FortiGuard Labs analyzed a phishing campaign that impersonates the Hungarian government to deliver the Warzone RAT through a disguised PDF-like executable. The campaign stacks multiple obfuscated .NET binaries in memory, uses MaaS-style malware, and employs evasive techniques such as Defender exclusions and UAC bypass to persist and control infected machines. #WarzoneRAT #Ave_Maria_Stealer #HungarianNationalCyberSecurityCenter #Fortinet
Keypoints
- The attack is initiated via a phishing email impersonating a Hungarian government portal, instructing recipients that new credentials are attached.
- The attachment is a zip containing an executable that masquerades as a PDF but drops Warzone RAT into memory.
- The sample employs a “Matryoshka Doll of Obfuscation,” chaining increasingly obfuscated .NET binaries (including KeyNormalize.dll and Metall.dll) loaded from resources.
- SmartAssembly is used to obfuscate binaries, with additional layering and dynamic loading of embedded assemblies.
- The final Warzone RAT payload provides extensive capabilities under a MaaS model, including remote control, keylogging, and privilege escalation.
- Warzone uses encryption for C2 communication, a hard-coded/pivoting key, and evasive techniques such as antivirus exclusion and persistence paths to sustain access.
MITRE Techniques
- [T1566.001] Phishing – The initial infection occurs via a phishing email impersonating a Hungarian government portal. “The initial infection occurs via a phishing email (Figure 1) impersonating a Hungarian government portal.”
- [T1027] Obfuscated/Compressed Files and Information – The malware uses layered obfuscation with multiple .NET binaries and SmartAssembly. “The Matryoshka doll of obfuscation … obfuscated .NET binaries.” “SmartAssembly obfuscator is used.”
- [T1055.012] Dynamic Code Loading – The ResourceTemplateDefine() loads a resource called ‘Web’, converts it to an Assembly, and invokes a function. “The ResourceTemplateDefine() function loads the resource called ‘Web’… converts it to an Assembly … loading and invoking one of its functions.”
- [T1548.001] Bypass User Account Control – Privilege escalation via UAC bypass is described as part of Warzone’s capabilities. “Privilege Escalation – UAC Bypass.”
- [T1562.001] Impair Defenses – To evade antivirus, Warzone adds itself to Windows Defender exclusion lists. “To evade antivirus software, Warzone tries to add itself to the exclusion list of Windows Defender.”
- [T1547.001] Boot or Logon Autostart Execution – Persistence is established by copying itself to a path (Adobe5151.exe). “To establish persistence, it also copies itself to the following path: C:\Users\Admin\Documents\Adobe5151.exe.”
- [T1583] Acquire Capabilities – Warzone RAT is described as Malware-as-a-Service (MaaS). “The final payload loaded into memory … Warzone Remote Access Trojan (RAT) … MaaS.”
- [T1573.001] Encrypted Channel – The malware uses encrypted communication with its C2 server; the encryption key changes (e.g., ‘nevergonnagiveyouup’). “encrypted communication with its C2 server… the password/key for the encryption was the string ‘warzone160x00’… changed to the string ‘nevergonnagiveyouup’.”
Indicators of Compromise
- [Filename] Uj bejelentkezEsi adatai·pdf.exe, KeyNormalize.dll, Metall.dll
- [SHA256 Hash] 21d09c77de01cc95209727752e866221ad3b66d5233ab52cfe5249a3867ef8d8, 8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63, 66319bf905acac541df26fecc90843a9a60fdbc1a8a03e33f024088f586cb941, 27743b5b7966384cc8ef9cfef5c7a11c8b176123b84c50192926c08ab7e6d7d7
- [Network address] 171.22.30.72:5151 (C2 Server)
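The behaviours listed under MITRE Techniques and the indicators above can be turned into simple host-telemetry checks. The following is an added example, not code from FortiGuard Labs or the original post: it classifies constructed Sysmon-style events (IDs 3, 11 and 13 are real Sysmon event types; the event records themselves are made up for this demonstration) against the Defender-exclusion, persistence-copy, C2 and PDF-disguise behaviours described in the write-up.

```python
import re

# Indicators taken from the write-up: C2 endpoint and persistence file name.
C2_ADDRESSES = {"171.22.30.72:5151"}
PERSISTENCE_NAME = "adobe5151.exe"
# Registry path written when a folder is added to the Defender exclusion list.
DEFENDER_EXCLUSION_KEY = re.compile(r"\\windows defender\\exclusions\\", re.I)
# Lure names such as "adatai·pdf.exe": a document extension followed by .exe,
# separated by either a real dot or a look-alike middle dot.
DOUBLE_EXTENSION = re.compile(r"[.\u00b7](pdf|doc|docx|xls|xlsx)\.exe$", re.I)

# Constructed sample events (not real telemetry). id 13 = registry value set,
# id 11 = file create, id 3 = network connection, following Sysmon numbering.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\Admin\Downloads\Uj bejelentkezEsi adatai·pdf.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents"},
    {"id": 11, "image": r"C:\Users\Admin\Downloads\Uj bejelentkezEsi adatai·pdf.exe",
     "target": r"C:\Users\Admin\Documents\Adobe5151.exe"},
    {"id": 3, "image": r"C:\Users\Admin\Documents\Adobe5151.exe",
     "target": "171.22.30.72:5151"},
    {"id": 11, "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "target": r"C:\Users\Admin\Documents\report.pdf"},
]


def classify(event):
    """Return the labels of every write-up behaviour this single event evidences."""
    hits = []
    image, target = event["image"], event["target"]
    if event["id"] == 13 and DEFENDER_EXCLUSION_KEY.search(target):
        hits.append("defender-exclusion")   # T1562.001 in the list above
    if event["id"] == 11 and target.lower().endswith(PERSISTENCE_NAME):
        hits.append("persistence-copy")     # T1547.001 in the list above
    if event["id"] == 3 and target in C2_ADDRESSES:
        hits.append("c2-connect")           # T1573.001 in the list above
    if DOUBLE_EXTENSION.search(image):
        hits.append("double-extension")     # executable disguised as a PDF
    return hits


def triage(events):
    """Keep only events with at least one hit, as (event id, target, labels)."""
    return [(e["id"], e["target"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for event_id, target, labels in triage(SAMPLE_EVENTS):
        print(event_id, labels, target)
```

The benign Acrobat event in the sample produces no hit, which is the check that the rules do not simply flag every write into a user's Documents folder.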
Read more: https://www.fortinet.com/blog/threat-research/fake-hungarian-government-email-drops-warzone-rat