# WARZONE RAT – Beware Of The Trojan Malware Stealing Data Triggering From Various Office Documents **blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-** documents/ July 1, 2021 Warzone RAT is part of an APT campaign named “Confucius.” Confucius APT is known to target government sectors of China and few other South Asian countries. This APT campaign was quite active around January 2021. Warzone RAT first emerged in 2018 as malware-as-a-service (MaaS) and is known for its aggressive use of “.docx” files as its initial infection vector. The initial payload is known as “Ave Maria Stealer,” which can steal credentials and log keystrokes on the victim’s machine. The advanced version of this malware is currently sold in the underground market for $22.95 per month and $49.95 for three months. The Warzone creators have an official website where it’s up for sale. ----- _Figure 1: Warzone website showing selling price_ These are the various features of the RAT mentioned on the website: Remote Desktop & Webcam Privilege Escalation – UAC Bypass Password Recovery Download & Execute. Live Keylogger Remote Shell Persistence Windows Defender Bypass We came across a cracked version of Warzone RAT on GitHub. Here is the screenshot of that repository: _Figure 2: A cracked version of warzone on GitHub_ Based on our research, we confirmed that the threat actor is trying to circumvent attacks with a decoy and manipulate users, delivering the next stage payload via template injection technique. In this blog, we are going to talk about “.docx” used as an initial attack vector and how it’s delivering its final payload -Warzone RAT. ## Technical Analysis: ----- _Figure 3: Attack Chain_ The various phases of the attack are: The victim opens the word document. This document further downloads an RTF exploit (CVE-2017-11882). Exploit in RTF is triggered and muka.dll is dropped and executed. Muka.dll downloads Warzone RAT. **Phase 1:** Here the infection chain starts with a “.docx” file. We can see below the decoy document (Hash: 59ccfff73bdb8567e7673a57b73f86fc082b0e4eeaa3faf7e92875c35bf4f62c). This decoy document was crafted by attackers to induce the victims. ----- _Figure 4: Screenshot from the “Suparco Vacancy Notification.docx”_ ----- While executing, it uses the template injection technique to download the next stage RTF exploit. This exploit delivers a dll embedded final payload that connects to the domain to connect to the CNC to download payload Warzone Rat. We can see from the below image. _Figure 5: Using Template Injection Technique_ The RTF exploit is downloaded through “\word\_rels\settings.xml.rels” file present in document structure using template injection technique as shown below. _Figure 6: settings.xml.rels containing a link to the template_ **Phase 2:** The downloaded RTF file (Hash: _686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424) contains code_ that exploits an old vulnerability “CVE-2017-11882”. The flaw resides within equation editor (EQNEDT32.exe), a component in Microsoft office that inserts or edits object linking and embedding (OLE) Objects. We found that muka.dll is embedded in an OLE object. ----- _Figure 7: muka.dll embedded in an ole object_ **Phase 3:** The embedded muka.dll file (Hash: _1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126) contains export_ function zenu and this dll is used to provide functionalities to other programs. Here is an image showing this: _Figure 8: Export directory containing export function zenu_ **Phase 4:** Upon successful exploitation, the dll connects to a malicious domain (wordupdate.com) which is active nowadays also and downloads the final warzone payload. _Figure 9: Requesting access to the malicious domain_ The Warzone payload is saved as update.exe (Hash: _7dd1dba508f4b74d50a22f41f0efe3ff4bc30339e9eef45d390d32de2aa2ca2b)._ **Conclusion:** ----- Warzone RAT exploits a pretty old but popular vulnerability, CVE-2017-11882, in Microsoft s equation editor component. This RAT works as an Info stealer malware. Attackers typically spread such malware through document files as email attachments. We recommend our customers not to access suspicious emails/attachments and keep their AV software up-todate to protect their systems from such complex malware. We detect the initial infection vector as well as the final Warzone RAT as XML.Downloader.39387 and Trojan.GenericRI.S16988580 respectively. **IOCs:** DOCX:59ccfff73bdb8567e7673a57b73f86fc082b0e4eeaa3faf7e92875c35bf4f62c RTF:686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424 DLL:1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126 EXE:7dd1dba508f4b74d50a22f41f0efe3ff4bc30339e9eef45d390d32de2aa2ca2b **Domains:** _recent.wordupdate.com_ _wordupdate.com_ **Ayush Puri** [Follow @](https://twitter.com/) -----