Key Takeaways
- In February, the FBI took down the WarzoneRAT malware operation, seizing its infrastructure and arrested two individuals linked to the cybercrime operation.
- Recently, Cyble Research and Intelligence Labs (CRIL) observed few samples of malware campaign possibly distributed via tax-themed spam emails, deploying WarzoneRAT (Avemaria) as the final payload.
- In first case, the compressed attachment contains a LNK file that downloads an HTA file, initiating a PowerShell command to download a VBScript file.
- This VBScript is further downloading and executing the next-stage PowerShell payload, which then injects the final payload into RegSvcs.exe utilizing Reflective loading technique.
- In another case, the compressed attachment contains an executable file that, upon execution, loads the malicious WarzoneRAT DLL module through DLL sideloading technique.
- Finally, WarzoneRAT initiates malicious activities on the victim’s machine, establishing a connection to the Command-and-Control (C&C) server.
Overview
Cyble Research & Intelligence Labs (CRIL) recently observed a campaign with tax-themed, possibly propagated through spam emails. Upon investigation, it was determined that the campaign spread WarzoneRAT (Avemaria) malware. AveMaria is a Remote Administration Tool (RAT) malware equipped with remote control capabilities, enabling it to receive commands from a Command and Control (C&C) server and execute various malicious actions.
This nefarious RAT was initially detected spreading through a malicious phishing campaign in 2018. In mid-February, the FBI disrupted the WarzoneRAT malware operation, seizing infrastructure and apprehending two individuals linked to the cybercrime scheme. Later in February, ThreatMon shared screenshots of an advertisement for WarZoneRAT v3, showcasing several new features aimed at improving its efficacy.
In the first scenario, the initial infection started with an archive file attached to a spam email with the subject “taxorganizer2023.” After extracting the archive file, a shortcut file disguised as a PNG file named “taxorganizer2023.png.lnk” is found. If a user mistakenly perceives this shortcut as an image and executes it. In that case, the LNK file launches a PowerShell command to download and extract an archive file, subsequently running an HTA file contained within it. Upon execution of the HTA file, it retrieves a PowerShell script in memory, which then downloads a VBScript file from a remote server. After execution of the VBScript, a CMD file is dropped, initiating another PowerShell script that deploys the final payload identified as WarzoneRAT (Avemaria).
In another scenario, the attachment of a spam email comprises a ZIP archive (MY TAX ORGANIZER.zip) containing three files: one legitimate EXE, one malicious DLL, and one PDF file. Upon running the legitimate EXE file, the DLL sideloading technique is utilized to load the malicious DLL, identified as WarzoneRAT.
The below figure shows the infection chain of the WarzoneRAT malware campaign.
Figure 1 – Overall infection chain
Technical Analysis
When user mistakenly perceives a LNK shortcut file as an image file (“taxorganizer2023.png.lnk”) and executes it, the LNK file initiates the download of a PNG extension file named “taxorganizer2023.png” from the below specified URL. Subsequently, it saves this PNG file with a ZIP file extension with the name “taxorganizer2023.zip” in the Downloads folder.
- hxxp://1287123hjdfsdyu8923748394234234234[.]duckdns[.]org/hvrm/taxorganizer2023.png
Afterward, it proceeds to extract the contents of the downloaded ZIP file to a designated location (C:UsersPublic). It then enters a loop, persistently verifying the presence of a file named “taxorganizer2023.hta” within the directory. Upon locating the file, it executes .hta file using Start-Process and exits the loop. Following this, it deletes the downloaded ZIP file and forcibly terminates any active instances of Microsoft Edge (msedge.exe) and Command Prompt (cmd.exe) using taskkill.
The below figure shows the target command-line of the shortcut file named “taxorganizer2023.png.lnk”
Figure 2 – LNK file target command-line
Upon execution of the “taxorganizer2023.hta” file, it runs the VBScript code embedded within it, as shown in the code snippet below.
Figure 3 – Content of HTA file before & after removing Junk codes
This VBScript code deobfuscates and retrieves a PowerShell script, as shown below.
Figure 4 – PowerShell code de-obfuscated from HTA
The PowerShell script is responsible for downloading a VBScript file named “Memory.vbs” from the following URL and saving it in the root of the %appdata% directory, subsequently executing it using WScript.exe.
- hxxp://1287123hjdfsdyu8923748394234234234[.]duckdns[.]org/hvrm/Memory.vbs
The below figure shows the content of the “Memory.vbs” script file before and after removing junk codes.
Figure 5 – Content of Memory.vbs file before & after removing Junk codes
When the “Memory.vbs” file is executed, it performs the following actions:
- Initially, the script invokes the function ExecuteRandomEquations(), which enters a loop for generating random equations and delays execution by a specified duration to enhance stealthiness, as shown below.
Figure 6 – ExecuteRandomEquations() function
- Subsequently, it verifies the username through the CheckUsername() function. If the username is “John,” the script exits.
- Following this, the script examines the running processes (such as ekrn.exe, egui.exe, AvastUI.exe, AvastSvc.exe, AVGUI.exe, AVGSvc.exe, avp.exe, and bdagent.exe) using a WMI query (Select * from Win32_Process). If any are detected, the script terminates to avoid detection by antivirus and security software, as depicted below.
Figure 7 – Terminating AV-related processes
- After this, the script creates a directory within the %appdata% folder named “WindowsServices.” Following this, it retrieves a PowerShell script from a designated URL (hxxps://textbin[.]net/raw/qo6iwgrjgy) and saves it within the aforementioned folder under the name “BTYSA.ps1.”
- Next to that, it creates a “VROLX.cmd” file that executes the “BTYSA.ps1” PowerShell script upon execution. Both files are in hidden mode.
Figure 8 – Content of CMD file
- Additionally, it creates two files: “ORHYY.vbs” and “WindowsServices-VAQVU.lnk” within the Windows startup folder for persistence.
- The shortcut file includes a target command-line to execute the “ORHYY.vbs” file, which contains a code that incorporates a sleep operation and initiates the execution of the “VROLX.cmd” file located within the %appdata%\WindowsServices directory, as illustrated below.
Figure 9 – Files dropped at Startup folders for persistence
- Finally, the script launches the “VROLX.cmd” file, consequently initiating the execution of the PowerShell script “BTYSA.ps1.”
Figure 10 – Execution of PowerShell payload
The below image illustrates the code snippet of the downloaded PowerShell script named “BTYSA.ps1.”
Figure 11 – Content of BTYSA.ps1 file
Upon execution of the “BTYSA.ps1” file, it carries out the following tasks:
- Initially, it copies the “RegSvcs.exe” file from the Microsoft .NET Framework directory to the %temp% folder.
- Following that, it de-obfuscates an embedded PowerShell content stored in the variables “$CLE11” and “$RNBX1.” The result byte arrays are then stored in the variables “$WULC4” and “$YIV4Z” respectively.
- The content of the “$WULC4” byte array is recognized as the primary payload malware referred to as “WarzoneRAT” (also known as Avemaria).
- The byte array “$YIV4Z” is identified as a .NET injector payload designed to inject the main payload into a legitimate process.
- The primary objective of the PowerShell script involves dynamically loading the .NET injector payload during runtime using the reflective assembly loading technique. Subsequently, it injects the main malware payload into the “RegSvcs.exe” process by utilizing the methods Execute() and Invoke().
Figure 12 – .Net injector payload code snippet
- During runtime, the PowerShell script generates the following command to inject the malware payload into “RegSvcs.exe”:
- [Ref].Assembly::Load(holakabutr($RNBX1)).GetType(‘CALC.PAYSIAS’).’GetMethod'(Execute).Invoke().Invoke($null,[object[]] ($Path,holakabutr($CLE11))
- Through obfuscation, the .NET loader masks important APIs used for the injection process, such as CreateProcess(), VirtualAllocEx(), ResumeThread(), WriteProcessMemory(), among others.
- Furthermore, the PowerShell script includes two instances of obfuscated embedded content, which, upon de-obfuscation, retrieve additional PowerShell scripts as shown in the below figure, subsequently executed using “IEX” (Invoke-Expression).
- The first PowerShell script performs a sequence of operations designed to circumvent security measures. These include modifying registry settings to disable script block logging, evading AMSI (Anti-Malware Scan Interface) security checks through memory patching of the AmsiScanBuffer() function, and manipulating memory to bypass further security measures, involving dynamic library loading and function patching.
- The second PowerShell script configures Windows Defender by adding exclusions and modifying threat detection settings. It adjusts system preferences such as UAC and disables Windows Defender services. Additionally, it creates a new user account, stops specific services, and disables Windows Firewall, etc.
Figure 13 – PowerShell script for AMSI bypass & disable windows defender settings
Final Payload: WarzoneRAT (Avemaria)
WarzoneRAT (aka Avemaria) is a Remote Access Trojan (RAT) designed to illicitly access and control a victim’s computer system from a remote location. This malware allows threat actors to execute a range of unauthorized actions within the compromised system. Its nefarious capabilities encompass data exfiltration, privilege escalation, remote desktop manipulation, harvesting of email and browser credentials, keylogging, and other intrusive activities. A comprehensive analysis of the Avemaria RAT can be found in a blog post by Splunk.
The figure below displays the hardcoded strings found within the Avemaria binary executable, highlighting instances where the malware name is present within the file.
Figure 14 – Hardcoded strings of Avemaria
The figure below illustrates the process tree of the WarzoneRAT (Avemaria), starting from a disguised shortcut file.
Figure 15 – Process tree
DLL SideLoading
In another case, the compressed ZIP (MY TAX ORGANIZER.zip) comprises three files named “INVOICE_LA_PDF.LNK.exe,” “Tier1.pdof,” and “g2m.dll,” as shown below. The “g2m.dll” file is identified as a WarzoneRAT malware binary.
Figure 16 – Files inside the MY TAX ORGANIZER.zip
When the “INVOICE_LA_PDF.LNK.exe” file is executed, it employs the DLL sideloading technique to load the malware DLL into the process memory of the executable, as demonstrated below.
Figure 17 – DLL sideloading method
Additionally, the malware launches a command prompt to create a copy of the DLL file in the root of the %appdata% directory, naming it “VIVA_01.dll,” and establishes the following registry entry to ensure persistence.
- cmd.exe /C reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “*Chrome” /t REG_SZ /d “rundll32.exe C:\Users\<Admin>\AppData\Roaming\VIVA_01.dll”,EntryPoint /f & exit
The figure below depicts the process tree of the WarzoneRAT (Avemaria), in another instance of the campaign.
Figure 18 – Process tree
After being executed, the malware establishes a connection to the following command and control (C&C) domain along with its port:
- l34d3r[.]duckdns[.]org:4047
Conclusion
Threat Actors frequently employ themed spam email attachments to exploit the trust and anticipation of the recipient. By disguising malicious content within seemingly legitimate and relevant themes, such as tax-related documents, TAs increase the chances of users opening the attachments. In this campaign, TAs employ tax-themed spam emails to entice users to fall victim to WarzoneRAT malware infections. It appears that WarzoneRAT has resurfaced following the FBI’s dismantling of its malware operation in February. The infection method involves employing Reflective loading, DLL sideloading, and several other techniques to facilitate the infection process. By utilizing a range of techniques, TAs seek to enhance the complexity and efficiency of their attacks, thereby complicating the detection, prevention, and response efforts of defenders.
Our Recommendations
- The initial breach possibly occurs via spam emails. Therefore, it’s advisable to deploy strong email filtering systems for identifying and preventing the dissemination of harmful attachments.
- When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.
- Consider disabling or limiting the execution of scripting languages, such as PowerShell, on user workstations and servers if they are not essential for legitimate purposes.
- Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
- Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
- Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
- Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| Initial Access (TA0001) | Spearphishing Attachment (T1566.001) | This malware reaches users via spam email. |
| Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | cmd.exe is used to run commands of shortcut file and dropped CMD file. |
| Execution (TA0002) | Command and Scripting Interpreter: Visual Basic (T1059.005) | VBScript is utilized to download PowerShell scripts and execute defense evasion checks. |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | The PowerShell script is employed to deploy the final payload and execute process injection. |
| Execution (TA0002) | Windows Management Instrumentation (T1047) | Queries process information (via WMI, Win32_Process) |
| Persistence (TA0002) | Registry Run Keys / Startup Folder (T1053.001) | Drops script file into startup folder for persistence. |
| Defense Evasion (TA0005) | Masquerading (T1036) | LNK file masqueraded as PNG and ZIP file masqueraded as PNG. |
| Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | It uses obfuscated scripts to avoid detections. |
| Defense Evasion (TA0005) | Process Injection (T1055) | Injects a PE file into a RegSvcs.exe process. |
| Defense Evasion (TA0005) | System Binary Proxy Execution: Mshta (T1218.005) | Abuse mshta.exe to proxy execution of malicious VBScript. |
| Defense Evasion (TA0005) | Disable or Modify Tools (T1562.001) | Uses taskkill to terminate processes. |
| Defense Evasion (TA0005) | Hidden Files and Directories (T1564.001) | Hides that the sample has been downloaded from the Internet. |
| Discovery (TA0007) | Process Discovery (T1057) | Queries a list of all running processes. |
| Discovery (TA0007) | System Information Discovery (T1082) | Queries process information (via WMI, Win32_Process) |
| Collection (TA0009) | Email Collection (T1114) | Collects email related files. |
| C&C (TA0011) | Application Layer Protocol (T1071) | Malware exe communicate to C&C server. |
| C&C (TA0011) | Ingress Tool Transfer (T1105) | Downloads files from webservers via HTTP. |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| ab948b1b43223abb9f8196a544949aea dceb0090befd7cd7edaee548cf042e85da2ce69e 2971e7072c7dfb85a344902662efb86f785a2d728104124bf4abef5d44be9e72 | MD5 SHA1 SHA256 | taxorganizer 2023.png.lnk |
| hxxp://1287123hjdfsdyu8923748394234234234[.]duckdns[.]org/hvrm/ taxorganizer2023.png | URL | Download archive file |
| 5940164749679a23816e355582de084c f803c161ff438054eb513e43237fa1b2901b7757 0176aa357685dee1cd9f32e77d2b3c4d89dc9983d41fcd27df455d2045777d6c | MD5 SHA1 SHA256 | taxorganizer 2023.png (ZIP file) |
| eaf8f799d9b31afd8569f7e272249868 03f9287ac8b560df6f88ab047042ee421ac6aa3c 70e7b2dcae22dd61babfb82eb1691cbe2d3c699099a9ec5d14a510a14c235b36 | MD5 SHA1 SHA256 | taxorganizer 2023.hta |
| hxxp://1287123hjdfsdyu8923748394234234234[.]duckdns[.]org/hvrm/ Memory.vbs | URL | download VBS file |
| b17c5823c4e6a91173c2d063f1d09dc5 aa25a3d22e94063ddb749376ac87b8ab5fcd93b4 74ad9efa572449669893947c6eca7696280def08da3413f9635ab5b1ee91adf4 | MD5 SHA1 SHA256 | memory.vbs |
| hxxps://textbin[.]net/raw/qo6iwgrjgy | URL | download PS file |
| 31cb3c2da4ee918adfa97168db6b565a ccf35f0a944ca5e80caa4e2f56065aa3e089638f b57ee4991cd5316fe47a382db879dc0ae784c2f974f395939987ae174c1a48a7 | MD5 SHA1 SHA256 | BTYSA.ps1 |
| bc1705db6ccc60784390e7ae66887148 6ff6a0ed3412f944b2a74479993b7e5dc56773d9 39e67f25b0fa660db0541bf37e315fb4def772bd3b6d67991b64a5a85914477d | MD5 SHA1 SHA256 | test.exe (.Net injector) |
| dd94249831862f21373a8f17bed2e8bf ab2e86e25dcf119ad390e93e65230549add93c30 55d1b2bf357d28efba4e5b130624c9de4a2afd0b5868275e506887f95ca17c48 | MD5 SHA1 SHA256 | WarzoneRAT (Avemaria) |
| 6306dcae34a5eec8a6264e82c93e0f21 47d2e84d8cbe09a83e29ad52da9cc88b77766664 b87676d267712ec64e015c7a1aa689cd951a581841db4208a758aa1c0b16b68f | MD5 SHA1 SHA256 | MY TAX ORGANIZER.zip |
| e74edf0e25243707b521025e35581273 61037e709b30fab28f52de0d6489f3f3433c7146 3d7c57fd5e035b159d4f1460989924756a725db772787cf8ad67d543c510fe54 | MD5 SHA1 SHA256 | G2M.dll |
| l34d3r[.]duckdns[.]org:4047 | Domain | C&C |
