WarZoneRAT Analysis

IOB - Indicator of Behavior (65)


Lang

en: 54
de: 12

Product

Microsoft Windows: 6
cPanel: 4
QNAP QTS: 4
HPE Intelligent Management Center: 4
ownCloud: 2

Vulnerabilities

# | Vulnerability | CVSS Base | CVSS Temp | 0day price | Today price | Exploitability | Remediation | CTI | EPSS | CVE
1 | Apache HTTP Server mod_proxy server-side request forgery | 7.3 | 7.3 | $25k-$100k | $25k-$100k | Not Defined | Not Defined | 0.06 | 0.97544 | CVE-2021-40438
2 | Microsoft Excel memory corruption | 7.0 | 6.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.01351 | CVE-2020-0650
3 | QNAP QTS Photo Station cross site scripting | 4.8 | 4.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00105 | CVE-2020-2491
4 | QNAP QTS/QuTS Hero/QuTScloud HBS 3 Hybrid Backup Sync improper authorization | 6.3 | 6.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.91547 | CVE-2021-28799
5 | Microsoft Windows DNS Service memory corruption | 6.3 | 5.9 | $25k-$100k | $0-$5k | High | Official Fix | 0.04 | 0.96944 | CVE-2007-1748
6 | OpenSSH Readonly Mode sftp-server.c process_open permission | 5.3 | 5.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00831 | CVE-2017-15906
7 | PHP SoapClient query null pointer dereference | 6.4 | 6.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00433 | CVE-2021-21702
8 | CASAP Automated Enrollment System users.php cross site scripting | 4.4 | 4.2 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.01 | 0.00451 | CVE-2021-3294
9 | Microsoft Dynamics NAV/Dynamics 365 Business Central cross site scripting | 4.7 | 4.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00 | 0.00067 | CVE-2021-1724
10 | Wind River VxWorks calloc memory corruption | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.04 | 0.00076 | CVE-2020-28895
11 | B&R GateManager 4260/GateManager 9250 log file | 4.3 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.07 | 0.00054 | CVE-2020-11646
12 | B&R GateManager 4260/GateManager 9250 information disclosure | 4.3 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.05 | 0.00092 | CVE-2020-11643
13 | GitLab Community Edition/Enterprise Edition NuGet API denial of service | 5.4 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00081 | CVE-2021-22168
14 | Cisco Linksys EA2700 URL information disclosure | 4.3 | 4.1 | $5k-$25k | $0-$5k | Proof-of-Concept | Unavailable | 0.04 | 0.00000 | 
15 | Cisco Small Business Web-based Management Interface stack-based overflow | 7.2 | 7.0 | $5k-$25k | $5k-$25k | Not Defined | Workaround | 0.00 | 0.00221 | CVE-2021-1210
16 | Jenkins File Browser link following | 6.0 | 6.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02 | 0.00065 | CVE-2021-21602
17 | BigProf Online Invoicing System pageEditGroup.php cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01 | 0.00046 | CVE-2020-35677
18 | Epson EpsonNet SetupManager DLL untrusted search path | 5.5 | 5.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03 | 0.00097 | CVE-2020-5681
19 | Basti2web Book Panel books.php sql injection | 7.3 | 7.0 | $0-$5k | $0-$5k | High | Official Fix | 0.16 | 0.00064 | CVE-2009-4889
20 | ImageMagick bmp.c integer overflow | 4.4 | 4.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00073 | CVE-2020-27772

IOC - Indicator of Compromise (2)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 185.19.85.163 |  | WarZoneRAT |  | 07/12/2022 | verified | High

TTP - Tactics, Techniques, Procedures (12)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Type | Confidence
1 | T1055 | CWE-74 | Injection | predictive | High
2 | T1059 | CWE-94 | Cross Site Scripting | predictive | High
3 | T1059.007 | CWE-79 | Cross Site Scripting | predictive | High

IOA - Indicator of Attack (24)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /admin/syslog | predictive | High
2 | File | /see_more_details.php | predictive | High
3 | File | admin/admin_users.php | predictive | High
4 | File | admin/pageEditGroup.php | predictive | High

References (2)

The following list contains external sources which discuss the actor and the associated activities: