Threat Intelligence Lab

Warzone RAT

International Crackdown on Warzone RAT Malware Service

Written by

Reza Rafati
— in

ThreatIntelligenceLab.com

In an unprecedented move, federal authorities, led by the FBI and supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT), have successfully dismantled an international malware service.

This operation, which took place on February 7, 2024, targeted a malware known as the Warzone Remote Access Trojan (RAT), used by cybercriminals to infiltrate thousands of unsuspecting consumers’ computers globally.

Arrests and International Collaboration

The operation culminated in the arrest of two suspects in Malta and Nigeria1, accused of selling the malware and aiding cybercriminals in their malicious endeavors.

The success of this operation was bolstered by an extensive international collaboration involving Australia, Canada, Croatia, Finland, Germany, Malta, the Netherlands, Nigeria, Romania, and the United States.

These countries played pivotal roles in securing the servers hosting the Warzone RAT infrastructure.

The Menace of Warzone RAT

Warzone RAT enabled cybercriminals to perform a variety of malicious activities covertly.

They could browse through victims’ file systems2, take screenshots, record keystrokes, steal usernames and passwords, and even access victims’ webcams without their knowledge.

Get to know the RAT

What is the Warzone RAT?

WarZone RAT, a Remote Access Trojan developed in C++, is marketed as malware-as-a-service. This software comes with an extensive set of functionalities, enabling it to pilfer files and passwords from victims as well as record desktop activities. Predominantly spread through phishing emails, the RAT maintains communication with its command and control server (C2) to receive consistent updates. It is also recognized by the aliases AVE_MARIA or Ave Maria. Recently, a significant international law enforcement effort led to the takedown of this malicious service, disrupting its operations and marking a crucial victory in the fight against cybercrime.

What are the functions of the Warzone RAT?

Hidden control: Attackers secretly take over the victim’s computer to manipulate and steal data invisibly. Password theft: The malware retrieves passwords from browsers and email clients. File manipulation: Hackers can manage files on the infected system, including uploading, downloading, and executing various payloads. Keylogging: WarZoneRAT records keystrokes to capture sensitive information like passwords and credit card details. Screen monitoring: It can track desktop activity and capture screenshots. Updatable: Receives updates from its control server to enhance capabilities and bypass security measures.

What are some Warzone RAT checksums?

Well, firstly, you can take a look at this Warzone RAT Virustotal report3. It will certainly help you forward. Then we have this any.run page4, it has a list of checksums that you can use. Here are some of Warzone RAT checksums: F5E9AF8A842E3D0AB3B48E83151A43A1514ED4F8772DA1819D27558B62901B3B, C3A58B2823CBB861F4BBB350CFFFC4FC39875F38AD6AF221DEF83031EEF1E0E3.

Warzone RAT report on Virustotal
Warzone RAT report on Virustotal

Legal Actions and Indictments

In the wake of the operation, U.S. Attorney Ryan K. Buchanan emphasized the pursuit of justice5 against individuals like Daniel Meli from Malta. He also stressed the importance of holding Prince Onyeoziri Odinakachi from Nigeria accountable. Both were pivotal in supporting the distribution of the malware.

These indictments serve as a stern warning to cybercriminals worldwide. They highlight the reach and determination of international law enforcement in combating cybercrime.

Seeking Justice and Support for Victims

In the aftermath of the takedown, it’s crucial to address the needs of those directly affected by this malware6. Victims of the RAT, or anyone suspecting they’ve been compromised by this insidious software, are encouraged to seek support and report their experiences7.

A platform is set up at https://wzvictims.ic3.gov/ for victims to report their malware experience. It collects crucial details for investigations and prevention.

Reporting here aids in battling cybercrime and supports victims through tough times.

Warzone RAT info video by Europol

To conclude

The Warzone RAT malware’s dismantling showcases global cooperation’s strength against cybercrime. Moving forward, ongoing vigilance and collaboration remain crucial.

  1. https://www.justice.gov/usao-ndga/pr/international-cybercrime-malware-service-dismantled-federal-authorities-key-malware ↩︎
  2. ↩︎
  3. https://www.virustotal.com/gui/file/f5e9af8a842e3d0ab3b48e83151a43a1514ed4f8772da1819d27558b62901b3b ↩︎
  4. https://any.run/malware-trends/avemaria ↩︎
  5. https://www.justice.gov/opa/pr/international-cybercrime-malware-service-dismantled-federal-authorities-key-malware-sales ↩︎
  6. https://www.europol.europa.eu/media-press/newsroom/news/international-cybercrime-malware-service-targeting-thousands-of-unsuspecting-consumers-dismantled ↩︎
  7. https://wzvictims.ic3.gov/ ↩︎

Written by

Reza Rafati
Reza Rafati is an experienced cyber security professional. He is the founder of Threat Intelligence Lab. He has extensive experience in the field of cyber threat intelligence, cyber takedowns, and cyber threat landscapes.