U.S. Authorities Shut Down Sites Selling the WarZone RAT
2024-2-12 23:36:43 Author: securityboulevard.com (view original) Reads: 9 Favorites

An FBI-led international operation this month seized several domains that were used to sell the notorious WarZone malware that BlackBerry researchers once described as “the Remote Access Trojan (RAT) of choice for aspiring miscreants on a budget.”

At the same time, the FBI arrested two people – one from Malta and the other from Nigeria – who were involved in selling the WarZone RAT and supporting hackers who used it in their campaigns.

The goal in seizing warzone[.]ws and three related domains was to take down the infrastructure used to distribute WarZone, which is offered as malware-as-a-service (MaaS) for use by other cybercriminals. The sophisticated malware allowed hackers to secretly gain access to targets’ computers and steal data such as usernames and passwords, take screenshots, record keystrokes, and use the systems’ webcams to watch victims.

The operation was directed by the FBI in Boston and Atlanta and was run in cooperation with international law enforcement via Europol, according to the U.S. Justice Department. The investigators were able to not only discover instances of WarZone being used in campaigns in Massachusetts to attack computers but also covertly bought and analyzed the malware, giving them greater knowledge of the functions it could run.

“Separately, law enforcement partners in Canada, Croatia, Finland, Germany, the Netherlands, and Romania provided valuable assistance securing the servers hosting the Warzone RAT infrastructure,” the DOJ wrote.

A Long-Time Problem

WarZone RAT – also known as Ave Maria RAT – was first detected in late 2018, and the BlackBerry researchers said that by 2020 it had become a major malware strain. They noted its range of functions but said its primary use was as an information stealer. The malware poses as a legitimate commercial IT administration tool, with basic plans sold for $37.95 a month, “far cheaper than other apex MaaS strains.”

The low cost made it easier for smaller and less-skilled cybercriminals to use WarZone in their attacks.

The BlackBerry researchers wrote that WarZone was available via one-, three- and 12-month licenses and included an optional dynamic DNS (DDNS) service, which threat groups use to hide the location of the command-and-control (C2) servers run by the malware operators. They added that cracked versions of WarZone could be found on the dark web.

There also are instructional videos on YouTube for learning how to deploy the malware and administer the C2 servers, BlackBerry added.

In a blog post last year, Splunk researchers wrote that the WarZone “is notorious for distributing spam email campaigns to disseminate its malware. These spam emails are cleverly crafted to include a malicious attachment, which takes advantage of CVE-2017-11882, a vulnerability in Microsoft Equation Editor, to infect unsuspecting victims’ systems.”
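As an added defender-side illustration (not code from the article, Splunk or BlackBerry): the Equation Editor process (EQNEDT32.EXE) that CVE-2017-11882 abuses is launched by Office as an embedded COM server and has no legitimate reason to start child processes, so flagging any process whose parent is Equation Editor in process-creation telemetry is a common way to catch exploitation of that bug. The Sysmon-style event records below are constructed for the example.

```python
import ntpath

# Constructed Sysmon-style process-creation records (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},          # normal: Office launching the COM server
    {"ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "%TEMP%\update.exe"'},           # suspicious: Equation Editor spawned cmd
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},                            # benign noise
    {"ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -File C:\\Users\\Public\\stage.ps1"},  # suspicious
]

EQUATION_EDITOR = "eqnedt32.exe"


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def find_equation_editor_children(events):
    """Return one finding per event in which Equation Editor is the parent process.

    Equation Editor itself being started by an Office application (with
    "-Embedding") is the normal, benign path and is not reported; a child
    process of EQNEDT32.EXE is what indicates CVE-2017-11882 exploitation.
    """
    findings = []
    for ev in events:
        if basename(ev.get("ParentImage", "")) == EQUATION_EDITOR:
            findings.append({
                "rule": "equation_editor_spawned_child",
                "child": basename(ev.get("Image", "")),
                "cmdline": ev.get("CommandLine", ""),
            })
    return findings


if __name__ == "__main__":
    for f in find_equation_editor_children(SAMPLE_EVENTS):
        print(f"ALERT {f['rule']}: {f['child']} <- {f['cmdline']}")
```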

Two Indicted

At the request of U.S. officials, Daniel Meli was arrested last week in Malta. The 27-year-old Maltese citizen, who was indicted in federal court in Georgia in December 2023, is accused of selling malware products and services since at least 2012 to cybercriminals through online hacking forums. He offered teaching tools, including an eBook, and allegedly sold both WarZone and the Pegasus RAT through Skynet-Corporation, which the DOJ described as an “online criminal organization.”

Meli also is accused of providing online customer support for both RATs. He is charged with unauthorized damage to protected computers, illegally selling and advertising an electronic interception device, and participating in a conspiracy to commit several computer intrusion offenses.

The DOJ wants to extradite him back to the United States. Meanwhile, Prince Onyeoziri Odinakachi, a 31-year-old Nigerian native, was indicted by a federal court in Massachusetts last month and arrested in Nigeria on February 7. Odinakachi is accused of providing online customer support between June 2019 and March 2023 to people who bought and used WarZone.

He is charged with conspiring to commit multiple computer intrusion offenses, including obtaining unauthorized access to protected computers to obtain information and causing unauthorized damage to protected computers.

Targeting the Hackers’ Infrastructures

The operation is the latest example of efforts by the DOJ, FBI, and international law enforcement to attack the infrastructure used by cybercriminal gangs. Agencies made a splash in early 2023 when the DOJ announced the seizure of computers used by the Hive ransomware group, which officials said had targeted more than 1,500 victims in 80 countries and racked up more than $100 million in ransoms.

The FBI was able to infiltrate Hive’s network in 2022, spending six months inside collecting information before shutting it all down.

The FBI also distributed decryption keys to more than 1,300 victims, enabling them to regain their captured data. Officials said at the time that the decryption keys saved $130 million in ransoms from being paid, though Chainalysis said in a report this month that the operation likely saved at least $210.4 million.

Law enforcement isn’t done with Hive, with the DOJ announcing last week a $10 million reward for information leading to the identification or location of the group’s leaders.

More recent disruption efforts targeted the Qakbot botnet and BlackCat (also known as ALPHV) ransomware-as-a-service (RaaS) groups – both in 2023 – and a botnet comprising hundreds of U.S.-based home office and small office network routers used by the China-sponsored Volt Typhoon group.

Source: https://securityboulevard.com/2024/02/u-s-authorities-shut-down-sites-selling-the-warzone-rat/