Reference Number ACG-CSB 012725378
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
SUMMARY
WarZone RAT is a Remote Access Trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its Command and Control (C2) infrastructure.
The range of capabilities of the malware includes information stealing, infected systems manipulation, and initiation of targeted attacks against organizations. Easy accessibility, frequent updates, and the ever-expanding set of features make WarZone RAT one of the most prevalent RATs in the global threat landscape.
This RAT operates stealthily and grants attackers access to various functionalities within the compromised system. Its malicious activity includes data theft, privilege escalation, remote desktop control, file management, webcam capture, live and offline keylogging, email credential collection, browser credential parsing and more. WarZone RAT is notorious for the spam email campaigns used to disseminate the malware. These spam emails are cleverly crafted to include a malicious attachment that exploits a vulnerability in Microsoft Equation Editor to infect unsuspecting victims’ systems.
WarZoneRAT uses a Dynamic-Link Library (DLL) hijacking exploit that allows the malware to escalate the privileges of a Windows process and enables a malicious process to gain administrative control of an infected machine. Once the malware achieves this initial target, it downloads additional plugins and even other malware, such as Lokibot, onto the machine.
The malware also implements obfuscation and evasion techniques that make detection a challenge. It includes a function designed to evade security tools such as Windows Defender by using PowerShell: the function builds and executes a PowerShell command that adds the malware’s file path to the Windows Defender ExclusionPath list, so that the path is no longer scanned by Windows Defender. WarZone RAT can also bypass User Account Control (UAC) to escalate privileges and install itself on the victim’s system. It likewise leverages process hollowing, executing its malicious binary within a legitimate process, and makes use of anti-debugging mechanisms that complicate analysts’ investigations.
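The Defender exclusion technique described above leaves a trace in PowerShell script-block logging (Event ID 4104), which defenders can monitor. The following detector is an added example written for this bulletin, not code from the PNP ACG or any vendor; the sample log lines, the approved-exclusion allow-list and the list of suspicious directory roots are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of PowerShell script-block log entries (Event ID 4104 style).
# These lines are invented for this example; they are not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    r"Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost32.exe'",
    r"Get-ChildItem C:\Temp | Measure-Object",
    "powershell -nop -w hidden -c \"Set-MpPreference -ExclusionPath 'C:\\ProgramData\\update.exe'\"",
    r"Add-MpPreference -ExclusionExtension '.exe'",
    r"Add-MpPreference -ExclusionPath 'C:\Program Files\CorpBackup'",  # assumed change-approved
]

# Assumed allow-list of exclusions the organisation added deliberately (constructed).
APPROVED_EXCLUSIONS = {r"C:\Program Files\CorpBackup"}

# User-writable locations where droppers usually land; an exclusion here is high severity.
SUSPICIOUS_ROOTS = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp", "%TEMP%", "%APPDATA%")

# Matches Add-/Set-MpPreference with an -ExclusionPath/-ExclusionExtension/-ExclusionProcess
# argument, whether the value is single-quoted, double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)

@dataclass
class Finding:
    line: str
    kind: str       # Path / Extension / Process
    value: str
    severity: str   # high / medium

def classify(kind: str, value: str) -> Optional[str]:
    """Return a severity for an exclusion, or None if it is on the allow-list."""
    if kind.lower() == "path":
        if value in APPROVED_EXCLUSIONS:
            return None
        if any(value.lower().startswith(root.lower()) for root in SUSPICIOUS_ROOTS):
            return "high"
        return "medium"
    # Extension- or process-wide exclusions blind Defender broadly, so always high.
    return "high"

def scan_script_blocks(lines: List[str]) -> List[Finding]:
    """Flag every Defender exclusion change in the given script-block log lines."""
    findings = []
    for line in lines:
        for m in EXCLUSION_RE.finditer(line):
            kind = m.group(1)
            value = m.group(2) or m.group(3) or m.group(4)
            severity = classify(kind, value)
            if severity:
                findings.append(Finding(line, kind, value, severity))
    return findings
```

Running scan_script_blocks(SAMPLE_SCRIPT_BLOCKS) reports three findings and ignores the change-approved exclusion; in production the allow-list should come from change records rather than a hard-coded set.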
Threat actors frequently employ themed spam email attachments to exploit the trust and anticipation of the recipient, disguising malicious content within seemingly legitimate attachments to entice users into opening them and falling victim to WarzoneRAT infections.
WarZoneRAT is a serious threat to organizations and individuals, and it is vital to be aware of the malware’s capabilities and distribution methods to avoid infection. The most effective way to protect your infrastructure from this malicious program is to steer clear of downloading attachments and files from senders and sources you do not know or trust. Individuals can also check any suspicious file or URL in the ANY.RUN sandbox to receive a conclusive verdict on whether it is malicious or not.
RECOMMENDATION
The public is advised to follow these tips to avoid being a victim of WarZone Remote Access Trojan attacks:
- Implement network segmentation;
- Never open unsolicited email attachments;
- Implement Multi-Factor Authentication (MFA);
- Run regular security testing;
- Keep your software and internet connected devices updated; and
- Use an up-to-date anti-malware solution.
For additional information, please refer to the following websites:
- https://any.run/malware-trends/avemaria/
- https://www.splunk.com/en_us/blog/security/defending-the-gates-understanding-and-detecting-ave-maria-warzone-rat.html
- https://www.upguard.com/blog/best-practices-to-prevent-ransomware-attacks
POINT OF CONTACT
Please contact PLTCOL JERRY V EMPIZO, Officer-In-Charge, Cyber Security Unit, thru e-mail address csradacgroup@gmail.com or contact us by telephone number (632) 723-0401 local 7488 for any inquiries related to this CYBER SECURITY BULLETIN.