U.S. Justice Department Dismantles Warzone RAT (Remote Access Trojan) Infrastructure, Arrests Key Operators

admin, February 13, 2024, 23:10:14

The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called Warzone RAT.

The domains – www.warzone[.]ws and three others – were "used to sell computer malware used by cybercriminals to secretly access and steal data from victims' computers," the DoJ said.

Alongside the takedown, the international law enforcement effort has arrested and indicted two individuals in Malta and Nigeria for their involvement in selling and supporting the malware and helping other cybercriminals use the RAT for malicious purposes.

The defendants, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31), have been charged with unauthorized damage to protected computers, with the former also accused of "illegally selling and advertising an electronic interception device and participating in a conspiracy to commit several computer intrusion offenses."

Meli is alleged to have offered malware services at least since 2012 through online hacking forums, sharing e-books, and helping other criminals use RATs to carry out cyber attacks. Prior to Warzone RAT, he had sold another RAT known as Pegasus RAT.

Like Meli, Odinakachi also provided online customer support to purchasers of Warzone RAT malware from June 2019 until at least March 2023. Both individuals were arrested on February 7, 2024.

Warzone RAT, also known as Ave Maria, was first documented by Yoroi in January 2019 as part of a cyber attack targeting an Italian organization in the oil and gas sector towards the end of 2018. That campaign used phishing emails carrying bogus Microsoft Excel files that exploited a known security flaw in the Equation Editor (CVE-2017-11882).

Sold under the malware-as-a-service (MaaS) model for $38 a month (or $196 for a year), it functions as an information stealer and provides remote control, allowing threat actors to commandeer infected hosts for follow-on exploitation.

Some of the notable features of the malware include the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and activate the computer's webcams without the victim's knowledge or consent.

"Ave Maria attacks are initiated via phishing emails, once the dropped payload infects the victim's machine with the malware, it establishes communication with the attacker's command-and-control (C2) server on non-HTTP protocol, after decrypting its C2 connection using RC4 algorithm," Zscaler ThreatLabz said in early 2023.

On one of the now-dismantled websites, which had the tagline "Serving you loyally since 2018," the developers of the C/C++ malware described it as reliable and easy to use. They also provided the ability for customers to contact them via email (solmyr@warzone[.]ws), Telegram (@solwz and @sammysamwarzone), Skype (vuln.hf), as well as via a dedicated "client area."

An additional contact avenue was Discord, where the users were asked to get in touch with an account with the ID Meli#4472. Another Telegram account linked to Meli was @daniel96420.

Outside of cybercrime groups, the malware has also been put to use by several advanced threat actors like YoroTrooper as well as those associated with Russia over the past year.

The DoJ said the U.S. Federal Bureau of Investigation (FBI) covertly purchased copies of Warzone RAT and confirmed its nefarious functions. The coordinated exercise involved assistance from authorities in Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, Romania, and Europol.


Originally published on the WeChat public account 知机安全: U.S. Justice Department Dismantles Warzone RAT (Remote Access Trojan) Infrastructure, Arrests Key Operators

Published by admin on February 13, 2024, 23:10:14. Reprints should retain the link to this article (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2489279.html