
WarzoneRAT

WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)
ID: S0670
Associated Software: Ave Maria
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 27 Dec 2021
Last Modified: 03 Oct 2023

Associated Software Descriptions

Name Description
Ave Maria (Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

WarzoneRAT can use `sdclt.exe` to bypass UAC in Windows 10 to escalate privileges; for older Windows versions WarzoneRAT can use the IFileOperation exploit to bypass the UAC module.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

WarzoneRAT can add itself to the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK` Registry keys.(Citation: Check Point Warzone Feb 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WarzoneRAT can use PowerShell to download files and execute commands.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

WarzoneRAT can use `cmd.exe` to execute malicious code.(Citation: Check Point Warzone Feb 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

WarzoneRAT can encrypt its C2 with RC4 with the password `warzone160\x00`.(Citation: Check Point Warzone Feb 2020)

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

WarzoneRAT can perform COM hijacking by setting the path to itself to the `HKCU\Software\Classes\Folder\shell\open\command` key with a `DelegateExecute` parameter.(Citation: Check Point Warzone Feb 2020)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

WarzoneRAT can perform remote desktop access through a hidden VNC (hVNC) window, which keeps the session out of the user's view.(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

WarzoneRAT can disarm Windows Defender during the UAC process to evade detection.(Citation: Check Point Warzone Feb 2020)

Enterprise T1056 .001 Input Capture: Keylogging

WarzoneRAT has the capability to install a live and offline keylogger, including through the use of the `GetAsyncKeyState` Windows API.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

WarzoneRAT has been distributed as a malicious attachment within an email.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Confucius APT Jan 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

WarzoneRAT has the ability to control an infected PC using RDP.(Citation: Check Point Warzone Feb 2020)

.005 Remote Services: VNC

WarzoneRAT can perform remote desktop access through a VNC console.(Citation: Check Point Warzone Feb 2020)

Enterprise T1204 .002 User Execution: Malicious File

WarzoneRAT has relied on a victim to open a malicious attachment within an email for execution.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Confucius APT Jan 2021)
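As an added defender's example (not part of the ATT&CK entry or of any vendor tooling), the following PowerShell audits the registry locations the entries for T1547.001, T1546.015 and T1548.002 above attribute to WarzoneRAT; the function name and the severity labels are my own assumptions, and the script inspects only the profile it runs under.

```powershell
function Get-WarzoneRegistryArtifacts {
    $results = @()

    # T1547.001: list every value under the user's Run key for review.
    # Most entries here are legitimate, so they are reported, not flagged.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not a registry value
            $results += [pscustomobject]@{ Severity = 'Review'; Location = $runKey; Name = $p.Name; Data = [string]$p.Value }
        }
    }

    # The Explorer\UIF2IS20VK key named in the entry has no known legitimate use;
    # its presence alone is treated as a finding.
    $uifKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK'
    if (Test-Path $uifKey) {
        $results += [pscustomobject]@{ Severity = 'High'; Location = $uifKey; Name = '(key)'; Data = 'present' }
    }

    # T1546.015 / T1548.002: a per-user Folder\shell\open\command key shadows the
    # machine-wide handler. Combined with a DelegateExecute value it is the artifact
    # left by the sdclt.exe-style UAC bypass described in the entry.
    $comKey = 'HKCU:\Software\Classes\Folder\shell\open\command'
    if (Test-Path $comKey) {
        $props    = Get-ItemProperty -Path $comKey
        $default  = $props.'(default)'
        $delegate = $props.DelegateExecute          # $null when the value is absent
        $sev = if ($null -ne $delegate) { 'High' } else { 'Medium' }
        $results += [pscustomobject]@{ Severity = $sev; Location = $comKey; Name = '(default)'; Data = [string]$default }
        if ($null -ne $delegate) {
            $results += [pscustomobject]@{ Severity = 'High'; Location = $comKey; Name = 'DelegateExecute'; Data = [string]$delegate }
        }
    }
    return $results
}

# Print the findings and signal via exit code so the script can run from a scheduled job.
$found = Get-WarzoneRegistryArtifacts
$found | Format-Table -AutoSize
if ($found | Where-Object Severity -eq 'High') { exit 1 }
```

Run it per user profile (or load other users' hives) since all of the listed keys live under HKCU, and treat a 'High' result as a trigger for full host triage rather than a clean-up target.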

Groups That Use This Software

ID Name References
G1018 TA2541 (Citation: Proofpoint TA2541 February 2022)
G1015 Scattered Spider (Citation: CISA Scattered Spider Advisory November 2023)
G0142 Confucius (Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Confucius APT Jan 2021)
