I. Execution Flow Summary:
Below is an illustrated and summarized way of how WarZone RAT sample infects the victim system via DBatLoader:
II. Technical Analysis
The attacker’s email sent to the user includes an attached .html file as follows:
Observing the file PO-2200934-KINQTE.html in Hex mode, it appears to contain scripts and a large blob of base64-encoded data.
The main task of the script as shown below:
By quick analyzing the content of the script, it will simulate downloading the file PO-2200934-KINQTE.rar rather than a file with the .exe extension. This can be verified by opening the .html file through popular browsers such as Edge or Chrome.
Decode the base64Data to obtain the RAR file. This RAR file contains an executable file named PO-2200934-KINQTE.exe.
File PO-2200934-KINQTE.exe (bdb74765f6e99f2af997bb1916e373390aafa21100f8638c4d4dc89553fbba35) is DBatLoader:
DBatLoader typically performs download obfuscated later stage payloads from public cloud services such as OneDrive or Google Drive. In the sample I’m analyzing, it will load the payload from OneDrive.
| 1 | hxxps://onedrive[.]live[.]com/download?resid=FDB0512DE793B32E%21180&authkey=!AHbZUypgd3P08kc |
At the time of analysis, the encrypted payload is still downloadable via the link above.
Decrypting the encrypted payload:
The decrypted payload (4c014a78f07a12a659b780d0da285a897a7ff56234796da909dc7a172e9282fc) is indeed the Warzone RAT, based on the following strings:
Reuse the script in the article I analyzed here, extracting the C2 information that the WarZone RAT payload will connect to.
III. References
IV. Indicators Of Compromise (IOCs)
| PO-2200934-KINQTE.html | 7b51aaf3071c6f0dad3865e0fa9cc19d2be45a46dbe507b9254ca6d7ba01d850 |
| DbatLoader (PO-2200934-KINQTE.exe) | bdb74765f6e99f2af997bb1916e373390aafa21100f8638c4d4dc89553fbba35 |
| WarZone RAT (encrypted) | hxxps://onedrive[.]live[.]com/download?resid=FDB0512DE793B32E%21180&authkey=!AHbZUypgd3P08kc |
| WarZone RAT | 4c014a78f07a12a659b780d0da285a897a7ff56234796da909dc7a172e9282fc |
| WarZone RAT (C2) | halal[.]home-webserver[.]de:3109 |
End.
m4n0w4r
MITRE Technique and Procedure
- Spearphishing Attachment (T1566.001): The attack begins with a spearphishing email containing a malicious HTML attachment designed to deceive the user into opening it.
- User Execution (T1204): The user is tricked into executing the malicious script by opening the HTML file.
- Scripting (T1059): Utilizes scripts embedded within the HTML file to facilitate execution of the payload.
- Obfuscated Files or Information (T1027): The use of base64 encoding to obscure the contents of the executable within the HTML file.
- Masquerading (T1036): The script simulates downloading a harmless RAR file, misleading users and security tools.
- Application Layer Protocol (T1071): The DBatLoader communicates with a C2 server using encrypted traffic over commonly used protocols.
- Data Obfuscation (T1001): Encrypted payloads downloaded from cloud services like OneDrive enhance concealment.
- Not explicitly covered in the summary but can be an implicit step where the RAT might scan the environment for analysis tools or additional targets within the network.
- Data from Local System (T1005): Typically, RATs such as WarZone may gather sensitive information from the host system.
- Exfiltration Over Command and Control Channel (T1041): The stolen data can be exfiltrated to the attacker’s server through the C2 channel already established by the malware.
Views: 0