Warzone RAT (AKA Ave Maria)

What Is Warzone RAT?

Warzone RAT (AKA Ave Maria) is a remote access trojan (RAT) sold as malware-as-a-service (MaaS). It was first discovered in January 2019 and quickly gained popularity, becoming a top malware strain by 2020. Warzone’s payload includes a wide array of functionality, but its primary use is as an information stealer. It has advanced stealth and anti-analysis capabilities and has been deployed using a broad set of dropper techniques.

Warzone masquerades as a legitimate commercial IT administration tool sold and maintained by an online persona named Solmyr. Basic plans are sold on its official website for $37.95 per month, far cheaper than other apex MaaS strains. Warzone is available as 1-month, 3-month, and 12-month licenses with an optional Dynamic Domain Name System (DDNS) service, and it has a “Poison” version that includes a rootkit installation module. DDNS is used in cyberattacks to hide the location of the command-and-control (C2) servers used by malware operators. Cracked versions of Warzone can also be found on darknet forums, and the strain has instructional YouTube videos for learning basic deployment and C2 administration.

Some of Warzone’s most impactful campaigns have included geopolitical targets such as compromising government employees and military personnel of India’s National Informatics Centre (NIC) and its use by the Confucius APT group against the mainland Chinese government and other South Asian countries. Warzone was also used in a well-crafted phishing campaign that spoofed official government communication to distribute the malware in Hungary.

Warzone RAT Capabilities

Here is a summary of Warzone’s capabilities as marketed on its website.

  • VNC remote desktop access, remote shell, and remote file management
  • Stealth-enabled remote desktop via RDPWrap and hidden virtual network computing (hVNC)
  • System processes monitoring
  • Privilege escalation exploits via UAC bypass
  • Recording an infected system’s webcam
  • Stealing credentials from popular browsers and email clients, including Chrome, Firefox, IE, Edge, Outlook, Thunderbird, Foxmail
  • Importing and executing additional malware payloads
  • Real-time keylogging
  • Windows Defender bypass

Warzone has been distributed through a virtually endless number of initial infection vectors, but it is officially sold in two distinct first-stage configurations: as an embedded Microsoft Office macro dropper, or packed as a compressed and encrypted dropper payload designed to bypass antivirus detection. Outside of its official modes, Warzone is deployed via both malspam and targeted phishing campaigns that leverage:

  • Hacked WordPress websites and popular file hosting services such as archive.org and discord.com to host the payload
  • Self-extracting archives (SFX) formatted as .rar and .zip files, and .iso with fake file icons designed to look like popular software applications
  • Microsoft Office macros using a VBA-stomping technique that compiles the embedded macro script into P-code to avoid detection by antivirus products
  • A .NET loader written in C# that uses RunPE.dll to hijack, hollow, and inject Warzone into the InstallUtil.exe process
  • The Windows scripting language AutoIt to deliver the Warzone payload
  • Known vulnerabilities such as CVE-2017-11882 and CVE-2018-0802

Warzone gains persistence on the target host by creating a Windows registry autostart entry, usually under the key HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, and setting its value to the location of Warzone’s executable binary. Finally, Warzone can escalate privileges using an older DLL hijacking technique for UAC bypass.

Signs of a Warzone RAT Attack

Threat researchers have published YARA and Sigma rules to identify droppers used in Warzone attacks. Still, the most reliable indicators of compromise (IOCs) associated with Warzone relate to how the malware establishes its connections with C2 endpoints and creates distinct registry keys for persistence.
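The persistence mechanism described above (a Run-key value pointing at the malware binary) is one of the registry-based indicators this section refers to. The following is an added example, not code from BlackBerry or from any published Warzone rule set: it triages constructed registry-modification events for the Run keys and flags entries whose target binary, or whose writing process, lives in a user-writable directory. The pipe-separated "Event ID 13" line format, the sample file paths, and the value names are all constructed for illustration and are not Warzone indicators; the native 64-bit and per-user Run keys are added alongside the Wow6432Node key named in the text because they are the standard Windows autostart locations.

```python
"""Added example (not BlackBerry's code): flag autostart Run-key entries that
point at user-writable directories, using constructed registry events.
Log format, sample paths and value names are assumptions for illustration."""
import re
from dataclasses import dataclass

# Autostart keys to watch: the Wow6432Node Run key named in the text, plus the
# native 64-bit and per-user equivalents (standard Windows locations).
RUN_KEYS = {
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
}

# Directories any interactive user can write to. A Run value launching a binary
# from here deserves a look; one under Program Files usually does not.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|"
    r"[a-z]:\\(?:programdata|windows\\temp|temp))\\",
    re.IGNORECASE,
)

# Pull the executable path out of a Run value's command line: either the
# quoted first token or the leading text up to the first ".exe".
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)\b)', re.IGNORECASE)


@dataclass
class RegistryEvent:
    key: str         # full key path, e.g. HKLM\...\Run
    value_name: str  # value name under that key
    data: str        # value data (command line / binary path)
    process: str     # image that wrote the value


# Constructed sample log: "EventID|key|value_name|data|writing process".
# This is an approximation of a Sysmon registry-set event, not real telemetry.
SAMPLE_LOG = r"""
13|HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|Updater|C:\Program Files (x86)\Vendor\updater.exe|C:\Program Files (x86)\Vendor\setup.exe
13|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|svchost|C:\Users\alice\AppData\Roaming\svchost.exe|C:\Users\alice\AppData\Local\Temp\invoice.exe
13|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoRun|1|C:\Windows\regedit.exe
13|HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|images|"C:\ProgramData\images.exe" -s|C:\Users\bob\Downloads\doc.iso.exe
"""


def is_user_writable(path: str) -> bool:
    """True when the path starts in a directory an ordinary user can write to."""
    return bool(USER_WRITABLE.match(path))


def parse_events(log: str) -> list:
    """Parse the constructed pipe-separated lines; skip anything malformed."""
    events = []
    for line in log.splitlines():
        fields = line.split("|", 4)
        if len(fields) != 5 or fields[0] != "13":
            continue
        _, key, value_name, data, process = fields
        events.append(RegistryEvent(key, value_name, data, process))
    return events


def target_binary(data: str):
    """Executable referenced by a Run value, or None if the data is not a command."""
    m = EXE_RE.match(data)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(log: str) -> list:
    """Return Run-key writes that point at, or come from, user-writable paths."""
    hits = []
    for ev in parse_events(log):
        if ev.key.lower() not in RUN_KEYS:
            continue  # not an autostart key we care about
        target = target_binary(ev.data)
        reasons = []
        if target and is_user_writable(target):
            reasons.append("user-writable target")
        if is_user_writable(ev.process):
            reasons.append("user-writable writer")
        if reasons:
            hits.append({"key": ev.key, "value_name": ev.value_name,
                         "target": target, "writer": ev.process,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, the vendor updater under Program Files passes, the Policies\Explorer write is ignored because it is not a Run key, and the two entries launching binaries from AppData and ProgramData (written by processes in Temp and Downloads) are reported. In a real deployment the same logic would sit over Sysmon Event ID 13 or an EDR's registry telemetry, and the flagged binary would be pulled for hashing and detonation rather than judged on its path alone.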

How to Prevent Warzone RAT

At a minimum, defending against a Warzone attack requires running antivirus software and keeping it updated so that known versions of Warzone malware are identified as they enter a network. It is also important to use awareness training to educate staff on identifying suspicious malspam and phishing attacks, and to implement standard procedures for handling suspected incidents.

BlackBerry® Cylance®, which offers a predictive advantage over zero-day threats, is effective against malware like DCRat. BlackBerry Cylance trains artificial intelligence (AI) agents for threat detection using millions of both safe and unsafe files.

BlackBerry Cylance prevents malware variants from executing based on the detection of several malicious file attributes, not a specific file signature. This approach allows our customers to implement a prevention-first security posture that is effective against unknown, emerging, and polymorphic threats as well as traditional threats.