a sleep operation and initiates the execution of the “VROLX.cmd” file located within the %appdata%\WindowsServices directory, as illustrated below. 

Figure 9 – Files dropped at Startup folders for persistence

• Finally, the script launches the “VROLX.cmd” file, consequently initiating the execution of the PowerShell script “BTYSA.ps1.” 

Figure 10 – Execution of PowerShell payload

The below image illustrates the code snippet of the downloaded PowerShell script named “BTYSA.ps1.”

Figure 11 – Content of BTYSA.ps1 file

Upon execution of the “BTYSA.ps1” file, it carries out the following tasks:

• Initially, it copies the “RegSvcs.exe” file from the Microsoft .NET Framework directory to the %temp% folder. 
• Following that, it de-obfuscates an embedded PowerShell content stored in the variables “$CLE11” and “$RNBX1.” The result byte arrays are then stored in the variables “$WULC4” and “$YIV4Z” respectively. 
• The content of the “$WULC4” byte array is recognized as the primary payload malware referred to as “WarzoneRAT” (also known as Avemaria). 
• The byte array “$YIV4Z” is identified as a .NET injector payload designed to inject the main payload into a legitimate process. 
• The primary objective of the PowerShell script involves dynamically loading the .NET injector payload during runtime using the reflective assembly loading technique. Subsequently, it injects the main malware payload into the “RegSvcs.exe” process by utilizing the methods Execute() and Invoke(). 

Figure 12 – .Net injector payload code snippet

• During runtime, the PowerShell script generates the following command to inject the malware payload into “RegSvcs.exe”: 
• [Ref].Assembly::Load(holakabutr($RNBX1)).GetType(‘CALC.PAYSIAS’).’GetMethod'(Execute).Invoke().Invoke($null,[object[]] ($Path,holakabutr($CLE11)) 
• Through obfuscation, the .NET loader masks important APIs used for the injection process, such as CreateProcess(), VirtualAllocEx(), ResumeThread(), WriteProcessMemory(), among others. 
• Furthermore, the PowerShell script includes two instances of obfuscated embedded content, which, upon de-obfuscation, retrieve additional PowerShell scripts as shown in the below figure, subsequently executed using “IEX” (Invoke-Expression). 
• The first PowerShell script performs a sequence of operations designed to circumvent security measures. These include modifying registry settings to disable script block logging, evading AMSI (Anti-Malware Scan Interface) security checks through memory patching of the AmsiScanBuffer() function, and manipulating memory to bypass further security measures, involving dynamic library loading and function patching. 
• The second PowerShell script configures Windows Defender by adding exclusions and modifying threat detection settings. It adjusts system preferences such as UAC and disables Windows Defender services. Additionally, it creates a new user account, stops specific services, and disables Windows Firewall, etc. 

Figure 13 – PowerShell script for AMSI bypass & disable windows defender settings 

Final Payload: WarzoneRAT (Avemaria)

WarzoneRAT (aka Avemaria) is a Remote Access Trojan (RAT) designed to illicitly access and control a victim’s computer system from a remote location. This malware allows threat actors to execute a range of unauthorized actions within the compromised system. Its nefarious capabilities encompass data exfiltration, privilege escalation, remote desktop manipulation, harvesting of email and browser credentials, keylogging, and other intrusive activities. A comprehensive analysis of the Avemaria RAT can be found in a blog post by Splunk.

The figure below displays the hardcoded strings found within the Avemaria binary executable, highlighting instances where the malware name is present within the file.

Figure 14 – Hardcoded strings of Avemaria

The figure below illustrates the process tree of the WarzoneRAT (Avemaria), starting from a disguised shortcut file.

Figure 15 – Process tree

DLL SideLoading

In another case, the compressed ZIP (MY TAX ORGANIZER.zip) comprises three files named “INVOICE_LA_PDF.LNK.exe,” “Tier1.pdof,” and “g2m.dll,” as shown below. The “g2m.dll” file is identified as a WarzoneRAT malware binary.

Figure 16 – Files inside the MY TAX ORGANIZER.zip

When the “INVOICE_LA_PDF.LNK.exe” file is executed, it employs the DLL sideloading technique to load the malware DLL into the process memory of the executable, as demonstrated below.

Figure 17 – DLL sideloading method 

Additionally, the malware launches a command prompt to create a copy of the DLL file in the root of the %appdata% directory, naming it “VIVA_01.dll,” and establishes the following registry entry to ensure persistence.

• cmd.exe /C reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “*Chrome” /t REG_SZ /d “rundll32.exe C:\Users\<Admin>\AppData\Roaming\VIVA_01.dll”,EntryPoint /f & exit 

The figure below depicts the process tree of the WarzoneRAT (Avemaria), in another instance of the campaign.

Figure 18 – Process tree

After being executed, the malware establishes a connection to the following command and control (C&C) domain along with its port:

• l34d3r[.]duckdns[.]org:4047 

Conclusion

Threat Actors frequently employ themed spam email attachments to exploit the trust and anticipation of the recipient. By disguising malicious content within seemingly legitimate and relevant themes, such as tax-related documents, TAs increase the chances of users opening the attachments. In this campaign, TAs employ tax-themed spam emails to entice users to fall victim to WarzoneRAT malware infections. It appears that WarzoneRAT has resurfaced following the FBI’s dismantling of its malware operation in February. The infection method involves employing Reflective loading, DLL sideloading, and several other techniques to facilitate the infection process. By utilizing a range of techniques, TAs seek to enhance the complexity and efficiency of their attacks, thereby complicating the detection, prevention, and response efforts of defenders.

Our Recommendations

• The initial breach possibly occurs via spam emails. Therefore, it’s advisable to deploy strong email filtering systems for identifying and preventing the dissemination of harmful attachments. 
• When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious. 
• Consider disabling or limiting the execution of scripting languages, such as PowerShell, on user workstations and servers if they are not essential for legitimate purposes. 
• Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files. 
• Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication. 
• Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches. 
• Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals. 

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

References

• https://www.splunk.com/en_us/blog/security/defending-the-gates-understanding-and-detecting-ave-maria-warzone-rat.html 
• https://www.bleepingcomputer.com/news/security/fbi-seizes-warzone-rat-infrastructure-arrests-malware-vendor/ 
• https://twitter.com/MonThreat/status/1762476715987624306 

Related