Cybercrime , Fraud Management & Cybercrime , Malware as-a-Service

Authorities Bust Accused Seller of Widely Used RAT Malware

2 Men Arrested in Malta, Nigeria for Hawking Malware on Hacking Forums Since 2012
Authorities Bust Accused Seller of Widely Used RAT Malware
Image: Shutterstock

Federal authorities have seized internet domains and arrested two men in Malta and Nigeria who they say served as sales and customer service reps for a dark web business that sold RAT malware to cybercriminals over a 12-year period, leading to the "takeover and infection of computers worldwide."

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

According to a U.S. Justice Department statement on Friday, authorities in Malta arrested Daniel Meli, 27, of Zabbar, Malta, on Wednesday at the DOJ's request. Meli, who made his initial appearance before a magistrate judge in Valletta, Malta, is facing charges from a federal grand jury indictment in the U.S. District Court for the Northern District of Georgia returned on Dec. 12, 2023, which accuses him of causing unauthorized damage to protected computers, illegally selling and advertising an electronic interception device, and participating in a conspiracy to commit several computer intrusion offenses.

Authorities said he marketed, sold and maintained two widely used strains of malware - Warzone RAT and an earlier version known as the Pegasus RAT - in online computer-hacking forums since at least 2012.

"Specifically, Meli allegedly assisted cybercriminals seeking to use RATs for malicious purposes and offered teaching tools for sale, including an eBook," the DOJ said. "He sold through an online criminal organization called Skynet-Corporation. He also provided online customer support to purchasers of both RATs."

Authorities in Boston seized and three related domains that "sold the Warzone remote access Trojan, which gives cybercriminals the ability to" browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and watch victims through their web cameras."

FBI agents in Massachusetts covertly bought and analyzed the Warzone RAT malware and confirmed its malicious capabilities, according to court documents.

Also arrested on Wednesday was Prince Onyeoziri Odinakachi, 31, of Nigeria, by the Port Harcourt Zonal Command of Nigeria's Economic and Financial Crimes Commission. A federal grand jury in the U.S. District Court for the District of Massachusetts on Jan. 30 indicted Odinakachi for conspiracy to commit multiple computer intrusion offenses, including obtaining authorized access to protected computers to obtain information and causing unauthorized damage to protected computers. The DOJ said that between June 2019 and March 2023, Odinakachi provided customers with online support for Warzone RAT.

The takedown encompassed an international law enforcement operation led by FBI special agents in Boston and Atlanta and coordinated through Europol. Law enforcement agencies in Canada, Croatia, Finland, Germany, the Netherlands and Romania helped secure the servers hosting the Warzone RAT infrastructure.

"Today's actions targeting the Warzone RAT infrastructure and personnel are another example of our tenacious and unwavering commitment to dismantling the malware tools used by cybercriminals," said Joshua S. Levy, the acting U.S. attorney for the District of Massachusetts.

About the Author

Cal Harrison

Cal Harrison

Editorial Director, ISMG

Harrison helps ISMG readers gain new perspectives on the latest cybersecurity trends, research and emerging insights. A 30-year veteran writer and editor, he has served as an award-winning print and online journalist, mass communication professor and senior digital content strategist for DXC Technology, where he led thought leadership, case studies and the Threat Intelligence Report for the Fortune 500 firm's global security, cloud and IT infrastructure practices.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.