International Crackdown: Seizing Domains Selling Stealthy Warzone RAT

The United States Department of Justice has announced the seizure of online infrastructure utilized for the sale of a Remote Access Trojan (RAT) named Warzone RAT, including the confiscation of four domains, one of which is www.warzone[.]ws.

In a coordinated international law enforcement effort, two individuals were arrested and charged in Malta and Nigeria for their involvement in the marketing and support of this malicious software, as well as facilitating its use by other cybercriminals for nefarious purposes.

Daniel Meli, aged 27, and Prince Onyeoziri Odinakachi, aged 31, face charges of unauthorized impairment of protected computers, with the former also accused of illegal sale and advertisement of an electronic interception device, and participation in a conspiracy to commit multiple computer intrusions.

It is alleged that Meli has been offering malicious software services since at least 2012 through hacker forums, distributing e-books, and assisting other criminals in employing RATs for cyberattacks. Similarly, Odinakachi has provided online support for purchasers of the Warzone RAT malware since June 2019.

Sold on a Malware-as-a-Service (MaaS) basis for $38 per month (or $196 annually), Warzone RAT operates as an information stealer and remote management tool, enabling the perpetrator to take control of infected hosts for further exploitation. Noteworthy features of the malware include the ability to browse victim file systems, capture screenshots, record keystrokes (keylogging), steal victim credentials, and discreetly activate computer webcams.

The Department of Justice reported that the FBI covertly acquired copies of Warzone RAT and confirmed its malicious capabilities. This coordinated operation involved assistance from authorities in Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, and Romania, as well as from Europol.