Security researchers have spotted an ongoing Confucius APT campaign that leverages Warzone RAT malware to compromise its targets. The campaign is presumably aimed at the governmental sector of China and other South Asia countries.
Warzone remote access Trojan (RAT), a prolific successor of AveMaria stealer, first emerged in 2018 as a malware-as-a-service (MaaS) strain. Throughout the 2020 Warzone was significantly mastered by its operators to increase the competitiveness in the malicious arena. The Trojan is currently sold for $23-$50, depending on the rent period that might vary from one to three months. Also, Warzone offers several paid options, including a RAT poison, a Crypter, and silent exploits for .DOC and Excel. Furthermore, a cracked version of the Trojan was uploaded on GitHub, which broadens the adoption of malware throughout the cyber-criminal community.
So what is Warzone RAT malware? Warzone is a full-fledged remote access Trojan written in C++ language and compatible with most Windows versions. According to the researchers’ analysis, the Trojan can provide full remote control of the targeted PC. The list of capabilities includes automatic password-dumping from major browsers and email clients (Chrome, Firefox, Opera, Internet Explorer, Thunderbird, Foxmail, Outlook, and more). Also, the malware can download and execute files on the compromised device, perform keylogging and command execution, connect the webcam module, enable reverse proxy, and facilitate remote shell.
It is worth noting that Warzone RAT is successful at evading detection and elevating its privileges on the compromised machine. The malware incorporates a UAC bypass able to overcome the default file system restrictions in Windows 10. It is done by misusing the sdclt.exe feature within the backup and restore functionality of the system. For earlier Windows versions, the malware applies a distinct UAC bypass included in its configuration.
The researchers from Uptycs have analyzed Warzone’s attack kill chain leveraged in the latest Confucius APT campaign. The intrusion starts from a decoy document named “China Cruise Missiles Capabilities-Implications for the Indian Army.docx.” Such a lure might grab the attention of employees within the targeted government departments since it describes the current border tensions between India and China. In case a user was convinced to open the document, it downloads the next-stage RTF exploit via template injection. The exploit, in turn, drops the final Warzone RAT payload via embedded DLL.
The DLL analysis allowed researchers to identify three more decoy documents probably aimed at other public sector targets in the region. The lures are related to the military activity of China at Taiwan Strait, Joe Biden’s decisions on nuclear weapon issues, and the job application to the Pakistan Space & Upper Atmosphere Research Commission (SUPARCO). The baits had been distributed since October 2020, indicating that the campaign lasts at least several months.
To detect the malicious activity of Warzone RAT, you might download a fresh Sigma rule released by our Threat Bounty developer Osman Demir:
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness
Tactics: Execution, Persistence
Techniques: Command-Line Interface (T1059), Registry Run Keys/Startup Folder (T1060)
In case you don’t have a paid access to the Threat Detection Marketplace, you might activate your free trial under a community subscription to unlock the Sigma rule related to the Warzone remote access Trojan.
To reach more relevant SOC content available at our platform for free, subscribe to Threat Detection Marketplace. We have 81,000+ detection content items compatible with the most with the majority of SIEM, EDR, NTDR, and SOAR platforms. Inspired to create your own Sigma rules and contribute to the threat hunting initiatives? Join our Threat Bounty Program for a safer future!