
US Law Enforcement Shut Down Warzone RAT, Resulting In Two Arrests

US law enforcement announced that the Warzone RAT cybercrime operation was dismantled on February 9, 2024. The takedown was the result of a coordinated multinational law enforcement effort.

Two people, one in Malta and one in Nigeria, have been arrested and charged as a result of the operation. They are accused of helping malicious actors use the RAT (Remote Access Trojan) for criminal activity, and of promoting and selling the malware.

The defendants, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31), face charges of unauthorised damage to secured systems. Meli also faces charges of conspiring to commit several data breach offences and of unlawfully marketing and selling an electronic surveillance device.

The arrest of Daniel Meli revealed his role in distributing the Warzone RAT, also known as “AveMaria”. This remote access malware has a long history of use in fraud.

Meli was arrested by the Malta police at the request of U.S. law enforcement agencies, which had filed a criminal complaint against him on December 12, 2023.

Introduced in 2018, Warzone RAT is a commodity malware that offers a broad set of features to enable unlawful activity. These include UAC bypass, hidden remote desktop access, cookie and password theft, keylogging, webcam capture, file manipulation, reverse proxy usage, remote shell access, and process management.

In early 2023, Zscaler ThreatLabz reported:

Ave Maria attacks are initiated via phishing emails. Once the dropped payload infects the victim’s machine with the malware, it establishes communication with the attacker’s command-and-control (C2) server over a non-HTTP protocol, after decrypting its C2 connection using the RC4 algorithm.

Yoroi’s research team became aware of Warzone RAT (AveMaria) in January 2019. It had first been observed in late 2018 during a cyberattack targeting an Italian oil and gas company. That attack exploited a known vulnerability in Microsoft Equation Editor (CVE-2017-11882) through phishing emails carrying fake Microsoft Excel files.

Meli and Odinakachi were both active in providing online customer support for the Warzone RAT malware from June 2019 until March 2023. The Malta Police Force and the Office of the Attorney General of Malta together executed an operation on February 7, 2024, which resulted in Meli’s arrest. The FBI and the U.S. Department of Justice (DOJ) provided support for this comprehensive effort.

Four internet domains connected to the sale of the Warzone RAT have been seized by authorities. Visitors to these domains now see a takedown notice stating that a coalition of international authorities has taken enforcement action.

This joint effort brought together law enforcement from the United States, Canada, the Netherlands, Germany, Croatia, Malta, Romania, Finland, Australia, and Nigeria, with additional assistance from Europol.

A takedown notice from U.S. law enforcement (DOJ)

The developers had advertised the malware, written in C/C++, as dependable and user-friendly on a website that is no longer online and was known for the motto “Serving you loyally since 2018”.

The website offered several ways to contact the creators, including email (solmyr@warzone[.]ws), Telegram (@solwz and @sammysamwarzone), Skype (vuln.hf), and a dedicated ‘client area’.

A federal grand jury in the District of Massachusetts returned a second indictment on January 30, 2024, against Prince Onyeoziri Odinakachi, a 31-year-old Nigerian. He is accused of providing customer support to cybercriminals who purchased access to the Warzone RAT.

The U.S. Department of Justice’s notice mainly links Meli to the malware’s distribution and customer support. Whether he is the actual author of the Warzone RAT remains unknown. If he is, he would have created it at the age of 21.

Daniel Meli faces serious legal jeopardy. If convicted, he could receive a sentence of fifteen years in prison followed by three years of parole.

In addition, he faces fines of up to $500,000 or twice the gross gain or loss, whichever is greater, in connection with the charges against him. The Northern District of Georgia is actively seeking his extradition from Malta so that he can stand trial in the United States.

Urgent action is needed. If you believe you have been a victim of a Warzone RAT infection, take immediate steps to secure your systems and report the incident to the FBI, the lead authority on cybercrime.

Report incidents at: https://wzvictims.ic3.gov

Defending against this kind of credential theft involves placing remote access servers behind VPNs, minimising the number of devices exposed to the public internet, enabling MFA, and providing phishing awareness training.

Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.
