German Police Raid OmniRAT Developer and Seize Digital Assets
The German police yesterday raided the house of the developer of OmniRAT and seized his laptop, computer and mobile phones probably as part of an investigation into a recent cyber attack, a source told The Hacker News.
OmniRAT made headlines in November 2015 when its developer launched it as a legitimate remote administration tool for IT experts and companies to manage their devices with explicit permissions.
Available between $25 and $100, OmniRAT quickly became one of the most popular remote administration tools, allowing users to monitor Android, Windows, Linux, and Mac devices remotely and access every available information on them.
However, just like any other remote administration tool like DroidJack, DarkComet, AndroRAT, and njRAT, some customers of OmniRAT also used the tool for illicit purposes, especially because it was available at a far cheaper price than other RATs in the market.
In one such event earlier this year, a group of hackers attempted to target several industries by exploiting an old remote code execution vulnerability (CVE-2016-7262) in Microsoft Excel that eventually installed OmniRAT on targeted computers.
According to a security researcher who reported this incident in January, the attackers used a malformed Excel sheet disguising as a business profile of “Kuwait Petroleum Corporation (KPC)” to lure its victims into opening the attachment.
Though Kuwait Petroleum Company was not itself targeted by the malware, another anonymous source told The Hacker News that almost two months ago, lawyers representing the oil company started emailing the domain registrar from where the official domain of OmniRAT was registered and demanded them to disclose the identity of the domain owner, citing whois-related GDPR and ICANN rules.
The content on the official OmniRAT website has been unavailable since last few days, which has probably been taken down by its developer to prevent its domain registrar from disclosing his identity to the company.
The developer of OmniRAT reportedly resides in Germany, but his/her identity is still unknown to the public.
At this moment, it’s not clear if the raid by German police is linked to the efforts made by Kuwait Oil Company or involves some separate criminal case against him.
It’s also possible that the German police could be behind the list and identity of all the customers who purchased OmniRAT in the last four years to crack down on cybercriminals abusing the tool.
In a similar operation in 2015, law enforcement agencies in several countries raided homes and arrested suspected users of DroidJack smartphone malware.
Though creating malware or hacking tool is illegal in Germany, like many other countries, it also depends upon how the tool has been advertised.
Because just like penetration testing tools, remote administration tools are also a two-sided sword and can be used for both legal and illegal purposes.
In one case, it was reported that two years ago a group of hackers were using OmniRAT to spy on Islamic State (ISIS) members and supporters by distributing its Android version via the popular Telegram messaging app.
A disclaimer, as shared below, posted on the official OmniRAT website also said that the tool is not for hacking and that customers are themselves liable for any misuse.
“OmniRAT is created by German authors, and the servers are also located in Germany. Therefore the German law applies for us. OmniRAT is a remote administration tool (rat). It is not – as many believe – a trojan neither made for hacking; therefore, it is not illegal and does not violate the law. The usage, however, is only licit on devices you own or have permission for. This is also stated inside our terms of service. By purchasing and using OmniRAT, you obey the above.”
Although the OmniRAT developer did not seem to have directly encouraged his customers to use the tool for spying on someone, late last year, he posted description and new features of his tool on an infamous hacking forum, a website which is famous among newbies for finding hacking tools in the market.
On the same hacking forum, in April this year, he announced the shutdown of OmniRAT, saying “unfortunately due to the pressure of the government and the cybercrime division OmniRAT has to be shut down. This will take immediate effect.”
However, since the working of the tool does not directly rely or share collected device data with the OmniRAT server, users who already have access to the remote administration tool can still continue using it for whatever purpose they want.
The Hacker News is keeping an eye on every possible development in this story and will update our readers as soon as we learn more about it.