BlackBerry ThreatVector Blog

BlackBerry Prevents: Warzone RAT

Warzone is a Remote Access Trojan (RAT) sold as a subscription-based Malware-as-a-Service (MaaS) platform on a publicly available website rather than on the dark web. The initial subscription to the malware’s basic RAT builder is rather inexpensive, beginning at $22.95 per month, because it is aimed at novice threat actors.

Advanced features such as a rootkit, hidden process capability, premium dynamic DNS (DDNS), and customer support are available with the upgraded subscription. This premium version is called “Poison”, and it’s sold at a higher fee of $879 for a three-month subscription.

Threat actors can also choose to purchase builders for document-based exploit delivery, including a recently disclosed 2021 XLL Excel exploit that the malware author claims is fully undetected, for $2100 per month.

To see how BlackBerry prevents MaaS attacks from occurring, check out the following video, and watch BlackBerry go head-to-head with a live sample of Warzone RAT.

DEMO VIDEO: BlackBerry vs. Warzone RAT

Learn more about Warzone RAT in our deep dive blog, Threat Thursday: Warzone RAT Breeds a Litter of ScriptKiddies

Demo Video: How BlackBerry Stops Warzone RAT

Let’s investigate this incident with two key BlackBerry® solutions: BlackBerry® Protect and BlackBerry® Optics. BlackBerry Protect is an endpoint protection product that uses our Cylance® AI machine learning model to stop threats before they can execute, providing users with pre-execution protection.

BlackBerry Protect also provides full details on the malicious file’s properties, with an exhaustive list of threat indicators identifying file anomalies, collection, and destruction capabilities.

BlackBerry Optics gives you full transparency into the attempted system compromise. With BlackBerry Optics, you can conduct automated root-cause analysis where you can clearly see the chain of activities conducted by the user that led to an attack attempt. Using BlackBerry Optics, you can identify the source domain for this attack and visualize all the related network interactions.

A third product, BlackBerry® Gateway, can sense and stop this type of malicious network activity by blocking the traffic based on IP reputation, effectively preventing the installation script from getting the malicious payload from the Internet. Using BlackBerry Gateway, the administrator of the affected system can easily analyze the event and obtain all the relevant data they need to see where the attack came from, and why BlackBerry products activated to stop the attack before it began.

Our Prevention-First Philosophy

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill chain.

By stopping malware at this stage, BlackBerry solutions help organizations increase their resilience. It also helps to reduce infrastructure complexity and streamline security management, ensuring your business, people and endpoints are secure.

Video Transcription

“In this video, we’ll analyze Warzone, a Remote Access Trojan sold publicly targeting novice threat actors.

This version of the RAT has hidden Remote Desktop Protocol (RDP) to allow remote access to the victim's endpoint without their being aware of it. Warzone RAT is highly configurable, and the attacker can specify many different parameters and easily build the payload.

For this demo, we have configured our machine in audit-only mode to allow the malware to run. As soon as we execute it, Warzone silently deploys and starts looking for known file paths, stored credentials, etc. to potentially gain quick wins, such as escalating privileges or stealing financial information from the unwitting victim.

If we look at Warzone's console, we can immediately see the compromised machine and how easily we can execute malicious activities on a target’s endpoint.

Let's assess our Predictive Advantage via BlackBerry Protect with a 6-year-old machine learning (ML) model versus a newly created piece of malware. As you can see, our Cylance AI model can prevent Warzone RAT from running, pre-execution, without the machine requiring any updates or even Internet connectivity.

As a final confirmation, we collected 100 samples of Warzone RAT, available on public threat repositories. Let's see how BlackBerry Protect does against them. Once again, you’ll see our Predictive Advantage prevents the execution of 100 different Warzone RAT payloads.

Prevention is Possible, with BlackBerry.”


The BlackBerry Research & Intelligence Team

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.


Hector Diaz

About Hector Diaz

Product Marketing Manager, Latin America & Caribbean, BlackBerry Spark Division