The US Department of Justice (DoJ) on Friday announced the seizure of online infrastructure used to sell a remote access trojan (RAT) called Warzone RAT.
The domains – www.warzone[.]ws and three others – were “used to sell computer malware used by cybercriminals to secretly access and steal data from victims’ computers,” the DoJ said.
In addition to the removal, international law enforcement arrested and charged two individuals in Malta and Nigeria for their involvement in selling and supporting the malware and for helping other cybercriminals use the RAT for malicious purposes.
The defendants, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31), were accused of unauthorized damage to protected computers, with the former also accused of “illegal sale and advertising of an electronic interception device and participation in a criminal association aimed at committing various computer intrusion crimes.”
Meli is alleged to have offered malware services since at least 2012 through online hacking forums, sharing e-books, and helping other criminals use RATs to launch cyber attacks. Before Warzone RAT, he had sold another RAT known as Pegasus RAT.
Like Meli, Odinakachi also provided online customer support to buyers of the Warzone RAT malware between June 2019 and no earlier than March 2023. Both individuals were arrested on February 7, 2024.
Warzone RAT, also known as Ave Maria, was first documented by Yoroi in January 2019 as part of a cyberattack against an Italian oil and gas organization in late 2018 using phishing emails containing bogus Microsoft Excel files that exploited a known security flaw in the equation editor (CVE-2017-11882).
Sold under the malware-as-a-service (MaaS) model for $38 per month (or $196 per year), it works as an information stealer and facilitates remote control, allowing threat actors to commandeer infected hosts for further exploitation.
Some of the notable features of the malware include the ability to explore victims’ file systems, take screenshots, log keystrokes, steal victims’ usernames and passwords, and activate computer webcams without the victim’s knowledge or consent.
“Ave Maria attacks are initiated via phishing emails; once the downloaded payload infects the victim’s machine with the malware, it establishes communication with the attacker’s command and control (C2) server over a non-HTTP protocol, after decrypting its C2 connection using the RC4 algorithm,” Zscaler ThreatLabz said in early 2023.
On one of the now dismantled websites, which bore the slogan “We have been serving you faithfully since 2018,” the developers of the C/C++ malware described it as reliable and easy to use. They also provided customers with the ability to contact them via email (solmyr@warzone[.]ws), Telegram (@solwz and @sammysamwarzone), Skype (vuln.hf), as well as through a special “customer area”.
A further avenue of contact was Discord, where users were asked to get in touch with an account with the ID Meli#4472. Another Telegram account linked to Meli was @daniel96420.
Outside of cybercrime groups, the malware has also been used by several advanced threat actors such as YoroTrooper and those associated with Russia over the past year.
The DoJ claimed that the US Federal Bureau of Investigation (FBI) secretly purchased copies of Warzone RAT and confirmed its nefarious functions. The coordinated exercise involved assistance from authorities in Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, Romania and Europol.