The Warzone RAT remote access Trojan (RAT ) was being sold online, and the U.S. Justice Department ( DoJ) announced the seizure of that infrastructure on Friday.
www. is one of the domains. [. ] warzone According to the DoJ, ws and three other individuals were “used to sell computer malware used by cybercriminals to secretly access and steal data from victims ‘ computers.”
In addition to the takedown, two people have been detained and charged in Malta and Nigeria with aiding other cybercriminals in using the RAT for malicious purposes as well as selling and supporting the malware.
Prince Onyeoziri Odinakachi ( 31 ) and Daniel Meli ( 27 ) have both been charged with “illegally selling and advertising an electronic interception device and participating in a conspiracy to commit several computer intrusion offenses,” respectively.
Meli is accused of providing malware services at least since 2012 by using RATs to carry out cyberattacks, sharing e-books, and online hacking forums. He had previously sold Pegasus RAT, which should not be confused with NSO Group’s peer-spyware, in addition to Warzone Rat.
Between June 2019 and no earlier than March 2023, Odinakachi offered Warzone RAT malware buyers online customer support, just like Meli did. On February 7, 2024, both people were taken into custody.
Yoroi first discovered Warzone RAT, also known as Ave Maria, in January 2019 as part of a cyberattack on an Italian oil and gas company at the end of 2018 using phishing emails containing fake Microsoft Excel files that took advantage of the Equation Editor’s well-known security flaw ( CVE-2017- 11882 ).
It serves as an information stealer and facilitates remote control, enabling threat actors to commandeer the infected hosts for follow-up exploitation. It is available for purchase under the malware as a service ( Maas ) model for$ 38 per month ( or$ 196 per year ).
The malware’s notable characteristics include its ability to access victim file systems, record keystrokes, steal user login information, and activate webcams on computers without the victim knowing or allowing it to do so.
According to Zscaler ThreatLabz,” Ave Maria attacks are started via phishing emails. Once the dropped payload infects the victim’s machine with malware, it establishes communication with the command-and-control ( C2 ) server on non-HTTP protocol after decrypting its C2 connection using the RC4 algorithm.”
The C/C++ malware’s creators referred to it as trustworthy and simple to use on one of the now-defunct websites with the tagline” Serving you loyally since 2018.” Additionally, they gave customers the option to email ( solmyr@warzone [. ] to get in touch with them. ws ), Skype ( vuln ), and Telegram (atsolwz and Sammysamwarzone ). hf ), as well as through a specific” client area.”
Discord was another way for users to reach an account with the ID Meli# 4472. @daniel96420 was a different Telegram account connected to Meli.
The malware has also been used over the past year by a number of sophisticated threat actors, including YoroTrooper and those connected to Russia, in addition to cybercrime groups.
According to the DoJ, Warzone RAT was secretly purchased by the US Federal Bureau of Investigation ( FBI ) and its nefarious activities were verified. Authorities from Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, Romania, and Europol all contributed to the coordinated exercise.