Threat Research

Fake Hungarian Government Email Drops Warzone RAT

By Gergely Revay | October 26, 2022

FortiGuard Labs recently discovered an email pretending to come from the Hungarian government. It informs the user that their new credentials to a governmental portal are attached. The attachment, however, is a zipped executable that, upon execution, extracts the Warzone RAT to memory and runs it. A few days after our initial discovery, the Hungarian National Cyber Security Center issued a warning about this attack. This post provides a detailed analysis.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Provides remote access to the attacker
Severity level: High

Infection Vector

The initial infection occurs via a phishing email (Figure 1) impersonating a Hungarian government portal. This portal is used to conduct official business online, such as submitting documents, ordering IDs, etc. 

Figure 1 - Malicious email containing Warzone RAT malware as an attachment

The email tells the victim that their credentials have changed and that new ones are attached. The complete translation is:


Subject: idp.gov.hu: Your new login data

Dear registered user,

We are starting the maintenance and update of the website. Your new login data is attached. Download and save this password because it will be needed after the maintenance of the portal.

Best regards,


The language suggests it was written by a native speaker; however, the email did not use the grammar expected of an official communication.

The attachment is a zip file that contains an executable pretending to be a PDF. As shown in Figure 2, the file uses an icon that mimics the Adobe PDF Reader icon. The filename is crafted to end in ‘pdf’, but its real extension is .exe. On a default Windows installation, where known file extensions are hidden, it would look like an actual PDF file. The only warning the user would get is that File Explorer shows the file Type as ‘Application’, which means it is an executable and not a document. This might not be obvious to the average user.

Figure 2 - Executable pretending to be a PDF

The Matryoshka Doll of Obfuscation

As we start to analyze ‘Uj bejelentkezEsi adatai·pdf.exe’, we quickly realize it is like a Matryoshka doll, except that instead of a smaller doll every time one is opened, we get more and more obfuscated .NET binaries. This is what we will look at in this section.

‘Uj bejelentkezEsi adatai·pdf.exe’ is a 32-bit .NET executable. Once decompiled in dnSpy (a well-known .NET decompiler), we find simple—and, at the same time, confusing—source code. The general structure of the code is shown in Figure 3. The original binary was probably called iANO before being renamed ‘Uj bejelentkezEsi adatai·pdf.exe’.

Figure 3 - Program structure of ‘Uj bejelentkezEsi adatai·pdf.exe’

The code shows a confusing mixture of the BattleShipLiteLibrary, which seems to be an implementation of the tabletop game Battleship, and a calculator. Figure 4 shows that there is actual code that implements the calculator.

Figure 4 - Implementation of the calculator

Sometimes it looks like a duck calc and acts like a duck calc, but it is still not a duck calc. In this case, the InitializeComponent() function that seemingly sets up the user interface for the calculator also calls the PerformLayout() function at the end. That function then continues to call the ResourceTemplateDefine() function (Figure 5).

Figure 5 - Loading code from the resources

The ResourceTemplateDefine() function loads the resource called ‘Web’. At first, it seems to interpret it as a Bitmap, but in the end, it converts it to an Assembly. If we look at this resource in a hex editor (Figure 6), we see that it has a Bitmap header. But when we look a little further, it also includes the MZ characters, which are the magic value of Portable Executable (PE) files. At the bottom, we even see the infamous ‘This program cannot be run in DOS mode’ string, another sign of a PE file.

Figure 6 - Inspecting the 'Web' resource reveals that it hides a PE file

This PE file is loaded from the resources. Figure 7 shows that its methods are looked up using GetMethod(), and one of them is invoked. Figure 8 shows in a debugger that the invoked method is ‘sk41Ua2AFu5PANMKit.abiJPmfBfTL6iLfmaW.Y5tFvU8EY()’.

Figure 7 - A specific method is loaded and invoked from the PE file
Figure 8 - Debugger showing the name of the method being invoked

KeyNormalize.dll

The original name of the PE file in the ‘Web’ resource is KeyNormalize.dll. From the name of the invoked function, we can already expect that it is obfuscated. As it is another .NET executable, we can open it in dnSpy and Detect It Easy (Figure 9) and confirm that it is obfuscated using SmartAssembly.

Figure 9 - SmartAssembly obfuscator is used

De4Dot, a deobfuscator tool, is mildly successful against the obfuscation of the binary. However, it is not able to resolve the obfuscated strings. For that, we wrote a custom program that can resolve the strings, but that is a story for another blog post.

After statically analyzing the KeyNormalize.dll, we see that it loads another binary from the resources and performs a function invocation, as seen previously (Figure 10).

Figure 10 - Loading an Assembly from the resources and invoking one of its functions

We can recover the binary and the function that is invoked using a debugger again. Figure 11 shows the base64-encoded data in the variable ‘text6’, and after decoding it (Figure 12), we see that it is another PE file. This PE file, which is again a .NET executable, was originally called Metall.dll.

Figure 11 - Base64 encoded data in the variable ‘text6’
Figure 12 - The data in ‘text6’ is another PE file

In the debugger, we can also see that the ‘OwbdG5aNVQQYu6X20i.o9pVsMvoTr75y5TrkE.V4j9c6YCwC()’ function is invoked in this newly recovered PE file.
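Both hidden payloads so far were found the same way: a blob that passes a naive type check (a Bitmap header, a base64 string) with an MZ/PE image inside it. The following added example, not code from the post or from the malware, carves such images the way an analyst would: it scans every ‘MZ’, validates that e_lfanew lands on a ‘PE\0\0’ signature, and reports the machine type and whether the DOS-stub string is present. The ‘Web’ resource, the ‘text6’ string and the PE image are constructed stand-ins, not the real samples.

```python
import base64
import struct

PE_SIG = b"PE\x00\x00"
DOS_STUB_MSG = b"This program cannot be run in DOS mode."

def constructed_pe() -> bytes:
    """Constructed minimal PE image: DOS header, stub message, PE signature, x86 machine id."""
    hdr = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80))  # e_lfanew lives at 0x3C
    hdr += DOS_STUB_MSG
    hdr += b"\x00" * (0x80 - len(hdr))
    return bytes(hdr) + PE_SIG + struct.pack("<H", 0x14C)  # IMAGE_FILE_MACHINE_I386

def constructed_web_resource() -> bytes:
    """Constructed stand-in for the 'Web' resource: a 14-byte BMP file header, then a PE."""
    pe = constructed_pe()
    return b"BM" + struct.pack("<IHHI", 14 + len(pe), 0, 0, 14) + pe

def constructed_text6() -> str:
    """Constructed stand-in for the base64 'text6' variable: a PE, base64 encoded."""
    return base64.b64encode(constructed_pe()).decode()

def looks_like_bitmap(blob: bytes) -> bool:
    """True when the blob starts with the BMP magic, i.e. a naive type check would accept it."""
    return blob[:2] == b"BM"

def find_embedded_pe(blob: bytes) -> list:
    """List (offset, machine, has_dos_stub) for every 'MZ' whose e_lfanew lands on PE_SIG.
    Every 'MZ' is tested, not just offset 0, so a PE hidden behind a bitmap header is found."""
    hits, start = [], 0
    while (off := blob.find(b"MZ", start)) != -1:
        start = off + 2
        if off + 0x40 > len(blob):  # not even room for a full DOS header
            break
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        pe_off = off + e_lfanew
        if 0x40 <= e_lfanew <= 0x400 and pe_off + 6 <= len(blob) and blob[pe_off:pe_off + 4] == PE_SIG:
            machine = struct.unpack_from("<H", blob, pe_off + 4)[0]
            hits.append((off, machine, DOS_STUB_MSG[:20] in blob[off:pe_off]))
    return hits

def carve_from_base64(text: str) -> bytes:
    """Decode base64 text and return the first embedded PE image (empty bytes if none)."""
    raw = base64.b64decode(text)
    hits = find_embedded_pe(raw)
    return raw[hits[0][0]:] if hits else b""
```

Run find_embedded_pe() over a dumped resource or decoded string; a hit whose offset is not 0 is the ‘wrapper in front of a PE’ pattern this sample uses.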

Metall.dll

After starting to analyze this binary, my first reaction can be seen in Figure 13.

Figure 13 - Metall.dll adds another layer of obfuscation to the game

Needless to say, Metall.dll increased the level of obfuscation by adding features such as control-flow flattening to the binary. Whenever we talk about obfuscators, we say their goal is to slow down reverse engineering. This works to some extent. However, in this case, we could simply take a shortcut and let the binary run and load its final payload to memory by itself. From there, we could dump it into a file to analyze it further.

Warzone RAT

The final payload loaded into memory by the Metall.dll is a version of the Warzone Remote Access Trojan (RAT). This is a well-known malware operating as a Malware-as-a-Service (MaaS). It is publicly available on the Internet, and anybody can access it through a subscription model. The current pricing is shown in Figure 14.

Figure 14 - Current pricing of Warzone RAT

It offers the following functionality to its subscribers:

  • Native, independent stub
  • Cookies Recovery
  • Remote Desktop
  • Hidden Remote Desktop - HRDP
  • Privilege Escalation - UAC Bypass
  • Remote WebCam
  • Password Recovery
  • File Manager
  • Download & Execute
  • Live Keylogger
  • Offline Keylogger
  • Remote Shell
  • Process Manager
  • Reverse Proxy
  • Automatic Tasks
  • Mass Execute
  • Smart Updater
  • HRDP WAN Direct Connection
  • Persistence
  • Windows Defender Bypass

Warzone RAT is also often referred to as ‘Ave_Maria Stealer’ because the string shown in Figure 15 appears in the binary.

Figure 15 - The Ave_Maria Stealer name comes from this misleading string in the binary

The embedded link to GitHub provides nothing useful. It is probably just another way to mislead the reverse engineers.

Warzone provides multiple ways to escalate privileges depending on the Windows version. One is implemented in the same binary, and another is added to the binary as a resource called WM_DSP (Figure 16). This will be loaded and executed at runtime if needed.

Figure 16 - One privilege escalation exploit can be found as a resource

To evade antivirus software, Warzone tries to add itself to the exclusion list of Windows Defender, as shown in Figure 17.

Figure 17 - Warzone adds itself to the antivirus exclusion list

To establish persistence, it also copies itself to the following path:

C:\Users\Admin\Documents\Adobe5151.exe

Warzone also uses encrypted communication with its C2 server. In the past, the password/key for the encryption was the string warzone160\x00. In this sample, it has been changed to the string ‘nevergonnagiveyouup’ (Figure 18). So, the victim is being rickrolled without even knowing it.

Figure 18 - Using a new password for the encryption
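The post only says the C2 channel is encrypted with this key; Warzone’s C2 protocol is publicly documented as RC4, which the following added example (not the post’s or the malware’s code) assumes. It tries both keys named above against a captured message, the way an analyst would check which build a sample belongs to; the capture itself is constructed.

```python
# Keys quoted in the post: the legacy Warzone key and the one used by this sample.
KEYS = {
    "legacy": b"warzone160\x00",
    "this_sample": b"nevergonnagiveyouup",
}

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Assumption: Warzone's C2 traffic is RC4 with the key above."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def recover_plaintext(ciphertext: bytes) -> tuple:
    """Try each known key; return (label, plaintext) for the first that yields printable ASCII,
    or (None, b'') when no key fits. Printability is the heuristic a first triage would use."""
    for label, key in KEYS.items():
        pt = rc4(key, ciphertext)
        if pt and all(0x20 <= b < 0x7F for b in pt):
            return label, pt
    return None, b""

def constructed_capture() -> bytes:
    """Constructed stand-in for a captured C2 message, encrypted with this sample's key."""
    return rc4(KEYS["this_sample"], b"CONSTRUCTED C2 BEACON: host=WIN-LAB user=Admin")
```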

Dynamic analysis shows that the C2 server’s address is 171.22.30.72:5151. Looking up this IP and port number in our internal systems shows the diagram in Figure 19. What we can see from this chart is that the campaign where this particular attack was involved started as early as June 20, 2022.

Figure 19 - Intelligence on visits to the address 171.22.30.72:5151

Conclusions

The attacker used a well-written fake government email as a lure to execute the attached malware. The lure is well thought out because it is relevant to everyone in Hungary who uses the online administration portal. This and the accuracy of the language used in the email may indicate that local actors are involved.

The Matryoshka doll of embedded .NET binaries, with increasingly complex obfuscation, supports a trend of attackers increasingly relying on modern obfuscation techniques. This will result in reverse engineers having to invest more time to deobfuscate and analyze malware.

Using the Warzone RAT as the final payload also supports cyber criminals' growing reliance on MaaS services. We see a similar trend in ransomware samples, with Ransomware-as-a-Service providers growing in popularity. We discuss this trend in the latest FortiGuard Labs Threat Landscape Report.

Fortinet Protections

The Fortinet Antivirus engine already covers all discussed binaries using the following signatures:

MSIL/Kryptik.AGIJ!tr – Uj bejelentkezEsi adatai·pdf.exe
W32/PossibleThreat – KeyNormalize.dll
MSIL/Agent.UDJ!tr – Metall.dll
W32/Agent.TJS!tr – Warzone payload
W32/AntiAV.NIZ!tr – Privilege Escalation payload WM_DSP

The FortiGuard Web Filtering service rated the C2 server as ‘Malicious’ and blocks it accordingly.

FortiMail and FortiSandbox can detect and quarantine the malicious attachments in this campaign, and Fortinet’s CDR (Content Disarm and Reconstruction) service can disable them.

FortiEDR detects the malicious executable attachment and its WarZone RAT payload as malicious based on their behavior.

In addition to these protections, Fortinet can help train users to detect and understand phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE training program—NSE 1 – Information Security Awareness—includes a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.

IOCs

Filename – sha256 hash

Uj bejelentkezEsi adatai·pdf.exe – 21d09c77de01cc95209727752e866221ad3b66d5233ab52cfe5249a3867ef8d8
KeyNormalize.dll – 8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63
Metall.dll – 66319bf905acac541df26fecc90843a9a60fdbc1a8a03e33f024088f586cb941
<Warzone sample> – 27743b5b7966384cc8ef9cfef5c7a11c8b176123b84c50192926c08ab7e6d7d7

Network address – Type

171[.]22[.]30[.]72:5151 – C2 Server

ATT&CK Framework TTPs

A detailed Warzone RAT TTP collection can be found at https://attack.mitre.org/software/S0670/.
