WarzoneRAT

Associated Software Descriptions

Name | Description
---|---
Ave Maria | (Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | WarzoneRAT can use `sdclt.exe` to bypass UAC in Windows 10 to escalate privileges; for older Windows versions WarzoneRAT can use the IFileOperation exploit to bypass the UAC module.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | WarzoneRAT can add itself to the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK` Registry keys.(Citation: Check Point Warzone Feb 2020)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | WarzoneRAT can use PowerShell to download files and execute commands.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | WarzoneRAT can use `cmd.exe` to execute malicious code.(Citation: Check Point Warzone Feb 2020)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from the Outlook and Thunderbird email clients.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | WarzoneRAT can encrypt its C2 with RC4 using the password `warzone160\x00`.(Citation: Check Point Warzone Feb 2020)
Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | WarzoneRAT can perform COM hijacking by setting the path to itself in the `HKCU\Software\Classes\Folder\shell\open\command` key together with a `DelegateExecute` parameter.(Citation: Check Point Warzone Feb 2020)
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | WarzoneRAT has the ability to perform remote desktop access via a hVNC window for decreased visibility.(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | WarzoneRAT can disarm Windows Defender during the UAC process to evade detection.(Citation: Check Point Warzone Feb 2020)
Enterprise | T1056.001 | Input Capture: Keylogging | WarzoneRAT has the capability to install a live and offline keylogger, including through the use of the `GetAsyncKeyState` Windows API.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | WarzoneRAT has been distributed as a malicious attachment within an email.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Confucius APT Jan 2021)
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | WarzoneRAT has the ability to control an infected PC using RDP.(Citation: Check Point Warzone Feb 2020)
Enterprise | T1021.005 | Remote Services: VNC | WarzoneRAT has the ability to perform remote desktop access via a VNC console.(Citation: Check Point Warzone Feb 2020)
Enterprise | T1204.002 | User Execution: Malicious File | WarzoneRAT has relied on a victim to open a malicious attachment within an email for execution.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Confucius APT Jan 2021)
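The Encrypted Channel: Symmetric Cryptography (T1573.001) row above states that WarzoneRAT protects its C2 with RC4 under the password `warzone160\x00`. The block below is an added example, not code from the ATT&CK page or from any WarzoneRAT analysis: a plain RC4 implementation an analyst can use to decode captured traffic offline, with a round-trip check showing why the trailing NUL byte must be kept as part of the key. The sample plaintext and ciphertext are constructed here to exercise the code; they are not a real capture, and nothing about the actual WarzoneRAT message format is assumed.

```python
"""Added example: RC4 decoding of captured C2 bytes with the key the page names.

Assumptions (not from the page): the constructed SAMPLE_PLAINTEXT below is an
invented string used only for the round trip; the real protocol layout is not
described here.
"""

# Key exactly as stated on the page: the trailing NUL is part of the key material.
WARZONE_KEY = b"warzone160\x00"


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the 256-byte permutation S from the key."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA keystream XORed over data. RC4 is symmetric: one call both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_payload(ciphertext: bytes, key: bytes = WARZONE_KEY) -> bytes:
    """Decrypt a captured payload with the page's key (analyst-side use)."""
    return rc4_crypt(key, ciphertext)


def nul_byte_matters(plaintext: bytes) -> bool:
    """True when dropping the trailing NUL from the key yields a different ciphertext.

    This is the common mistake when transcribing the key from a report: a C string
    literal "warzone160" without the explicit \\x00 is a different RC4 key.
    """
    with_nul = rc4_crypt(WARZONE_KEY, plaintext)
    without_nul = rc4_crypt(WARZONE_KEY.rstrip(b"\x00"), plaintext)
    return with_nul != without_nul


# Constructed sample (not a real capture): encrypt an invented message so the
# decode path has something to work on.
SAMPLE_PLAINTEXT = b"constructed sample message"
SAMPLE_CIPHERTEXT = rc4_crypt(WARZONE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT.hex())
    print("decoded   :", decode_c2_payload(SAMPLE_CIPHERTEXT))
    print("NUL byte changes the keystream:", nul_byte_matters(SAMPLE_PLAINTEXT))
```

To apply this to a real capture, feed the raw TCP payload bytes of one direction of the session to `decode_c2_payload`; RC4 has no framing of its own, so any length prefix or message boundaries belong to the malware's protocol, which this example does not model. The `rc4_crypt` routine is validated in the test against the standard RC4 vector (key `Key`, plaintext `Plaintext`).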
Groups That Use This Software

ID | Name | References
---|---|---
G1018 | TA2541 | (Citation: Proofpoint TA2541 February 2022)
G1015 | Scattered Spider | (Citation: CISA Scattered Spider Advisory November 2023)
G0142 | Confucius | (Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Confucius APT Jan 2021)
References

- Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
- Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
- Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.
- Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
- CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
- Tudorica, R. (2021, July 12). A Fresh Look at Trickbot's Ever-Improving VNC Module. Retrieved September 28, 2021.