Thursday, February 6, 2025
Homecyber securityWarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

Published on

SIEM as a Service

Follow Us on Google News

The notorious WarzoneRAT malware has made a comeback, despite the FBI’s recent efforts to dismantle its operations.

Initially detected in 2018, WarzoneRAT was disrupted by the FBI in mid-February when they seized the malware’s infrastructure and arrested two individuals linked to the cybercrime scheme.

However, ThreatMon’s recent advertisement for WarZoneRAT v3, with its enhanced features, indicates that the threat actors are far from giving up.

Cybersecurity experts at Cyble Research & Intelligence Labs (CRIL) have uncovered a new campaign that leverages tax-themed spam emails to spread the WarzoneRAT (Avemaria) malware, a Remote Administration Tool (RAT) known for its remote control capabilities and ability to execute malicious actions under the command of a remote server.

Infection Tactics: The LNK and HTA Files

The infection begins when unsuspecting users open an email with the subject “taxorganizer2023” and execute an attached archive file.

Document

Download Free CISO’s Guide to Avoiding the Next Breach

Are you from The Team of SOC, Network Security, or Security Manager or CSO? Download Perimeter’s Guide to how cloud-based, converged network security improves security and reduces TCO.

  • Understand the importance of a zero trust strategy
  • Complete Network security Checklist
  • See why relying on a legacy VPN is no longer a viable security strategy
  • Get suggestions on how to present the move to a cloud-based network security solution
  • Explore the advantages of converged network security over legacy approaches
  • Discover the tools and technologies that maximize network security

Adapt to the changing threat landscape effortlessly with Perimeter 81’s cloud-based, unified network security platform.

This file contains a deceptive shortcut file, “taxorganizer2023.png.lnk,” which appears to be an image but is, in fact, a malicious LNK file.

When executed, it triggers a PowerShell command to download and extract a ZIP file, leading to the execution of an HTA file.

This HTA file retrieves a PowerShell script in memory, which downloads a VBScript file from a remote server, ultimately deploying the WarzoneRAT malware.

Overall infection chain
Overall infection chain

Another infection method involves a ZIP archive named “MY TAX ORGANIZER.zip,” which contains a legitimate EXE file, a malicious DLL, and a PDF file.

Running the EXE file triggers the DLL sideloading technique, loading the malicious DLL identified as WarzoneRAT.![DLL Sideloading Method](Figure 17 – DLL sideloading method)

DLL sideloading method
DLL sideloading method

Technical Analysis: Unpacking the Malware

The technical analysis of the campaign reveals a complex infection chain.

The LNK file downloads a PNG file, which is a ZIP file, and extracts its contents.

The subsequent execution of the HTA file leads to a series of scripts that perform various actions, including generating random equations for stealth, checking for antivirus processes, and creating directories and files for persistence.

Content of HTA file before & after removing Junk codes
Content of HTA file before & after removing Junk codes

Final Payload: The Dangers of WarzoneRAT

The final payload, WarzoneRAT (Avemaria), is a highly capable RAT that allows remote access and control over the victim’s computer.

It can exfiltrate data, escalate privileges, manipulate the desktop remotely, harvest credentials, and perform keylogging, among other intrusive activities.

Hardcoded strings of Avemaria
Hardcoded strings of Avemaria

The recent campaign highlights the persistent threat posed by cybercriminals who exploit the trust of users with themed spam emails.

The sophisticated techniques used in this campaign, such as reflective loading and DLL sideloading, underscore the importance of vigilance and robust cybersecurity measures.

As the WarzoneRAT malware continues to evolve and resurface, it is a stark reminder of the ongoing battle between cybercriminals and cybersecurity defenders.

Users are urged to exercise caution when opening email attachments, even those that appear to be related to timely and relevant topics like tax organization.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Hackers Exploit 3,000 ASP.NET Machine Keys to Hack IIS Web Servers Remotely

Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks...

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploit 3,000 ASP.NET Machine Keys to Hack IIS Web Servers Remotely

Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks...

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...