US Justice Department Collaborates with International Authorities to Dismantle Warzone RAT Malware Enterprise
ICARO Media Group
In a significant blow to cybercriminals worldwide, the U.S. Justice Department (DoJ) has successfully seized several online domains used to sell the remote access trojan (RAT) known as Warzone RAT. The operation, carried out in collaboration with law enforcement agencies from various countries, has also led to the arrest and indictment of two individuals involved in the distribution and support of the malicious software.
The seized domains, including www.warzone[.]ws, were utilized to sell computer malware that allowed cybercriminals to clandestinely access and steal sensitive data from victims' computers, according to the DoJ. Alongside the takedown, two suspects, identified as Daniel Meli (27) and Prince Onyeoziri Odinakachi (31), were apprehended in Malta and Nigeria, respectively.
Meli and Odinakachi have been charged with unauthorized damage to protected computers. Meli faces additional accusations, including the illegal sale and advertisement of an electronic interception device, as well as participation in a conspiracy to commit multiple computer intrusion offenses. Meli was allegedly involved in offering malware services since 2012 through online hacking forums, sharing e-books, and assisting other criminals in carrying out cyber attacks using RATs. Prior to Warzone RAT, he had also sold another RAT called Pegasus RAT.
Odinakachi, on the other hand, provided online customer support to buyers of the Warzone RAT malware between June 2019 and at least March 2023. Both individuals were arrested on February 7, 2024.
Warzone RAT, also known as Ave Maria, came into prominence in January 2019 when it was used in a phishing attack targeting an Italian organization in the oil and gas sector. The malware exploited a known security flaw in the Microsoft Equation Editor (CVE-2017-11882) through phishing emails containing counterfeit Microsoft Excel files. Priced at $38 per month ($196 for a year) under the malware-as-a-service (MaaS) model, Warzone RAT provides remote control and acts as an information stealer, enabling threat actors to take control of compromised systems for further exploitation.
The malware boasts several notable features, including the ability to browse victim file systems, record keystrokes, take screenshots, steal usernames and passwords, and even activate webcams without the victim's consent. Zscaler ThreatLabz described Ave Maria attacks as being initiated through phishing emails, with the malware establishing communication with the attacker's command-and-control server using non-HTTP protocols and decrypting its connection using the RC4 algorithm.
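RC4, the stream cipher Zscaler ThreatLabz names for the C2 channel, is a symmetric algorithm: whoever recovers the key from a sample or a memory image can decrypt the captured traffic. The following is an added, generic RC4 implementation for analysts working from a packet capture; it is not code from the original article or from the malware, and it makes no claim about Warzone RAT's actual key, key length or message framing, which the article does not describe. The captured message and key below are constructed for illustration.

```python
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (key-scheduling, then PRGA)."""
    # Key-scheduling algorithm (KSA): permute S using the key bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): emit one byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data`; RC4 is symmetric so one function does both."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_captured_c2(key: bytes, captured: bytes) -> str:
    """Decrypt a captured C2 payload with a recovered key (analysis helper)."""
    return rc4_crypt(key, captured).decode("utf-8", errors="replace")


# Constructed sample: a hypothetical key and a message encrypted with it, standing
# in for a key pulled from a sample and a blob pulled from a packet capture.
SAMPLE_KEY = b"recovered-key-placeholder"
SAMPLE_PLAINTEXT = b"beacon|host=WORKSTATION-01|user=analyst"
SAMPLE_CAPTURED = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)


def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Show the classic RC4 weakness: two messages under the same key XOR to m1 ^ m2.

    The keystream cancels, so an analyst with one known plaintext recovers the
    other without the key. This is why a fixed key is a weak choice for C2.
    """
    c1, c2 = rc4_crypt(key, m1), rc4_crypt(key, m2)
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


if __name__ == "__main__":
    print(decrypt_captured_c2(SAMPLE_KEY, SAMPLE_CAPTURED))
```

The `keystream_reuse_leak` helper is the check a practitioner would run: if two captured sessions XOR to something that looks like structured text, the operator is reusing a key, and one known plaintext decrypts the rest.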
The now-dismantled websites associated with Warzone RAT promoted the malware as a reliable and user-friendly tool. Customers could reach out to the developers via email (solmyr@warzone[.]ws), Telegram (@solwz and @sammysamwarzone), Skype (vuln.hf), and a dedicated "client area."
Interestingly, Warzone RAT has been employed not only by cybercrime groups but also by advanced threat actors such as YoroTrooper and individuals associated with Russia in the past year.
The DoJ's efforts were aided by the U.S. Federal Bureau of Investigation (FBI), which covertly purchased copies of Warzone RAT to confirm its illicit functionality. The operation involved authorities from Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, and Romania, as well as Europol.
This joint international crackdown represents a major victory in the ongoing battle against cybercrime, reinforcing the commitment of law enforcement agencies worldwide to protect individuals and organizations from the malicious activities of cybercriminals.