WarzoneRAT Resurfaces with Tax-Theme Lure

A resurgence of WarzoneRAT (Avemaria), a malware that has returned to the cybercrime scene following the FBI's crackdown on its operations as announced in February 2024. Cyble Research & Intelligence Labs (CRIL) reveals the attackers have been deploying this Remote Access Trojan (RAT) through tax-themed spam emails. The technical analysis by CRIL examines the malware's attack chain, initiating with a deceptive LNK file masquerading as a PNG image. This file sets off a series of downloads and executions of malicious scripts, designed to evade detection and manipulate system configurations, culminating in the deployment of the WarzoneRAT.

The infection process begins with an innocuous email attachment that initiates a multi-stage attack chain once executed. An LNK file, under the guise of an image, uses a PowerShell command to retrieve an HTA file, which then downloads and runs a VBScript. This script, in turn, fetches another PowerShell script that facilitates the injection of the WarzoneRAT payload into the system via the RegSvcs.exe process using reflective loading. The PowerShell and VBScript scripts execution involves terminating processes related to security monitoring, establishing persistence in the startup folder, disabling script-block logging through registry modifications, circumventing UAC, manipulating Windows Defender settings, and creating a new user account to solidify the malware's foothold within the system. Another attack vector utilizes a ZIP file containing an executable and a malicious DLL, employing DLL sideloading to insert the RAT stealthily. These calculated tactics ensure the deployment of the RAT to enable control over the compromised system and allow for data exfiltration.

Despite concerted efforts by law enforcement to neutralize the Warzone RAT infrastructure, the malware continues to pose a threat. Its continued presence on darknet forums and availability in cracked forms reflect the enduring resilience of cyber criminals. Although law enforcement actions have also disrupted major cybercrime operations like ALPHV, Hive, QakBot, LockBit, Ragnarlocker,, and others, cybercriminals demonstrate capabilities to persist in following these efforts circumventing law enforcement actions, adapting their tactics, and ensuring their malicious tools remain accessible.