Seized notice on Warzone site

Warzone RAT infrastructure seized

On February 9, 2024, the Justice Department announced that an international operation had seized internet domains that were selling information-stealing malware. Federal authorities in Boston seized www.warzone.ws and three related domains, which sold the Warzone RAT malware.

The Warzone RAT malware, a sophisticated Remote Access Trojan (RAT), enabled cybercriminals to browse victims’ file systems, take screenshots, record keystrokes, steal victims’ usernames and passwords, and watch victims through their web cameras, all without their knowledge or permission.

On February 7, 2024, two suspects were arrested in Malta and Nigeria, accused of selling the malware and supporting cybercriminals who used it for malicious purposes.

The operation was led by the FBI, and supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT).

Anyone who is a victim of a Warzone RAT computer intrusion is urged to report it to the FBI via its Warzone RAT Victim Reporting Form.

Signs of infection

There are some known Indicators of Compromise (IOCs) for recent versions of the Warzone RAT (aka AveMaria Stealer):

SHA-256 hashes:

  • 0246d4eb99473ba449b98548167d0767b68b075749a8962d0573851f505689b5
  • 19dba570adb979d9063882d8dd6d880d1f37f25e600cc07097646946ebc947a2
  • 7de4fbda4834453be39c6e20697ab0cde46cf417c953a2f1ba3ab63442d49981
  • 94f836d1cd5bfe8a245a0b66076c86506f53b2fae38ed5da7b2f13cfa07b6cac
  • b66c5ebef83e48811156c3499b79c798c178d5655d6448403cb070061aba4f4d
  • dd1fa6cb67aa97468e62afeec6bfa9c1cb52f5acf029ab77a0fdd2e34cd50a21
  • de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488
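A file-hash IOCs list like the one above is only useful if you actually sweep your hosts with it. The script below is an added example (it is not code from Malwarebytes or from the post) that walks a directory tree, computes the SHA-256 of every regular file in streaming fashion, and reports any file whose digest matches the published list. The hash values are the ones quoted in the post; the directory layout and the file contents in `demo()` are constructed for the example, and the `scan_tree`, `sha256_of_file` and `is_known_warzone_hash` names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, FrozenSet

# SHA-256 IOCs for recent Warzone RAT (AveMaria Stealer) samples, as listed in the post.
WARZONE_SHA256: FrozenSet[str] = frozenset({
    "0246d4eb99473ba449b98548167d0767b68b075749a8962d0573851f505689b5",
    "19dba570adb979d9063882d8dd6d880d1f37f25e600cc07097646946ebc947a2",
    "7de4fbda4834453be39c6e20697ab0cde46cf417c953a2f1ba3ab63442d49981",
    "94f836d1cd5bfe8a245a0b66076c86506f53b2fae38ed5da7b2f13cfa07b6cac",
    "b66c5ebef83e48811156c3499b79c798c178d5655d6448403cb070061aba4f4d",
    "dd1fa6cb67aa97468e62afeec6bfa9c1cb52f5acf029ab77a0fdd2e34cd50a21",
    "de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488",
})


def is_known_warzone_hash(hexdigest: str) -> bool:
    """Case-insensitive lookup, so hashes copied from tools that print uppercase still match."""
    return hexdigest.strip().lower() in WARZONE_SHA256


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, iocs: FrozenSet[str] = WARZONE_SHA256) -> Dict[str, str]:
    """Walk `root` and return {path: sha256} for every file whose digest is in `iocs`.

    Unreadable or locked files are skipped rather than aborting the whole sweep,
    which matters on a live host where some files are held open.
    """
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[path] = digest
    return hits


def demo() -> dict:
    """Constructed demonstration: a temp directory with one benign file and one
    stand-in file whose hash is appended to the IOC set so the match path is exercised."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"constructed benign content")
        suspect = Path(tmp) / "dropper.exe"  # constructed stand-in, not a real sample
        suspect.write_bytes(b"constructed stand-in for a flagged sample")

        # Published IOCs plus the constructed file's digest (the real samples are not on disk here).
        iocs = WARZONE_SHA256 | {sha256_of_file(str(suspect))}
        hits = scan_tree(tmp, frozenset(iocs))
        return {
            "published_iocs": len(WARZONE_SHA256),
            "hits": len(hits),
            "flagged": sorted(os.path.basename(p) for p in hits),
        }


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches samples whose bytes are already known; repacked builds of the same RAT will have different digests, so treat a miss as "no known sample found", not as a clean bill of health, and pair the sweep with the behavioural signs listed further down.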

Warzone RAT is usually spread by emails that use social engineering methods to trick the receiver into downloading and triggering the infection.

General signs that a RAT is active on your system may be:

  • A slow computer and seemingly slow internet connection.
  • Unknown processes in Task Manager.
  • Missing or altered files on your system.
  • Unknown entries in the list of installed programs/software.

Prevention

To keep RATs off your systems, the most general rules of security apply:

  • Keep your software and internet connected devices updated.
  • Only download apps and other software from trusted sources.
  • Be careful about which sites you visit and which emails you open.
  • Never open unsolicited email attachments.
  • Use an up-to-date anti-malware solution.

Malwarebytes and ThreatDown products will detect the Warzone RAT as:

  • Trojan.MalPack.PNG.Generic
  • Trojan.MalPack.MSIL.Generic
  • Generic.Malware.AI.DDS
  • Malware.AI.2990474738
  • Trojan.MalPack

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.