U.S. Justice Department Takes Down Warzone RAT Cybercrime Network
The U.S. Justice Department has disrupted the operation behind the Warzone [Remote Access Trojan (RAT)](https://www.justice.gov/opa/pr/international-cybercrime-malware-service-dismantled-federal-authorities-key-malware-sales). The malware, sold as [Warzone RAT](https://web.archive.org/web/20230702215535/https://warzone.ws/) and also known as Ave Maria, was built to infiltrate victims’ computers covertly so that attackers could harvest sensitive information and control the compromised systems remotely.
The marketplace ran across several domains, with www.warzone[.]ws as its hub, where the operators sold the software to cybercriminals worldwide. The enforcement action seized the connected domains and led to the arrests of two individuals, Daniel Meli of Malta and Prince Onyeoziri Odinakachi of Nigeria. Meli, who had sold malware since at least 2012, and Odinakachi, who provided customer support to Warzone RAT buyers, now face federal charges in the United States.
Warzone RAT was active as early as late 2018, when it was used against an Italian company in the oil and gas sector. Those attacks arrived through phishing emails carrying malicious Excel attachments that exploited CVE-2017-11882, a stack buffer overflow in Microsoft Office’s legacy Equation Editor (EQNEDT32.EXE). According to analysis by [Cybaze-Yoroi ZLab](https://yoroi.company/en/research/the-ave_maria-malware/), the malware sent stolen data to a command-and-control server over an encrypted channel and used evasion techniques to avoid detection.
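One practical check that follows from the delivery chain described above is a quick triage of Office attachments for an embedded Equation Editor object, the component CVE-2017-11882 abuses. The script below is an added example written for this article; it is not code from the original reporting, from the Justice Department, or from any of the research teams cited here. It assumes only the published CLSID of Microsoft Equation 3.0, {0002CE02-0000-0000-C000-000000000046}, and the text markers Office and RTF use for that object; the sample documents it scans are constructed inline and are not real malware.

```python
"""Triage heuristic: does an Office/RTF document embed an Equation Editor (Equation.3)
object? Added example for this article, not code from the original page.
"""
import io
import uuid
import zipfile

# CLSID of Microsoft Equation 3.0 (EQNEDT32.EXE), the target of CVE-2017-11882.
# Inside OLE compound-file streams the GUID is stored little-endian.
EQUATION3_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION3_CLSID_LE = EQUATION3_CLSID.bytes_le

# Text forms of the same object: RTF uses \objclass Equation.3, OOXML relationship
# and vml parts carry the ProgID, and the object's user-type string is also common.
TEXT_MARKERS = (b"Equation.3", b"Microsoft Equation 3.0")


def scan_bytes(blob: bytes) -> list[str]:
    """Return the Equation Editor markers found in one stream or document part."""
    hits = []
    if EQUATION3_CLSID_LE in blob:
        hits.append("clsid:" + str(EQUATION3_CLSID))
    for marker in TEXT_MARKERS:
        if marker in blob:
            hits.append("text:" + marker.decode())
    return hits


def scan_document(data: bytes) -> dict[str, list[str]]:
    """Scan a document and map each part name to the markers found in it.

    OOXML files (.docx/.xlsx) are zip containers, so every part is decompressed and
    scanned; that covers embedded oleObjectN.bin streams under word/embeddings/ or
    xl/embeddings/. Anything else (RTF, legacy .doc/.xls) is scanned as one blob.
    This is a byte search, not a compound-file parser, so an object hidden inside a
    further nested or custom-encoded container would be missed.
    """
    findings: dict[str, list[str]] = {}
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                hits = scan_bytes(zf.read(name))
                if hits:
                    findings[name] = hits
    else:
        hits = scan_bytes(data)
        if hits:
            findings["<file>"] = hits
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any part of the document references an Equation.3 object."""
    return bool(scan_document(data))


def build_sample_xlsx_with_equation() -> bytes:
    """Constructed sample (not a real workbook): the minimum zip layout needed to
    mimic an .xlsx that carries an Equation.3 OLE object in xl/embeddings/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        # Fake compound-file stream: CFB magic, padding, then the CLSID where a
        # real root directory entry would carry it.
        zf.writestr(
            "xl/embeddings/oleObject1.bin",
            b"\xd0\xcf\x11\xe0" + b"\x00" * 64 + EQUATION3_CLSID_LE,
        )
    return buf.getvalue()


# Constructed RTF samples: one embedding an Equation.3 object, one clean.
SAMPLE_RTF = rb"{\rtf1{\object\objemb{\*\objclass Equation.3}{\*\objdata 0105000002000000}}}"
SAMPLE_CLEAN_RTF = rb"{\rtf1 Quarterly report\par}"


if __name__ == "__main__":
    for label, doc in (
        ("constructed xlsx", build_sample_xlsx_with_equation()),
        ("constructed rtf", SAMPLE_RTF),
        ("clean rtf", SAMPLE_CLEAN_RTF),
    ):
        print(label, "->", scan_document(doc) or "no Equation Editor markers")
```

A hit means the attachment deserves detonation in a sandbox or manual review, not that it is malicious: Equation.3 objects occur legitimately in older documents. Microsoft removed the Equation Editor component from Office in its January 2018 updates, so on patched hosts such an object will not render in any case, and a fresh document that still carries one is unusual enough to warrant a look.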
Warzone RAT’s feature set was broad. It offered file browsing, keystroke logging, and credential theft, as well as covert activation of the victim’s webcam. Sold as malware-as-a-service, it attracted a wide range of criminal customers, including actors linked to Russia, as research from [Morphisec Labs](https://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery) has noted.
As part of the investigation, the FBI purchased copies of the RAT to verify its advertised capabilities. The breadth of international cooperation reflects the seriousness of the threat: authorities from Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, and Romania, along with Europol, assisted in the takedown.
The DoJ’s action is a clear warning to cybercriminals and shows the commitment of federal and international law enforcement to dismantling cybercrime infrastructure and prosecuting those who operate it. The arrests of Warzone RAT’s key operators are a milestone in the ongoing fight against digital threats. For defenders, published detection guidance such as [Splunk’s analysis of Ave Maria/Warzone RAT](https://www.splunk.com/en_us/blog/security/defending-the-gates-understanding-and-detecting-ave-maria-warzone-rat.html) remains relevant, since copies already sold to customers do not disappear with the marketplace.
Victims of Warzone RAT intrusions are encouraged to contact the FBI; reports help investigators gauge the malware’s reach and may help mitigate future attacks. Background on how the malware has been delivered to victims is available in [Zscaler’s research on AveMaria’s distribution strategy](https://www.zscaler.com/blogs/security-research/dynamic-approaches-seen-avemaria-s-distribution-strategy), as authorities press on with their mission to safeguard cyberspace for all users.
If you enjoyed this article, please check out our other articles on CyberNow