FortiGuard Labs recently discovered an email pretending to come from the Hungarian government. It informs the user that their new credentials to a governmental portal are attached. The attachment, however, is a zipped executable that, upon execution, extracts the Warzone RAT to memory and runs it. A few days after our initial discovery, the Hungarian National Cyber Security Center issued a warning about this attack. This post provides a detailed analysis.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Provides remote access to the attacker
Severity level: High
The initial infection occurs via a phishing email (Figure 1) impersonating a Hungarian government portal. This portal is used to conduct official business online, such as submitting documents, ordering IDs, etc.
The email tells the victim that their credentials have changed and that new ones are attached. The complete translation is:
Subject: idp.gov.hu: Your new login data
Dear registered user,
We are starting the maintenance and update of the website. Your new login data is attached. Download and save this password because it will be needed after the maintenance of the portal.
The language suggests it was written by a native speaker; however, the email does not use the grammar and register expected of an official communication.
The attachment is a zip file that contains an executable posing as a PDF. As shown in Figure 2, the file carries an icon that mimics the Adobe PDF Reader icon. The filename contains ‘pdf’ immediately before the real extension, which is .exe. On a default Windows installation, where known file extensions are hidden, it therefore looks like an actual PDF file. The only warning the user gets is that File Explorer shows the file Type as ‘Application’, meaning it is an executable and not a document, and that is not obvious to the average user.
As we start to analyze ‘Uj bejelentkezEsi adatai·pdf.exe’, we quickly realize it is like a Matryoshka doll, except that instead of a smaller doll each time one is opened, we get a more heavily obfuscated .NET binary. This is what we look at in this section.
‘Uj bejelentkezEsi adatai·pdf.exe’ is a 32-bit .NET executable. Once decompiled in dnSpy (a well-known .NET decompiler), we find source code that is simple and, at the same time, confusing. The general structure of the code is shown in Figure 3. The original binary was probably called iANO before being renamed ‘Uj bejelentkezEsi adatai·pdf.exe’.
The code shows a confusing mixture of the BattleShipLiteLibrary, which seems to be an implementation of the tabletop game Battleship, and a calculator. Figure 4 shows that there is actual code that implements the calculator.
Sometimes it looks like a duck (here, a calculator) and acts like a duck, but it is still not a duck. In this case, the InitializeComponent() function, which seemingly sets up the user interface for the calculator, also calls the PerformLayout() function at the end. That function in turn calls the ResourceTemplateDefine() function (Figure 5).
The ResourceTemplateDefine() function loads the resource called ‘Web’. At first, it appears to interpret it as a Bitmap, but in the end it converts it to an Assembly. If we look at this resource in a hex editor (Figure 6), we see that it starts with a Bitmap header. A little further in, however, it also contains the MZ characters, the magic value of Portable Executable (PE) files. At the bottom, we even see the infamous ‘This program cannot be run in DOS mode’ string, another sign of a PE file.
This PE file is loaded from the resources. Figure 7 shows that its methods are resolved via reflection using GetMethod(), and one of them is invoked. Figure 8 shows in a debugger that the invoked method is ‘sk41Ua2AFu5PANMKit.abiJPmfBfTL6iLfmaW.Y5tFvU8EY()’.
The original name of the PE file in the ‘Web’ resource is KeyNormalize.dll. From the name of the invoked function, we can already expect that it is obfuscated. As it is another .NET executable, we can open it in dnSpy and Detect It Easy (Figure 9) and confirm that it is obfuscated using SmartAssembly.
De4Dot, a deobfuscator tool, is mildly successful against this binary's obfuscation. However, it cannot resolve the obfuscated strings. For that, we wrote a custom string resolver, but that is a story for another blog post.
After statically analyzing the KeyNormalize.dll, we see that it loads another binary from the resources and performs a function invocation, as seen previously (Figure 10).
We can recover the binary and the invoked function using a debugger again. Figure 11 shows the base64-encoded data in the variable ‘text6’, and after decoding it (Figure 12), we see that it is another PE file. This PE file, again a .NET executable, was originally called Metall.dll.
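The two resource shapes described above (a blob that starts with a bitmap header but carries a PE, and a base64 string that decodes to a PE) can be handled by one small carver. The following Python is an added example, not FortiGuard's tooling or code from the sample: it accepts an MZ candidate only when its e_lfanew pointer lands on the ‘PE\0\0’ signature rather than trusting the two ‘MZ’ bytes alone, strips the leading bitmap header, and decodes a base64 resource the same way. The resource contents are constructed stand-ins, and the names RESOURCE_WEB and TEXT6 are assumptions borrowed from the resource and variable names in the text.

```python
"""Carve the PE hidden in a .NET resource, behind a bitmap header or inside base64 (added example)."""
import base64
import struct
from typing import List, Optional

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def find_embedded_pe(blob: bytes) -> List[int]:
    """Return the offset of every plausible PE image inside blob.

    'MZ' alone is a weak signal (it occurs by chance in random data), so a
    candidate is accepted only if its e_lfanew field at +0x3C points, inside
    the blob, at the 'PE\\0\\0' NT-header signature.
    """
    hits = []
    pos = 0
    while (off := blob.find(b"MZ", pos)) != -1:
        pos = off + 1
        if off + 0x40 > len(blob):          # header too short to hold e_lfanew
            continue
        (e_lfanew,) = struct.unpack_from("<I", blob, off + 0x3C)
        nt = off + e_lfanew
        if blob[nt:nt + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def carve_pe(blob: bytes) -> Optional[bytes]:
    """Strip whatever precedes the first validated MZ header (here, the fake bitmap header)."""
    hits = find_embedded_pe(blob)
    return blob[hits[0]:] if hits else None


def decode_base64_payload(text: str) -> Optional[bytes]:
    """Decode a base64 string such as 'text6' and return the PE it holds, or None."""
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None
    return carve_pe(raw)


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image: MZ header, e_lfanew, DOS stub text, NT signature.
    It is not a runnable executable; it only carries the fields the carver checks."""
    e_lfanew = 0x80
    image = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    image += struct.pack("<I", e_lfanew)                       # bytes 0x3C..0x3F
    image += DOS_STUB_TEXT.ljust(e_lfanew - 0x40, b"\x00")     # DOS stub area up to 0x80
    image += b"PE\x00\x00" + struct.pack("<H", 0x14C)          # signature + IMAGE_FILE_MACHINE_I386
    return bytes(image)


# Constructed resources mirroring the two shapes seen in the sample:
# 'Web' = bitmap header followed by a PE; 'text6' = base64 of a PE.
BITMAP_HEADER = b"BM" + b"\x00" * 52     # 54-byte BITMAPFILEHEADER + BITMAPINFOHEADER placeholder
RESOURCE_WEB = BITMAP_HEADER + build_fake_pe()
TEXT6 = base64.b64encode(build_fake_pe()).decode("ascii")

if __name__ == "__main__":
    print("MZ offsets in 'Web':", find_embedded_pe(RESOURCE_WEB))
    print("carved 'Web' PE is", len(carve_pe(RESOURCE_WEB)), "bytes")
    print("decoded 'text6' PE is", len(decode_base64_payload(TEXT6)), "bytes")
```

On a real dump, run find_embedded_pe over the raw resource bytes extracted with dnSpy and write the slice returned by carve_pe to disk; the e_lfanew check is what keeps stray ‘MZ’ pairs in image data from producing false carves.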
In the debugger, we can also see that the ‘OwbdG5aNVQQYu6X20i.o9pVsMvoTr75y5TrkE.V4j9c6YCwC()’ function is invoked in this newly recovered PE file.
After starting to analyze this binary, my first reaction can be seen in Figure 13.
Needless to say, Metall.dll raises the level of obfuscation further by adding features such as control-flow flattening. Whenever we talk about obfuscators, we say their goal is to slow down reverse engineering, and that works to some extent. In this case, however, we could simply take a shortcut: let the binary run and load its final payload into memory by itself, then dump that payload to a file for further analysis.
The final payload loaded into memory by the Metall.dll is a version of the Warzone Remote Access Trojan (RAT). This is a well-known malware operating as a Malware-as-a-Service (MaaS). It is publicly available on the Internet, and anybody can access it through a subscription model. The current pricing is shown in Figure 14.
It offers the following functionality to its subscribers:
Warzone RAT is also often referred to as ‘Ave_Maria Stealer’ because the string shown in Figure 15 appears in the binary.
The embedded link to GitHub provides nothing useful. It is probably just another way to mislead the reverse engineers.
Warzone provides multiple ways to escalate privileges depending on the Windows version. One is implemented in the binary itself, and another is embedded in the binary as a resource called WM_DSP (Figure 16). The latter is loaded and executed at runtime if needed.
To evade antivirus software, Warzone tries to add itself to the exclusion list of Windows Defender, as shown in Figure 17.
To establish persistence, it also copies itself to the following path:
Warzone also uses encrypted communication with its C2 server. In the past, the password/key for the encryption was the string ‘warzone160\x00’. In this sample, it has been changed to the string ‘nevergonnagiveyouup’ (Figure 18). So, the victim is being rickrolled without even knowing it.
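The key change above is easy to check against captured traffic once the cipher is known. Public analyses of Warzone (Ave Maria) report the C2 channel as RC4 keyed with that string; this page names only the key, so RC4 is an assumption here taken from that reporting, not something the analysis states. The block below is an added example, not FortiGuard's or Warzone's code: it implements RC4 from scratch, encrypts a constructed beacon under the new key, and shows that only the new key yields readable plaintext, which is how one would confirm a key swap on a real capture.

```python
"""Check candidate Warzone C2 keys against a captured message (added example)."""
from typing import Iterable, Optional

# Keys named in the analysis: the historical one (with its trailing NUL) and the one in this sample.
OLD_KEY = b"warzone160\x00"
NEW_KEY = b"nevergonnagiveyouup"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is assumed from public reporting; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_plaintext(data: bytes) -> bool:
    """Cheap plausibility test: every byte is printable ASCII or whitespace."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def find_key(ciphertext: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose decryption looks like text, else None."""
    for key in candidates:
        if looks_like_plaintext(rc4(key, ciphertext)):
            return key
    return None


# Constructed beacon (not real Warzone traffic), encrypted under the key seen in this sample.
BEACON = b"hostname=WS-01|user=victim|os=Windows 10"
CAPTURED = rc4(NEW_KEY, BEACON)

if __name__ == "__main__":
    print("new key decrypts to:", rc4(NEW_KEY, CAPTURED))
    print("old key decrypts to:", rc4(OLD_KEY, CAPTURED))
    print("matching key:", find_key(CAPTURED, [OLD_KEY, NEW_KEY]))
```

The printable-text heuristic is deliberately loose; on real traffic, replace it with a check for the protocol's expected framing once that is known, since a wrong key produces bytes that look random and will almost never pass even this test.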
Dynamic analysis shows that the C2 server’s address is 184.108.40.206:5151. Looking up this IP and port in our internal systems yields the diagram in Figure 19, which shows that the campaign this attack belongs to started as early as June 20, 2022.
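Two of the behaviours described above, adding itself to the Windows Defender exclusion list and beaconing to the C2 endpoint, are observable in host telemetry. The following Python is an added example, not FortiGuard's or any product's detection logic: it runs three simple rules over constructed Sysmon-style events (event ID 1 process creation, 13 registry value set, 3 network connection). The flat ‘Field=value|Field=value’ line format, the file paths and the process name payload.exe are constructed for the example; Warzone's actual command line and persistence path are not given on this page, so the rules key on the exclusion mechanism itself (the Add-MpPreference cmdlet and the Defender Exclusions registry key) rather than on a specific path.

```python
"""Flag Defender-exclusion tampering and the reported C2 endpoint in host telemetry (added example)."""
import re
from typing import Dict, List

# Endpoint reported in the analysis.
C2_IP, C2_PORT = "184.108.40.206", "5151"

# Adding a Defender exclusion shows up either as a process whose command line calls
# Add-MpPreference with an exclusion switch, or as a write under the Defender Exclusions key.
EXCLUSION_CMD = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
EXCLUSION_KEY = re.compile(r"\\windows defender\\exclusions\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse a 'Field=value|Field=value' line (constructed flat format, not Sysmon's XML)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection names that fire for one event."""
    findings = []
    eid = event.get("EventID")
    if eid == "1" and EXCLUSION_CMD.search(event.get("CommandLine", "")):
        findings.append("defender-exclusion-cmd")
    if eid == "13" and EXCLUSION_KEY.search(event.get("TargetObject", "")):
        findings.append("defender-exclusion-registry")
    if eid == "3" and event.get("DestinationIp") == C2_IP and event.get("DestinationPort") == C2_PORT:
        findings.append("warzone-c2")
    return findings


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> findings for every line that triggers at least one detection."""
    results = {}
    for idx, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results[idx] = hits
    return results


# Constructed telemetry; paths and process names are illustrative, not observed artefacts.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "CommandLine=powershell -Command Add-MpPreference -ExclusionPath C:\\Users\\victim\\AppData\\Roaming",
    "EventID=13|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\victim\\AppData\\Roaming",
    "EventID=3|Image=C:\\Users\\victim\\AppData\\Roaming\\payload.exe|DestinationIp=184.108.40.206|DestinationPort=5151",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe report.txt",
    "EventID=3|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|DestinationIp=192.0.2.10|DestinationPort=443",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].split("|")[1], hits)
```

On a suspect host, the exclusions currently in effect can be listed with Get-MpPreference (the ExclusionPath, ExclusionProcess and ExclusionExtension properties); an unexpected entry under a user-writable directory is the artefact the two exclusion rules above are looking for.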
The attacker used a well-written fake government email as a lure to execute the attached malware. The lure is well thought out because it is relevant to everyone in Hungary who uses the online administration portal. This and the accuracy of the language used in the email may indicate that local actors are involved.
The Matryoshka doll of embedded .NET binaries, with increasingly complex obfuscation, supports a trend of attackers increasingly relying on modern obfuscation techniques. This will result in reverse engineers having to invest more time to deobfuscate and analyze malware.
Using the Warzone RAT as the final payload also supports cyber criminals' growing reliance on MaaS services. We see a similar trend in ransomware samples, with Ransomware-as-a-Service providers growing in popularity. We discuss this trend in the latest FortiGuard Labs Threat Landscape Report.
The Fortinet Antivirus engine already covers all discussed binaries using the following signatures:
MSIL/Kryptik.AGIJ!tr – Uj bejelentkezEsi adatai·pdf.exe
W32/PossibleThreat – KeyNormalize.dll
MSIL/Agent.UDJ!tr – Metall.dll
W32/Agent.TJS!tr – Warzone payload
W32/AntiAV.NIZ!tr – Privilege Escalation payload WM_DSP
The FortiGuard Web Filtering service rated the C2 server as ‘Malicious’ and blocks it accordingly.
FortiMail and FortiSandbox can detect and quarantine the malicious attachments in this campaign, and Fortinet’s CDR (Content Disarm and Reconstruction) service can disable them.
FortiEDR detects the malicious executable attachment and its WarZone RAT payload as malicious based on their behavior.
In addition to these protections, Fortinet can help train users to detect and understand phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE NSE training program—NSE 1 – Information Security Awareness—includes a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.
Uj bejelentkezEsi adatai·pdf.exe
A detailed Warzone RAT TTP collection can be found at https://attack.mitre.org/software/S0670/.