The U.S. Justice Department (DoJ) announced a significant operation on Friday involving the seizure of online infrastructure linked to the distribution of a remote access trojan (RAT) known as Warzone RAT. This infrastructure comprised several domains, including a notable one, www.warzone[.]ws. These sites reportedly facilitated the sale of malware, enabling cybercriminals to secretly infiltrate victims’ computers and extract sensitive data.
As part of the broader initiative, law enforcement agencies in multiple countries collaborated to apprehend and indict two individuals involved in this malicious operation. The suspects, identified as Daniel Meli from Malta and Prince Onyeoziri Odinakachi from Nigeria, face charges related to unauthorized damage to protected computers. Meli is additionally accused of illegally selling and promoting an electronic interception device and engaging in a conspiracy linked to multiple computer intrusion offenses. Both individuals were taken into custody on February 7, 2024.
Meli’s alleged involvement in the malware ecosystem dates back to at least 2012, during which he reportedly offered various malware services on online hacking forums, assisted novices in executing cyber attacks, and previously marketed another RAT known as Pegasus RAT. Similarly, Odinakachi is believed to have provided customer support to Warzone RAT users from June 2019 until at least March 2023.
Warzone RAT, recognized in malware circles as Ave Maria, was first uncovered in early 2019, with initial documentation detailing cyber attacks targeting the oil and gas sector in Italy. These attacks utilized phishing emails with malicious Microsoft Excel attachments exploiting a well-known security vulnerability, CVE-2017-11882. Warzone RAT operates on a malware-as-a-service model, available for a subscription fee of $38 per month or a lump sum of $196 for a year. Its functionalities include enabling remote control over infected systems, facilitating data theft through methods such as browsing victim file systems, capturing screenshots, logging keystrokes, and surreptitiously activating webcams.
The attack methodology employed by Warzone RAT typifies several tactics outlined in the MITRE ATT&CK framework, particularly initial access, which is primarily achieved through phishing. The malware establishes communication with the attacker’s command-and-control server using non-HTTP protocols, employing decryption techniques to ensure stealth. The malware’s developers have characterized the software as reliable and user-friendly, even providing multiple avenues for support, including email, Telegram, and a client portal.
In addition to its nefarious use by cybercriminal groups, Warzone RAT has attracted attention from advanced threat actors, including those affiliated with Russian hacking operations over the past year. The DoJ confirmed that the FBI covertly procured Warzone RAT instances to validate its capabilities. The coordinated effort to dismantle this infrastructure was supported by international law enforcement agencies from Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, Romania, as well as Europol.
This operation underscores the importance of vigilance among businesses to mitigate the risks posed by such sophisticated cyber threats. Understanding the tactics and techniques associated with these types of malware aligns with a proactive approach to cybersecurity. Business owners must stay informed of evolving threats and continuously adapt their security measures to safeguard sensitive data against increasingly sophisticated attacks.