Warzone RAT Analysis

Malware-as-a-Service is a sure-fire way for cybercriminals to make money. Recently, different RATs have become very popular. While these RATs are all flagged as malicious, their developers act like legitimate software, offering different subscription plans and customer support, and some even have license and usage options. The developers of these tools are constantly improving them, adding new features. This article analyzes the Warzone RAT, whose developers offer a range of different features.

In the fall of 2018, the first Warzone RAT ad appeared on the warzone[.]io website. Currently, this sales service is located at warzone[.]pw. Malware operators operate a dynamic DNS service on warzonedns[.]com. According to the website’s description, the malware has the following capabilities and characteristics:

· No need for .net

·  Remote desktop via VNC

·  Hide Remote Desktop via RDPWrap

Privilege escalation ( also  available in the latest Windows 10 systems)

·  Remote web camera control

Browser and mainstream useful password stealing 

Download and  execute arbitrary files

·  Remote shell

·  File management

·  Process management

·  Reverse proxy

technical details

Warzone is a RAT written in C++ that works with all Windows distributions.

The malware developer has a dynamic DNS service on warzonedns[.]com, which means that buyers are not affected by IP address changes.

Warzone will bypass UAC (User Account Control) to bypass Windows defender and place itself in the start menu program list. Finally, run the path to process the C2 commands.

Researchers have discovered several different versions of Warzone, and the malware is constantly improving. Some features are different in different versions.

Bypass UAC

If the Warzone RAT is running with elevated privileges, the entire C:\ path will be added to Windows Defender’s whitelist. The PowerShell command used is:

powershell Add-MpPreference -ExclusionPath C:\

Additionally, the malware bypasses UAC and uses two methods for privilege escalation, one for Windows 10 and one for other older versions of Windows:

For versions earlier than Windows 10, use the UAC bypass method saved in resources.

For Windows 10, abuse the auto-elevation feature of sd clt.exe, which is intended for use in the Windows Backup and Recovery environment.

Windows 10 UAC Bypass

When sdclt.exe is killed by a medium integrity process (eg, a process with standard user privileges), the following events occur:

· It will run another process sdclt.exe with higher privileges.

·  High privilege sdclt process will call C:\Windows\System32\control.exe.

· The  control.exe process runs with elevated privileges and attempts to open the HKCU\Software\Classes\Folder\shell\open\command registry value.

The malware performs COM hijacking by setting the path to the HKCU\Software\Classes\Folder\shell\open\command key with the DelegateExecute parameter.

These actions can all be replaced with the following commands:

reg add “HKCU\Software\Classes\Folder\shell\open\command” /d “” /f

reg add HKCU\Software\Classes\Folder\shell\open\command /v “DelegateExecute” /f

Eventually, the malware will abort itself. and run with elevated privileges via sdclt.exe.

The malware decrypts the C2 server domain name and attempts to connect to the C2 server. After the server accepts the connection, it will send a packet with message ID = 0 and an empty payload to the client. The malware collects information about the compromised computer and sends it back to the server in a response packet. The response packet contains the following data:

SHA-1 value of MachineGUID

·  Attack activity ID.

·  OS version

·  Admin status

·  Whether WOW64 process

·  PC name

·  Malware storage path

·  MurmurHash3 value of malicious files

·  RAM value

·  CPU information

·  Video controller information

The Bot ID is the SHA-1 hash of the MachineGUID registry value in HKLM\Software\Microsoft\Cryptography.

The host then waits for a command from the server. Server message IDs are even numbers from 0x00 to 0x3C. Zombie host packs are IDs that add 0x01 to 0x3B. Some commands have no answer or have an empty payload in the response.

Zombies can also provide attackers with the ability to control infected PCs through remote shells, RDP, VNC consoles, etc. Features provided include remote task and file management, allowing the use of web cameras, and more.

The network communication messages are as follows:

The following table contains most of the message codes exchanged by the client and server. The message codes are different in different Warzone versions.

Manage panels

The researchers analyzed one of the leaked Warzone panels/builders and found that the Warzone version is 1.84. is written in .NET and obfuscated using a custom obfuscator.

Code obfuscation uses a lot of math and switch constructs to hide useful instructions without affecting control flow. For example, there are 365 lines of code in Figure 21, but there is only one purpose: to assign constructor parameters to class members.

Through the context menu corresponding to the bot, the buyer can use the remote command line, process and file controllers, and other features to take full control of the infected machine.

The panel bundle contains the following:

· Warzone RAT*.exe and Warzone RAT*.exe.config .NET assembly and panel configuration files.

· The  legitimate libraries license.dll and PETools.dll.

·  License file license.dat.

·  Builder’s Client Stub cratclient.bin (cb6d6f17c102a8288704fe38dd9e2cf9).

·  Directory Clients contain specific data for each client: downloaded files, logs, RDP passwords, etc.

·  Directory Datas contains legitimate software such as RDPWrap library, SQLite library, VNC clients (TightVNC and TigerVNC clients). These files are transmitted to the client when the corresponding feature is triggered.

in conclusion

Similar to other RATs, Warzone appears to be a legitimate tool and functions similarly to other RATs. Can be spread by other malware or via spam. On the other hand, similar to other RATs developed in .NET languages, Warzone is developed in the object-oriented language C++. Warzone uses the network protocol over tcp instead of using HTTP for communication. In addition to customized network protocols and network infrastructure, Warzone contains 2 different UAC bypass methods for Windows 10 and previous versions of Windows.