Researchers have recently spotted a new attack campaign distributing the Warzone RAT through phishing emails. Reports indicate that the campaign targeted Hungarian users, with the attackers notifying recipients of purported changes to the credentials of their government portal accounts.
Attached to the phishing email is a ZIP archive containing what is presented as a PDF file that, according to the attackers, holds the new details of the recipient's government portal account. Once the malicious file is launched, it loads the Warzone RAT payload directly into memory on the victim's computer and executes it.
According to the researchers, the campaign's primary goal is to give the attackers remote access to victims' Microsoft Windows machines. The operators also rely on DLL components and obfuscation techniques that hinder reverse engineering, making their activity harder to analyse and detect.
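The lure described above, a ZIP carrying a "PDF" that is really a Windows executable alongside DLL components, is something a mail gateway can catch before the file is ever opened. The following added example (not code from the original article or from any vendor) inspects every member of an attachment ZIP and flags files whose content does not match the extension they claim. The member names, the PE stub bytes and the sample archives are constructed for illustration; the checks rely only on magic bytes (`%PDF-` for PDF, `MZ` for a PE image), not on any signature for Warzone itself.

```python
import io
import zipfile

# Magic bytes for the two formats that matter here. A genuine PDF starts
# with "%PDF-"; a Windows PE image (EXE or DLL) starts with "MZ".
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".pif", ".com")


def classify_member(name: str, data: bytes) -> str:
    """Classify one archive member by comparing its claimed type with its content.

    Returns 'clean' (PDF that really is a PDF), 'disguised-pe' (claims to be a
    PDF but carries a PE header), 'executable' (declared or detected PE/DLL),
    or 'unknown' for anything else.
    """
    lower = name.lower()
    is_pe = data.startswith(PE_MAGIC)
    if lower.endswith(".pdf"):
        if data.startswith(PDF_MAGIC):
            return "clean"
        if is_pe:
            return "disguised-pe"
        return "unknown"
    if lower.endswith(EXECUTABLE_SUFFIXES) or is_pe:
        return "executable"
    return "unknown"


def triage_zip(zip_bytes: bytes) -> dict:
    """Walk every member of an attachment ZIP (given as bytes) and map
    member name -> verdict. Nested ZIPs are opened recursively so a
    ZIP-in-ZIP wrapper cannot hide the payload."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if info.filename.lower().endswith(".zip"):
                for inner, verdict in triage_zip(data).items():
                    verdicts[f"{info.filename}/{inner}"] = verdict
                continue
            verdicts[info.filename] = classify_member(info.filename, data)
    return verdicts


def is_suspicious(verdicts: dict) -> bool:
    """True if any member is a disguised or declared executable."""
    return any(v in ("disguised-pe", "executable") for v in verdicts.values())


def build_sample_attachment() -> bytes:
    """Constructed sample mimicking the lure: a fake 'PDF' that is really a
    PE stub, plus a DLL. These are inert placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("portal_account_changes.pdf", PE_MAGIC + b"\x90\x00" * 16)
        zf.writestr("helper.dll", PE_MAGIC + b"\x00" * 32)
        zf.writestr("readme.txt", b"see attached document")
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed benign archive containing a real (minimal) PDF header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_attachment()),
                        ("benign", build_benign_attachment())):
        verdicts = triage_zip(blob)
        state = "SUSPICIOUS" if is_suspicious(verdicts) else "ok"
        print(f"{label}: {state} {verdicts}")
```

The point of the content check is that a double extension or a misleading icon tells the user nothing reliable; the bytes do. In a real gateway the same logic would run on the attachment before delivery and quarantine the message, and the `unknown` verdict would be routed to a sandbox rather than passed through.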
Warzone RAT, also known as Ave Maria Stealer, is commodity malware sold to threat actors on underground forums under a subscription model.
Subscribers to the Warzone RAT service get a range of capabilities, including keystroke logging, cookie harvesting, remote access to the victim's machine, password collection, and persistence.
Researchers also note that, depending on the version, Warzone RAT can escalate the attacker's privileges on a compromised Windows machine.
Organisations worldwide routinely use legitimate remote access tools to reach files and data on distant computers. Cybercriminals abuse the same capability to carry out attacks, since it lets them control a victim's machine from anywhere.
Security experts regularly observe threat actors using remote access tools to install backdoors and take over systems, and a number of dangerous RATs, including Warzone, BitRAT, RedLine, Remcos, and Nanocore, are readily available on the dark web.
Last September, researchers observed the Russia-based Sandworm APT group targeting Ukraine with a phishing campaign that impersonated telecom providers. That campaign was believed to be aimed at delivering Warzone RAT and Colibri Loader to affected machines.
Experts stress that because these malware strains spread through phishing, organisations must strengthen their security controls and train their people to recognise and avoid such lures.
