{"id":90116,"date":"2021-07-01T19:30:31","date_gmt":"2021-07-01T14:00:31","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=90116"},"modified":"2023-08-08T18:16:15","modified_gmt":"2023-08-08T12:46:15","slug":"warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents\/","title":{"rendered":"WARZONE RAT \u2013 Beware Of The Trojan Malware Stealing Data Triggering From Various Office Documents"},"content":{"rendered":"<p>Warzone RAT is part of an APT campaign named \u201cConfucius.\u201d Confucius APT is known to target government sectors of China and a few other South Asian countries. This APT campaign was quite active around January 2021. Warzone RAT first emerged in 2018 as malware-as-a-service (MaaS) and is known for its aggressive use of \u201c.docx\u201d files as its initial infection vector. The initial payload is known as \u201cAve Maria Stealer,\u201d which can steal credentials and log keystrokes on the victim\u2019s machine. The advanced version of this malware is currently sold in the underground market for $22.95 per month and $49.95 for three months. 
The Warzone creators have an official website where it&#8217;s up for sale.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-90117 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture1-1-300x98.png\" alt=\"\" width=\"572\" height=\"187\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture1-1-300x98.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture1-1.png 521w\" sizes=\"(max-width: 572px) 100vw, 572px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 1: Warzone website showing selling price<\/em><\/p>\n<p style=\"text-align: left;\">These are the various features of the RAT mentioned on the website:<\/p>\n<ul>\n<li>Remote Desktop &amp; Webcam<\/li>\n<li>Privilege Escalation &#8211; UAC Bypass<\/li>\n<li>Password Recovery<\/li>\n<li>Download &amp; Execute.<\/li>\n<li>Live Keylogger<\/li>\n<li>Remote Shell<\/li>\n<li>Persistence<\/li>\n<li>Windows Defender Bypass<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>We came across a cracked version of Warzone RAT on GitHub. 
Here is the screenshot of that repository:<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-90118 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture2-2-300x97.png\" alt=\"\" width=\"599\" height=\"194\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture2-2-300x97.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture2-2-650x209.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture2-2-768x248.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture2-2.png 785w\" sizes=\"(max-width: 599px) 100vw, 599px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 2: A cracked version of Warzone on GitHub<\/em><\/p>\n<p>Based on our research, we confirmed that the threat actor hides the attack behind a decoy document to manipulate users, and delivers the next-stage payload via the template injection technique. 
In this blog, we are going to talk about the &#8220;.docx&#8221; used as the initial attack vector and how it delivers its final payload: Warzone RAT.<\/p>\n<h3><strong>Technical Analysis:<\/strong><\/h3>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90119 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture3-1-300x155.png\" alt=\"\" width=\"553\" height=\"286\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture3-1-300x155.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture3-1.png 525w\" sizes=\"(max-width: 553px) 100vw, 553px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 3: Attack Chain<\/em><\/p>\n<p>The various phases of the attack are:<\/p>\n<ul>\n<li>The victim opens the Word document.<\/li>\n<li>This document further downloads an <a href=\"https:\/\/blogs.quickheal.com\/malspam-campaigns-exploiting-recent-ms-office-vulnerability-cve-2017-11882\/\">RTF exploit<\/a> (CVE-2017-11882).<\/li>\n<li>The exploit in the RTF is triggered, and muka.dll is dropped and executed.<\/li>\n<li>Muka.dll downloads Warzone RAT.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>Phase 1:<\/strong><\/p>\n<p>Here the infection chain starts with a &#8220;.docx&#8221; file. The decoy document (Hash: <em>59ccfff73bdb8567e7673a57b73f86fc082b0e4eeaa3faf7e92875c35bf4f62c<\/em>) is shown below. 
This decoy document was crafted by the attackers to lure victims.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90149 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/07\/Picture-10-300x241.png\" alt=\"\" width=\"580\" height=\"466\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/07\/Picture-10-300x241.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/07\/Picture-10.png 477w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-90120 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture4-1-300x195.png\" alt=\"\" width=\"585\" height=\"380\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture4-1-300x195.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture4-1.png 565w\" sizes=\"(max-width: 585px) 100vw, 585px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 4: Screenshot from the \u201cSuparco Vacancy Notification.docx\u201d<\/em><\/p>\n<p>When the document is opened, it uses the template injection technique to download the next-stage RTF exploit. The RTF carries an embedded DLL that connects to the C&amp;C domain and downloads the final payload, Warzone RAT. 
This can be seen in the image below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90121 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture5-1-300x106.png\" alt=\"\" width=\"572\" height=\"202\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture5-1-300x106.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture5-1-650x229.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture5-1-768x270.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture5-1-789x278.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture5-1.png 926w\" sizes=\"(max-width: 572px) 100vw, 572px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 5: Using Template Injection Technique<\/em><\/p>\n<p>The RTF exploit is fetched through the \u201c\\word\\_rels\\settings.xml.rels\u201d file in the document structure, which holds the remote template link used by the template injection technique, as shown below.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90122 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture6-1-300x48.png\" alt=\"\" width=\"563\" height=\"90\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture6-1-300x48.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture6-1-650x105.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture6-1-768x124.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture6-1-789x127.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture6-1.png 972w\" sizes=\"(max-width: 563px) 100vw, 563px\" \/><em>Figure 6: settings.xml.rels containing a link to the template<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Phase 2:<\/strong><\/p>\n<p>The downloaded RTF file (Hash: 
<em>686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424<\/em>) contains code that exploits an old vulnerability, \u201cCVE-2017-11882\u201d. The flaw resides within the Equation Editor (EQNEDT32.exe), a component of Microsoft Office that inserts or edits Object Linking and Embedding (OLE) objects. We found that muka.dll is embedded in an OLE object.<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90123 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture7-1-300x91.png\" alt=\"\" width=\"573\" height=\"174\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture7-1-300x91.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture7-1-650x197.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture7-1-768x233.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture7-1-789x240.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture7-1.png 1024w\" sizes=\"(max-width: 573px) 100vw, 573px\" \/><em>Figure 7: muka.dll embedded in an OLE object<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Phase 3:<\/strong><\/p>\n<p>The embedded muka.dll file (Hash: <em>1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126<\/em>) contains an export function named zenu, through which the DLL exposes its functionality to the program that loads it. 
Here is an image showing this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90124 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture8-300x118.png\" alt=\"\" width=\"577\" height=\"227\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture8-300x118.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture8-650x256.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture8-768x302.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture8-789x311.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture8.png 955w\" sizes=\"(max-width: 577px) 100vw, 577px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 8: Export directory containing export function zenu<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Phase 4:<\/strong><\/p>\n<p>Upon successful exploitation, the DLL connects to a malicious domain (<em>wordupdate.com<\/em>), which was still active at the time of writing, and downloads the final Warzone payload.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-90125 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture9-300x74.png\" alt=\"\" width=\"596\" height=\"147\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture9-300x74.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture9-650x160.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture9-768x189.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture9-789x195.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Picture9.png 997w\" sizes=\"(max-width: 596px) 100vw, 596px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 9: Requesting access to the malicious domain<\/em><\/p>\n<p>The Warzone payload is saved as update.exe (Hash: 
<em>7dd1dba508f4b74d50a22f41f0efe3ff4bc30339e9eef45d390d32de2aa2ca2b<\/em>).<\/p>\n<h4><strong>Conclusion:<\/strong><\/h4>\n<p>Warzone RAT exploits an old but still popular vulnerability, \u201cCVE-2017-11882,\u201d in Microsoft\u2019s Equation Editor component. This RAT works as info-stealer <a href=\"https:\/\/www.seqrite.com\/blog\/anyone-even-you-can-carry-out-cyberattacks-with-the-malware-as-a-service-model\/\">malware<\/a>. Attackers typically spread such malware through document files sent as email attachments. We recommend our customers not to open suspicious emails\/attachments and to keep their AV software up to date to protect their systems from such complex malware. We detect the initial infection vector and the final Warzone RAT as XML.Downloader.39387 and Trojan.GenericRI.S16988580 respectively.<\/p>\n<h4><strong>IOCs:<\/strong><\/h4>\n<ul>\n<li>DOCX: <em>59ccfff73bdb8567e7673a57b73f86fc082b0e4eeaa3faf7e92875c35bf4f62c<\/em><\/li>\n<li>RTF: <em>686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424<\/em><\/li>\n<li>DLL: <em>1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126<\/em><\/li>\n<li>EXE: <em>7dd1dba508f4b74d50a22f41f0efe3ff4bc30339e9eef45d390d32de2aa2ca2b<\/em><\/li>\n<\/ul>\n<h4><strong>Domains:<\/strong><\/h4>\n<ul>\n<li><em>recent.wordupdate.com<\/em><\/li>\n<li><em>wordupdate.com<\/em><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Warzone RAT is part of an APT campaign named \u201cConfucius.\u201d Confucius APT is known to target government sectors of China and a few other South Asian countries. This APT campaign was quite active around January 2021. 
Warzone RAT first emerged in 2018 as malware-as-a-service (MaaS) and is known for its aggressive use of \u201c.docx\u201d files [&hellip;]<\/p>\n","protected":false},"author":91,"featured_media":90158,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1739,24],"tags":[1844,1843,431,1821,49,40],"class_list":["post-90116","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-malware","tag-warzonemalware","tag-warzonerat","tag-android","tag-androidmalware","tag-malware","tag-trojan"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90116"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/91"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=90116"}],"version-history":[{"count":27,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90116\/revisions"}],"predecessor-version":[{"id":91457,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90116\/revisions\/91457"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/90158"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=90116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=90116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=90116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}