Warzone MaaS Remote Access Trojan

Summary

Warzone is a C++-based remote access trojan (RAT) offered through a number of dark web sites and hacking forums. First publicly advertised in 2018, it is sold as a comprehensive malware-as-a-service (MaaS) package, including licensing agreements and customer support, which allows non-technical users to perform sophisticated attacks.


Affected platforms

The following platforms are known to be affected:

Threat details

As with most MaaS tools, Warzone can be delivered in any manner its users choose. However, at the time of publication it has only been observed being delivered by the AVE_MARIA trojan. Once running, it creates a number of registry keys to maintain persistence and then attempts to connect to a user-specified command and control (C2) server, using Warzone's own dynamic DNS service, over TCP port 5000. By default, Warzone has the following capabilities:

  • Remote desktop creation (via VNC or RDPWrap)
  • Keylogging
  • Audio and video capture
  • Credential harvesting
  • File creation, execution, installation, and transfer
  • Reverse proxy creation

Remediation steps

To prevent and detect an infection, ensure that:

  • A robust programme of education and awareness training is delivered to users so that they do not open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up to date.
  • Regular anti-virus and security scans are performed across your organisation’s estate.
  • All day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts that were accessed from affected devices are reset from a clean computer.
  • Your organisation adopts a holistic, all-round approach to cyber security as advocated by the 10 Steps to Cyber Security.
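The log-monitoring step above can be made concrete for this threat. The following Python script is an added example written for this page, not tooling from the original advisory: it scans firewall logs for outbound TCP connections to port 5000, the default Warzone C2 port named in the threat details, ignores internal and allowlisted destinations, and reports repeated source/destination pairs as possible beaconing. The key=value log format, the sample log lines and the allowlisted internal host are all constructed assumptions.

```python
"""Hunt firewall logs for outbound TCP/5000 connections (the default Warzone
C2 port from the advisory).  Added example: the log format, sample lines and
allowlist below are constructed assumptions, not any vendor's real format."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Default Warzone command-and-control port, as stated in the threat details.
WARZONE_C2_PORT = 5000

# Hypothetical internal hosts that legitimately serve TCP/5000 (assumption).
ALLOWED_DESTINATIONS = {"10.0.5.20"}

# Address ranges treated as internal; anything else is an external destination.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample log in an assumed key=value format (documentation IPs).
SAMPLE_LOG = """\
2022-01-10T09:15:02Z fw01 action=allow src=10.0.0.15 dst=203.0.113.45 proto=tcp sport=51234 dport=5000
2022-01-10T09:15:32Z fw01 action=allow src=10.0.0.15 dst=203.0.113.45 proto=tcp sport=51240 dport=5000
2022-01-10T09:16:02Z fw01 action=allow src=10.0.0.15 dst=203.0.113.45 proto=tcp sport=51251 dport=5000
2022-01-10T09:16:10Z fw01 action=allow src=10.0.0.22 dst=10.0.5.20 proto=tcp sport=49100 dport=5000
2022-01-10T09:16:40Z fw01 action=allow src=10.0.0.22 dst=198.51.100.7 proto=tcp sport=49102 dport=443
2022-01-10T09:17:01Z fw01 action=allow src=10.0.0.31 dst=198.51.100.9 proto=udp sport=53000 dport=5000
2022-01-10T09:17:30Z fw01 action=deny src=10.0.0.40 dst=203.0.113.77 proto=tcp sport=50001 dport=5000
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=(?P<proto>\w+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Connection:
    ts: str
    action: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str) -> Optional[Connection]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Connection(m["ts"], m["action"], m["src"], m["dst"],
                      m["proto"].lower(), int(m["dport"]))


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal range above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or garbage are not judged here
    return not any(addr in net for net in INTERNAL_NETS)


def suspect_c2_connections(log_text: str, port: int = WARZONE_C2_PORT) -> list[Connection]:
    """Outbound TCP connections to `port` on external, non-allowlisted hosts.

    Denied connections are kept on purpose: a blocked beacon still points at
    an infected source host that needs investigating."""
    found: list[Connection] = []
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn is None or conn.proto != "tcp" or conn.dport != port:
            continue
        if conn.dst in ALLOWED_DESTINATIONS or not is_external(conn.dst):
            continue
        found.append(conn)
    return found


def beaconing_pairs(conns: list[Connection], min_hits: int = 3) -> dict[tuple[str, str], int]:
    """(src, dst) pairs seen at least `min_hits` times: a beaconing pattern."""
    counts = Counter((c.src, c.dst) for c in conns)
    return {pair: n for pair, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = suspect_c2_connections(SAMPLE_LOG)
    for c in hits:
        print(f"{c.ts} {c.src} -> {c.dst}:{c.dport}/{c.proto} ({c.action})")
    for (src, dst), n in beaconing_pairs(hits).items():
        print(f"beaconing: {src} -> {dst} x{n}")
```

Treat hits as leads rather than verdicts: the C2 port is user-configurable, and TCP/5000 is also used by legitimate software, so each flagged destination should be resolved and checked against the dynamic DNS names the operator actually contacted before the source host is isolated and its accounts reset.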


Indicators of compromise

Main indicators

Last edited: 10 January 2022 4:48 pm