Fortinet threat researchers demonstrate a technique to use a .NET obfuscator against itself to reveal strings from a Warzone RAT variant, focusing on decoding encoded strings stored in a resource. The post walks through implementing a custom decoder in Visual Studio by leveraging the malware’s own Strings.Get() logic to recover hidden strings, illustrating a practical deobfuscation workflow. #WarzoneRAT #SmartAssembly
Keypoints
- Phishing context: the analysis references a fake Hungarian government phishing email that drops the Warzone RAT.
- Malware obfuscation: KeyNormalize.dll was obfuscated with SmartAssembly, with partial decoding possible via De4dot but strings remained hidden.
- String decoding approach: the Strings.Get() method decodes strings from encoded resources, revealing usable strings at runtime.
- Resource-based encoding: strings are loaded from a resource (example: {d0d17239-57f1-4b72-b2aa-7b2e35d8851d}) and transformed into Strings.bytes before final decoding.
- Decoder implementation: the author builds a custom decoder in Visual Studio by copying the Strings class and wiring it into a simple main program.
- Conclusion and takeaway: using the obfuscator’s own code to deobfuscate strings can accelerate malware analysis and reduce reimplementation effort.
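The decoder workflow in the keypoints above (load the resource, let the obfuscator's own Strings class turn it into Strings.bytes, then call Strings.Get() per string ID) can be driven without copying the class into a new project at all: load the obfuscated assembly and invoke its decoder through reflection. The program below is an added example written for this summary; it is not Fortinet's code and not the article's Visual Studio project. It assumes the names the write-up gives (a type named Strings with a static Get(int) returning string inside KeyNormalize.dll); the probed ID range is a guess, since the real IDs are the integer arguments at each Strings.Get() call site in the decompiled code. Invoking Get() runs the sample's own static initialiser, which is exactly what performs the resource load and base64 step, so the tool must only be run inside an isolated analysis VM.

```csharp
// Added example (not Fortinet's code): call the obfuscated assembly's own
// string decoder via reflection instead of copying the Strings class.
// Assumptions: decoder is static Strings.Get(int) -> string in KeyNormalize.dll
// (names from the write-up); the index range below is a guess.
// Run only in an isolated analysis VM: Get() executes the sample's static
// constructor, which is where the resource is loaded and decoded.
using System;
using System.IO;
using System.Linq;
using System.Reflection;

class StringsDumper
{
    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "KeyNormalize.dll";
        Assembly asm = Assembly.LoadFrom(Path.GetFullPath(path));

        // Locate the decoder: a static Get(int) returning string on a type
        // named "Strings" (name taken from the article; adjust per sample).
        MethodInfo get = asm.GetTypes()
            .Where(t => t.Name == "Strings")
            .Select(t => t.GetMethod("Get",
                BindingFlags.Static | BindingFlags.Public | BindingFlags.NonPublic,
                null, new[] { typeof(int) }, null))
            .FirstOrDefault(m => m != null && m.ReturnType == typeof(string));

        if (get == null)
        {
            Console.Error.WriteLine("Strings.Get(int) not found; this obfuscator build may differ.");
            return;
        }

        // Probe a range of IDs (assumed range). Better: feed the exact integers
        // observed at each Strings.Get() call site in the decompiler.
        int hits = 0;
        for (int id = 0; id < 4096; id++)
        {
            string s;
            try { s = (string)get.Invoke(null, new object[] { id }); }
            catch (TargetInvocationException) { continue; } // invalid index
            if (string.IsNullOrEmpty(s) || !IsMostlyPrintable(s)) continue;
            Console.WriteLine($"{id,5}: {s}");
            hits++;
        }
        Console.Error.WriteLine($"{hits} candidate strings recovered.");
    }

    // Keep only results that look like text, to drop decoder garbage from
    // IDs that do not correspond to a real string.
    static bool IsMostlyPrintable(string s)
    {
        int printable = s.Count(c => !char.IsControl(c) || c == '\n' || c == '\r' || c == '\t');
        return printable * 10 >= s.Length * 9;
    }
}
```

Compile this as a console project that targets the same .NET framework as the sample, pass the DLL path as the first argument, and redirect stdout to a file; each recovered string is printed beside its ID so it can be matched back to the call sites in the decompiler output.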
MITRE Techniques
- [T1566.001] Phishing – The article references a fake Hungarian government phishing email that drops the Warzone RAT. – ‘fake Hungarian government phishing email that drops the Warzone RAT.’
- [T1140] Deobfuscate/Decode Files or Information – The piece shows decoding strings with the Strings.Get() approach to recover data hidden in the binary. – ‘The Strings.Get() function that accepts some kind of integer value.’
- [T1027] Obfuscated/Compressed Files or Information – The malware is obfuscated with SmartAssembly; De4dot could not decode all strings. – ‘The DLL was obfuscated with an obfuscation tool called SmartAssembly.’
- [T1132] Data Encoding – The decoding process involves base64 conversion and string encoding to produce the final string. – ‘base64 conversion and string encoding are performed, which results in the final string returned in the result variable.’
Indicators of Compromise
- [Filename] context – Uj bejelentkezEsi adatai·pdf.exe, KeyNormalize.dll, Metall.dll, and
- [SHA256] file hashes – 21d09c77de01cc95209727752e866221ad3b66d5233ab52cfe5249a3867ef8d8, 8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63, 66319bf905acac541df26fecc90843a9a60fdbc1a8a03e33f024088f586cb941, 27743b5b7966384cc8ef9cfef5c7a11c8b176123b84c50192926c08ab7e6d7d7
- [Network Address] C2 Server – 171[.]22[.]30[.]72:5151
- [Resource] Embedded resource identifier – {d0d17239-57f1-4b72-b2aa-7b2e35d8851d}, encoded_strings.resource