The Warzone RAT (Remote Access Tool) is in the spotlight of Check Point researcher Yaroslav Harakhavik. These "grab and deploy" malware-as-a-service (MaaS) tools are getting more popular among cyber-crooks, and those who create and sell them are making more money than ever before. This gives them the resources to create more user-friendly, powerful, and sophisticated tools so its a positive feedback loop for the whole exploitation industry. The Warzone RAT is a characteristic example of the existing MaaS market and the current situation in the field. It appeared for the first time in autumn 2018, and it has gone a long way since then.
The Warzone is written in C++ and it is compatible with all versions of Windows. It is supported by a dynamic DNS service so as to remain unaffected by IP address changes. It can plant itself in the Windows startup list, bypass the UAC (User Account Control), and disarm the Windows Defender protection. Of course, there are many different versions of the Warzone RAT, so its specific capabilities can change depending on the version.
The main features, that are generally present on all versions, are the following:
All of the above features are achieved without the need to use .NET.
The Warzone RAT is advertised via various online groups and forums, and on dedicated websites as well. The researcher has noted warzone[.]io and warzone [.]pw, but the domains are constantly updated. The malware author is offering various ways of communication too, using email, XMPP, Skype, and Discord.
As for the tiers offered for aspiring hackers, there’s a "Starter" pack that costs $22.95 and gives unlimited access for a month, a "Professional" plan that extends the access to three months and includes customer support and premium DDN, costing $49.95. Finally, there’s the top-tier "Warzone RAT-Poison" which carries the hefty price tag of $489. Via this last one, users get the RAT for six months, plus a rootkit, plus hidden files, hidden startup, and hidden processes.