A new campaign using Warzone RAT, which is sold as Malware-as-a-Service (MaaS), has come to the notice of researchers. The RAT, a popular choice for aspiring miscreants on a budget, has been found in a new email phishing campaign targeting users in Hungary.
About the campaign
According to researchers from FortiGuard Labs, the purported phishing emails inform users that their credentials to a government portal have changed and that new ones are attached within.
The portal in question is used to conduct official business online such as submitting documents and ordering IDs.
The attachment is a zip file that contains an executable pretending to be a PDF. Upon execution, the fake PDF extracts Warzone RAT into memory and runs it.
The attack also uses .dll files and reverse engineering techniques to increase the level of obfuscation.
The ultimate goal of the campaign is to gain remote access to Microsoft Windows.
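As an added example (not code from FortiGuard's report or from the campaign's own tooling) of the check a mail gateway or an analyst script can run on attachments like the one described above: it opens a zip archive, reads each member's leading bytes, and flags members whose content is a PE executable, whose name carries a double extension, or that claim to be a PDF without a PDF header. The archive and its members are constructed sample data, and the extension list is an assumption for illustration.

```python
import io
import zipfile

# Well-known file signatures; the executable extension list is an illustrative assumption.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a zip member looks like an executable posing as a document."""
    reasons = []
    lower = name.lower()
    parts = lower.rsplit("/", 1)[-1].split(".")
    exts = ["." + p for p in parts[1:]]  # every extension in a.b.c -> [.b, .c]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {exts[-1]}")
    if len(exts) > 1 and ".pdf" in exts[:-1]:
        reasons.append("double extension: document extension hides the real one")
    if head.startswith(PE_MAGIC):
        reasons.append("content is a PE executable (MZ header)")
        if lower.endswith(".pdf"):
            reasons.append("claims to be PDF but is not")
    elif lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
        reasons.append("claims to be PDF but lacks %PDF header")
    return reasons

def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its findings; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the leading bytes are needed for the magic check
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: one benign PDF, one PE renamed to .pdf, one double-extension exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf", b"%PDF-1.4\n%constructed benign sample\n")
        zf.writestr("new_credentials.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("new_credentials.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()
```

Calling `scan_zip(build_sample_zip())` reports the two disguised executables and stays silent on the genuine PDF.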
About Warzone RAT
Warzone RAT is a well-known malware that is publicly available on the internet and anybody can access it through a subscription model.
The malware is often referred to as Ave Maria Stealer, since it borrows source code from that stealer.
It offers a wide range of functionality to its subscribers. These include recording keystrokes, harvesting cookies, providing remote access to a desktop and webcam, pilfering passwords, and maintaining persistence, among others.
Warzone also provides multiple ways to escalate privileges depending on the Windows version.
While remote access tools provide versatile support to organizations, they have also become increasingly popular with cybercriminals for launching cyberattacks.
Use of RATs on the rise
Attackers are abusing such tools to install backdoor malware and to take over victim systems, among other malicious activities.
Warzone is one of the most widely used RATs, along with Remcos, BitRAT, RedLine, and NanoCore.
In September, the Russian Sandworm APT group was spotted targeting Ukraine by pretending to be telecom providers. The end goal was to deploy Warzone RAT and Colibri Loader on critical systems.
Using remote access tools such as Warzone as final payloads enables cybercriminals to perform various malicious activities that can compromise an organization's credentials and other data. As the malware is primarily distributed via phishing emails, organizations must have proper email security checks in place to thwart such threats.