WarzoneRAT Returns With Multi-Stage Attack Post FBI Seizure – Cyble

Cyble CRIL observed a tax-themed spam campaign delivering multi-stage malware that ultimately deploys WarzoneRAT (aka Avemaria) via reflective .NET loading or DLL sideloading. The chain uses LNK → HTA → VBScript → PowerShell (or a legitimate EXE + malicious DLL) to achieve persistence, disable defenses, and contact C2. #WarzoneRAT #Avemaria

Keypoints

  • Campaign delivered via tax-themed spam attachments that contained either a disguised LNK shortcut (taxorganizer2023.png.lnk) or a ZIP with a legitimate EXE and malicious DLL (MY TAX ORGANIZER.zip).
  • LNK path: LNK downloads a ZIP (saved as taxorganizer2023.zip), extracts taxorganizer2023.hta, which deobfuscates and runs a PowerShell script that fetches Memory.vbs and then BTYSA.ps1 to deploy payloads.
  • PowerShell deploys a .NET injector and WarzoneRAT byte arrays, uses reflective assembly loading to inject the RAT into RegSvcs.exe and hides injection APIs via obfuscation.
  • Alternate path: legitimate EXE loads malicious g2m.dll via DLL sideloading; DLL is copied to %appdata% as VIVA_01.dll and a Run registry entry ensures persistence.
  • Post-compromise actions include AMSI patching, disabling/modifying Windows Defender and related services, creating startup persistence (startup folder and Run key), creating a new user, and C2 communication to l34d3r[.]duckdns[.]org:4047.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – used as initial delivery via tax-themed spam attachments (‘tax-themed, possibly propagated through spam emails’).
  • [T1036] Masquerading – attackers disguised LNK as an image and ZIP as PNG to trick users (‘shortcut file disguised as a PNG file named “taxorganizer2023.png.lnk”’).
  • [T1218.005] Mshta – HTA is executed to run embedded VBScript and proxy execution (‘runs the VBScript code embedded within it’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript deobfuscates and retrieves PowerShell (‘This VBScript code deobfuscates and retrieves a PowerShell script’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell downloads further scripts, deobfuscates payloads, and performs injection (‘the PowerShell script is employed to deploy the final payload and execute process injection’).
  • [T1105] Ingress Tool Transfer – files are retrieved from remote web servers (e.g., Memory.vbs, BTYSA.ps1) (‘downloads a VBScript file from a remote server’).
  • [T1047] Windows Management Instrumentation – scripts query processes to detect AV-related processes via WMI (‘Select * from Win32_Process’).
  • [T1564.001] Hidden Files and Directories – dropped files and scripts are hidden in %appdata% and named to evade detection (‘both files are in hidden mode’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – persistence via startup folder shortcuts and Run registry entry (‘creates two files … within the Windows startup folder’ and adds Run key for VIVA_01.dll).
  • [T1055] Process Injection – reflective .NET loader injects WarzoneRAT into RegSvcs.exe using Execute/Invoke methods (‘injects the main malware payload into the “RegSvcs.exe” process’).
  • [T1027] Obfuscated Files or Information – multiple scripts and embedded content are obfuscated and de-obfuscated at runtime (‘it uses obfuscated scripts to avoid detections’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – uses taskkill and modifies Defender settings to disable protections (‘taskkill to terminate processes’; the scripts also adjust Windows Defender exclusions/settings).
  • [T1071] Application Layer Protocol – malware communicates with C2 over application-layer protocols to l34d3r[.]duckdns[.]org:4047 (‘Malware exe communicate to C&C server’).

Indicators of Compromise

  • [URL] Download/drop sources – hxxp://1287123hjdfsdyu8923748394234234234[.]duckdns[.]org/hvrm/taxorganizer2023.png (ZIP download), hxxp://1287123hjdfsdyu8923748394234234234[.]duckdns[.]org/hvrm/Memory.vbs (VBScript).
  • [Domain:Port] C2 – l34d3r[.]duckdns[.]org:4047 (command-and-control server contact).
  • [File name] Malicious and dropped files – taxorganizer2023.png.lnk (initial shortcut), taxorganizer2023.hta (HTA), Memory.vbs (VBScript), BTYSA.ps1 (PowerShell payload), G2M.dll / VIVA_01.dll (RAT DLLs).
  • [File hashes] Sample payload hashes – WarzoneRAT (SHA256) dd94249831862f21373a8f17bed2e8bf… (and other hashes listed), BTYSA.ps1 (SHA256) b57ee4991cd5316fe47a382db879dc0ae784c2f974f395939987ae174c1a48a7.
  • [Archive] Malicious archive – MY TAX ORGANIZER.zip containing INVOICE_LA_PDF.LNK.exe, Tier1.pdof, g2m.dll (and associated hashes).

When focusing strictly on the technical procedure, the campaign presents two primary infection chains. The first chain begins with a user-executed LNK (taxorganizer2023.png.lnk) that downloads a file saved as taxorganizer2023.zip, extracts taxorganizer2023.hta, and launches it via mshta. The HTA contains obfuscated VBScript that deobfuscates and runs a PowerShell script; that PowerShell fetches Memory.vbs, which performs environment checks (AV process enumeration and username checks), creates a hidden %appdata%\WindowsServices folder, drops BTYSA.ps1 and a VROLX.cmd to execute it, and adds startup VBScript/shortcut artifacts for persistence.

BTYSA.ps1 deobfuscates two embedded byte arrays: one is a .NET injector and the other is the WarzoneRAT (Avemaria) payload. The script copies RegSvcs.exe to %temp% and uses reflective assembly loading to dynamically load the .NET injector in memory, then invokes its Execute/Invoke methods to inject the WarzoneRAT payload into the RegSvcs.exe process. During and after deployment the scripts perform AMSI bypass (patching AmsiScanBuffer), disable or modify Windows Defender settings and related services, add Defender exclusions, alter registry/UAC preferences, create a new user account, and stop/kill security processes to hinder detection.
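The first chain leaves a distinctive process lineage on the endpoint: mshta running an HTA from a temp directory, a script host spawned by mshta, PowerShell launched from the dropped script stage, and a copy of RegSvcs.exe executing from %temp% instead of the .NET framework directory. The following detection logic is an added example, not code from Cyble or from the campaign; it evaluates constructed Sysmon-style process-creation records (Image, ParentImage, CommandLine), the user name "victim" and the command lines are invented, and the Add-MpPreference/Set-MpPreference rule assumes a cmdlet form the page does not show.

```python
"""
Added detection example (not Cyble's code): evaluates constructed Sysmon-style
process-creation records for the lineage and path anomalies of the
LNK -> HTA -> VBScript -> PowerShell -> RegSvcs.exe chain described above.
Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str      # full path of the created process (Sysmon Image)
    parent: str     # full path of the parent process (Sysmon ParentImage)
    cmdline: str    # command line of the created process


# Directories a user (and therefore a script-delivered payload) can write to.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData\\Roaming)\\", re.IGNORECASE)
# Legitimate home of RegSvcs.exe; the loader copies it to %temp% before injecting.
DOTNET_DIR = re.compile(r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list:
    """Return the list of rule names the event triggers (empty for benign events)."""
    hits = []
    img, par = basename(ev.image), basename(ev.parent)
    # T1218.005: mshta launching an .hta that sits in a user-writable directory.
    if img == "mshta.exe" and re.search(r"\.hta\b", ev.cmdline, re.I) and USER_WRITABLE.search(ev.cmdline):
        hits.append("mshta_hta_from_user_dir")
    # T1059: a script host spawned directly by mshta.exe.
    if par == "mshta.exe" and img in SCRIPT_HOSTS:
        hits.append("script_host_child_of_mshta")
    # T1059.001: PowerShell started by the VBScript/cmd stage with a script in a user-writable directory.
    if img in ("powershell.exe", "pwsh.exe") and par in ("wscript.exe", "cscript.exe", "cmd.exe") \
            and USER_WRITABLE.search(ev.cmdline):
        hits.append("powershell_from_script_stage")
    # T1055: RegSvcs.exe executing from anywhere but its .NET framework directory.
    if img == "regsvcs.exe" and not DOTNET_DIR.match(ev.image):
        hits.append("regsvcs_outside_dotnet_dir")
    # T1562.001: Defender preference changes from PowerShell (cmdlet names are an
    # assumption; the page says exclusions are added but does not show the command).
    if img in ("powershell.exe", "pwsh.exe") and re.search(r"\b(Add|Set)-MpPreference\b", ev.cmdline, re.I):
        hits.append("defender_preference_change")
    return hits


def scan(events: list) -> list:
    """(index, rules) pairs for every event that triggered at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := evaluate(ev))]


# Constructed sample telemetry (user name 'victim' is invented): four chain events
# followed by two benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              r"mshta.exe C:\Users\victim\AppData\Local\Temp\taxorganizer2023.hta"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\mshta.exe",
              r"powershell.exe -w hidden -ep bypass -c <deobfuscated stage>"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe",
              r"powershell.exe -ep bypass -File C:\Users\victim\AppData\Roaming\WindowsServices\BTYSA.ps1"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\RegSvcs.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"RegSvcs.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\System32\msiexec.exe", r"RegSvcs.exe /i C:\Program Files\Vendor\svc.dll"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              r"powershell.exe"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Each rule keys on a relationship (parent/child, binary versus expected directory) rather than on file names such as BTYSA.ps1, so renamed scripts in a later wave still trigger it; the RegSvcs.exe path check in particular catches the copy-to-%temp% step regardless of what is injected into it.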

The second chain uses DLL sideloading: a ZIP (MY TAX ORGANIZER.zip) contains a legitimate EXE (INVOICE_LA_PDF.LNK.exe) and a malicious DLL (g2m.dll). Running the EXE loads g2m.dll into process memory (DLL sideloading); the malware then copies the DLL to %appdata% as VIVA_01.dll, creates a Run registry entry (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) pointing to rundll32.exe C:\Users\<username>\AppData\Roaming\VIVA_01.dll to maintain persistence, and establishes C2 communication to l34d3r[.]duckdns[.]org:4047. These techniques (masquerading, obfuscation, script-based loaders, reflective .NET injection, DLL sideloading, and defensive suppression) are the core technical behaviors observed.
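The Run-key entry of the second chain is easy to audit for: a logon autostart value that hands a DLL in a user-writable directory to rundll32.exe. The script below is an added example (not Cyble's code and not part of the campaign) that parses a constructed transcript laid out like `reg query HKCU\...\Run` output and flags such entries; the VIVA_01 value mirrors the page's description, the other two entries and the user name "victim" are invented for contrast.

```python
"""
Added audit example (not from the Cyble post): parses a constructed
`reg query` transcript of the HKCU Run key and flags the rundll32 +
user-writable DLL persistence pattern described above.
"""
import re

# Constructed sample in the layout of `reg query <key>` output. The VIVA_01 line
# follows the page's description of the persistence entry; the others are benign.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    VIVA_01     REG_SZ    rundll32.exe C:\Users\victim\AppData\Roaming\VIVA_01.dll
    Updater     REG_SZ    "C:\Program Files\Vendor\updater.exe" /silent
"""

# One value line: indented name, REG_* type, then the data.
ENTRY = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<value>.+?)\s*$")
# Signed system binaries that will execute a DLL handed to them on the command line.
DLL_HOSTS = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
# Directories the user can write to without elevation (AppData\Local is excluded on
# purpose: many legitimate per-user installers autostart from there).
USER_WRITABLE = re.compile(r"\\(AppData\\Roaming|Temp|Downloads|Public)\\", re.IGNORECASE)


def parse_run_entries(text: str) -> list:
    """Return (name, type, value) tuples for every value line in the transcript."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m["name"], m["type"], m["value"]))
    return entries


def assess_entry(value: str) -> list:
    """Reasons an autostart value deserves review (empty list when none apply)."""
    reasons = []
    if DLL_HOSTS.search(value) and re.search(r"\.dll\b", value, re.I):
        reasons.append("DLL executed through rundll32/regsvr32 at logon")
        if USER_WRITABLE.search(value):
            reasons.append("DLL lives in a user-writable directory")
    elif USER_WRITABLE.search(value):
        reasons.append("autostart target lives in a user-writable directory")
    return reasons


def audit(text: str) -> dict:
    """Map each suspicious value name to its list of reasons."""
    findings = {}
    for name, _, value in parse_run_entries(text):
        reasons = assess_entry(value)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_REG_QUERY).items():
        print(f"{name}: " + "; ".join(reasons))
```

On a live host the same logic applies to the HKLM Run and RunOnce keys and to the startup-folder shortcuts the first chain drops; the two-tier scoring (DLL host plus user-writable path) keeps ordinary per-user applications from drowning out the entry that matters.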

Read more: https://cyble.com/blog/warzonerat-returns-with-multi-stage-attack-post-fbi-seizure/