US DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators

February 11, 2024 | Newsroom | Malware / Cybercrime


The US Justice Department (DoJ) announced on Friday the seizure of online infrastructure used to sell a remote access trojan (RAT) called Warzone RAT.

The domains – www.warzone(.)ws and three others – were “used to sell computer malware that cybercriminals use to secretly access and steal data from victims’ computers,” the DoJ said.

Along with the removal, the international law enforcement effort arrested and charged two individuals in Malta and Nigeria for their involvement in selling and supporting the malware and helping other cybercriminals use the RAT for malicious purposes.

The accused, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31), were charged with unauthorized damage to protected computers, with the former also charged with “illegal sale and advertising of an electronic interception device and participating in a conspiracy to commit multiple computer intrusion offenses.”


Meli has allegedly offered malware services at least since 2012 through online hacking forums, sharing e-books, and helping other criminals use RATs to carry out cyber attacks. Before the Warzone RAT, he sold another RAT known as the Pegasus RAT.

Like Meli, Odinakachi also provided online customer support to those who purchased the Warzone RAT malware, from June 2019 until at least March 2023. Both individuals were arrested on February 7, 2024.

Warzone RAT, also known as Ave Maria, was first documented by Yoroi in January 2019 as part of a cyber attack targeting an Italian organization in the oil and gas sector toward the end of 2018. That campaign used phishing emails containing fake Microsoft Excel files that exploited a known security flaw in Equation Editor (CVE-2017-11882).

Sold under the malware-as-a-service (MaaS) model for $38 a month (or $196 for a year), it functions as an information stealer and provides remote control, allowing threat actors to command infected hosts for subsequent exploitation.

Some of the malware’s notable features include the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and activate computer webcams, all without the knowledge or consent of the victim.

“Ave Maria attacks are initiated through phishing emails. Once the dropped payload infects the malware victim’s machine, it establishes communication with the attacker’s command-and-control (C2) server over a non-HTTP protocol, after decrypting its C2 connection using the RC4 algorithm,” Zscaler ThreatLabz said in early 2023.
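The Zscaler description above turns on one cryptographic detail: the C2 channel is wrapped with RC4, a stream cipher that is symmetric, so an analyst who recovers the key from a sample can decrypt captured traffic with the same routine the malware uses to encrypt it. The following Python is an added illustration written for this article, not code from the article, from Zscaler, or from the malware. It implements RC4, checks itself against the published test vectors, and then decrypts a constructed "captured" blob under a constructed key; the key, the plaintext, and the blob are placeholders and say nothing about Warzone's actual key or message format.

```python
"""RC4 as a defender's tool: verify the cipher, then decrypt a captured blob.

Added example, not code from the article or the malware. The key and the
captured bytes below are constructed placeholders for illustration only.
"""
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm: permute S under the key bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with RC4; the operation is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Published RC4 test vectors: (key, plaintext, expected ciphertext as hex).
TEST_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def self_check() -> bool:
    """Return True if the implementation matches every published vector."""
    return all(rc4(k, p).hex() == c for k, p, c in TEST_VECTORS)


# Constructed scenario: a key recovered from a sample and the bytes a network
# sensor captured. Neither value comes from the article or from real malware.
SAMPLE_KEY = b"example-key-not-from-the-article"      # constructed placeholder
SAMPLE_PLAINTEXT = b"HOSTNAME=WORKSTATION-01;USER=analyst"  # constructed
CAPTURED_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)   # what the sensor would see


def decrypt_capture(key: bytes, blob: bytes) -> str:
    """Decrypt a captured C2 blob and return it as text for triage."""
    return rc4(key, blob).decode("utf-8", errors="replace")


if __name__ == "__main__":
    if not self_check():
        raise SystemExit("RC4 implementation failed its self-check")
    print(decrypt_capture(SAMPLE_KEY, CAPTURED_BLOB))
```

Running the self-check before trusting the decryptor matters in practice: a malware family's "RC4" is sometimes a modified variant, and a routine that passes the standard vectors but produces garbage on a real capture tells the analyst the key or the algorithm differs, rather than leaving the two possibilities confused.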


On one of the now-defunct websites, carrying the tagline “Loyalty serving you since 2018,” the developers of the C/C++ malware described it as reliable and easy to use. They also gave customers the ability to contact them via email (solmyr@warzone(.)ws), Telegram (@solwz and @sammysamwarzone), and Skype (vuln.hf), as well as through a dedicated “client area.”

An additional method of contact is Discord, where users are asked to contact an account with the ID Meli#4472. Another Telegram account linked to Meli is @daniel96420.

Outside of cybercrime groups, the malware has also been used by more advanced threat actors, such as YoroTrooper, as well as by Russian partners in the past year.

The DoJ said that the US Federal Bureau of Investigation (FBI) secretly purchased copies of the Warzone RAT and confirmed its malicious functions. The coordinated exercise included assistance from authorities in Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, Romania, and Europol.
