This post explains how Fortinet researchers debugged a multi-stage .NET malware chain that delivers Warzone RAT by extracting each stage, running it on its own, and dumping the stage it loads for the next round of analysis. It covers building a wrapper program to run KeysNormalize.dll, reconstructing an embedded resource the DLL requires, and using dnSpy to extract Metall.dll for inspection. #WarzoneRAT #KeysNormalize #Metall.dll #BattleshipLiteLibrary #Phishing
Keypoints
- The Warzone RAT campaign used a chain of increasingly obfuscated .NET binaries: each stage loads the next one, decodes it, and transfers control to it, so the chain has to be followed one stage at a time.
- To make that tractable, the researchers turned each stage into a standalone executable that could be debugged on its own instead of single-stepping through the whole loader.
- Problem 1: KeysNormalize.dll has no entry point of its own, so running it independently required a wrapper program that references the DLL and calls the same function the original loader invokes.
- Problem 2: KeysNormalize.dll expects to find the resource BattleshipLiteLibrary.Properties.Resources.resources in the hosting assembly. The researchers extracted it from the original binary, added it to the wrapper project, and adjusted the project namespace and name so the resource name matched what the DLL requests.
- With both problems solved, the wrapper loaded KeysNormalize.dll into memory, the next stage (Metall.dll) was dumped from the process, and its entry function was identified so the same procedure could be repeated.
- Fortinet protections (antivirus, web filtering, email security, and EDR) are documented as detecting and mitigating the components of this campaign.
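The wrapper described in the key points above, as an added example that is not Fortinet's code. It assumes the obfuscated type and method names quoted in the analysis, assumes the stage resolves its resource through the entry assembly of the process (the post only says the wrapper had to carry it), and uses a key press as the sync point for attaching dnSpy. Everything it loads is live malware, so run it only in an isolated analysis VM.

```csharp
// Added example, not Fortinet's code: a minimal wrapper that runs one extracted
// .NET stage on its own, the way the post describes for KeysNormalize.dll.
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Reflection;

static class StageRunner
{
    // Names quoted in the analysis; change them when moving to the next stage.
    const string StagePath  = "KeysNormalize.dll";
    const string TypeName   = "sk41Ua2AFu5PANMKit.abiJPmfBfTL6iLfmaW";
    const string MethodName = "Y5tFvU8EY";
    // Manifest resource the stage expects to find in the hosting assembly.
    const string RequiredResource = "BattleshipLiteLibrary.Properties.Resources.resources";

    static int Main()
    {
        // Check 1 (assumed lookup path): fail early if the wrapper does not carry
        // the resource under exactly the name the stage asks for.
        string[] names = Assembly.GetEntryAssembly().GetManifestResourceNames();
        if (!names.Contains(RequiredResource))
        {
            Console.Error.WriteLine("missing manifest resource {0}; have: {1}",
                RequiredResource, string.Join(", ", names));
            return 2;
        }

        // Sync point: none of the stage's code has run yet, so attach dnSpy to
        // this PID, set breakpoints inside the DLL, then press a key.
        Console.WriteLine("PID {0}: attach debugger, then press a key to run {1}",
            Process.GetCurrentProcess().Id, StagePath);
        Console.ReadKey(intercept: true);

        // Load from bytes rather than from the path so the stage is a
        // memory-loaded assembly, as it is under the original loader.
        Assembly stage = Assembly.Load(File.ReadAllBytes(StagePath));

        Type type = stage.GetType(TypeName, throwOnError: true);
        MethodInfo method = type.GetMethod(MethodName,
            BindingFlags.Public | BindingFlags.NonPublic |
            BindingFlags.Static | BindingFlags.Instance);
        if (method == null)
        {
            Console.Error.WriteLine("{0} not found on {1}", MethodName, TypeName);
            return 3;
        }

        // Obfuscated entry points are usually static and parameterless; if this
        // one is not, create an instance and pass default-valued arguments.
        object target = method.IsStatic ? null : Activator.CreateInstance(type, nonPublic: true);
        object[] args = method.GetParameters()
            .Select(p => p.ParameterType.IsValueType ? Activator.CreateInstance(p.ParameterType) : null)
            .ToArray();

        Console.WriteLine("invoking {0}.{1} ...", TypeName, MethodName);
        method.Invoke(target, args);
        Console.WriteLine("stage returned; dump the next stage (Metall.dll) from memory now");
        return 0;
    }
}
```

To satisfy the resource check, add the extracted file to the wrapper's .csproj with its manifest name pinned, for example `<EmbeddedResource Include="Resources.resources" LogicalName="BattleshipLiteLibrary.Properties.Resources.resources" />`, rather than relying on the project's root namespace to produce the right name. Once the call returns (or a breakpoint after the decode routine is hit), the memory-loaded Metall.dll can be saved from dnSpy's Modules window and becomes the input to the next iteration of the same wrapper.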
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment. The phishing email carried a zip file that delivered the initial binary. Quoted: "The phishing email contained a zip file."
- [T1027] Obfuscated Files and Information. The later stages were obfuscated; KeysNormalize.dll was processed with SmartAssembly. Quoted: "It had been obfuscated with the obfuscation tool called SmartAssembly."
- [T1055.001] Dynamic-link Library Injection. KeysNormalize.dll is loaded from memory and run by invoking one of its functions. Quoted: "loads 2), a .NET Dynamic-Link Library (DLL) that was unpacked to memory. It is run by invoking one of its functions (sk41Ua2AFu5PANMKit.abiJPmfBfTL6iLfmaW.Y5tFvU8EY())". Note that the quoted behaviour is an assembly loaded into the loader's own process, not injected into another one, so the closer ATT&CK fit is T1620 (Reflective Code Loading).
- [T1056.001] Input Capture: Keylogging. This mapping is not supported by the quoted text: the key press is the researchers' debugging wrapper waiting for input before it loads the DLL, not malware capturing keystrokes. Quoted: "This code will wait indefinitely for a key press and then not do anything."
Indicators of Compromise
- [Filename]: initial payloads observed in the campaign: Uj bejelentkezEsi adatai·pdf.exe (Hungarian for "your new login details"; the character before "pdf" is a middle dot, not a period, so the real extension is .exe), KeysNormalize.dll, Metall.dll, and 1 more (Warzone sample)
- [SHA-256] β 21d09c77de01cc95209727752e866221ad3b66d5233ab52cfe5249a3867ef8d8, 8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63, and 2 more hashes
- [Network Address] β 171[.]22[.]30[.]72:5151 β C2 Server