OmniRAT developer was surprised by a visit from the German police, who confiscated digital devices
OmniRAT is a Remote Access Tool that was first spotted being used for malicious activities in November 2015 in Germany. The application was sold online for a mere $25-$100, which only encouraged cybercriminals to misuse it for illegitimate spying on Windows, Linux, Mac, and Android devices.
Advertised as a parental control tool for remote administration, OmniRAT is often distributed through malicious SMS messages, phishing emails, and other methods. Once installed, the app allows remote access to the device without the owner knowing that extensive spying is taking place. OmniRAT is not the first remote access tool to be misused: DroidJack, AndroRAT, DarkComet, and many others have been abused in the same way.
The house of the OmniRAT developer was recently raided by German law enforcement, and computing devices such as laptops and phones were confiscated for examination. The action follows recent cyber attacks that were closely related to the misuse of the tool, and the developer is suspected of taking part.
OmniRAT software spread via malicious Excel file in the past
One instance in which the remote access tool was used to illegally spy on users occurred in January this year. Unknown hackers launched a campaign that targeted numerous organizations with a Microsoft Excel file exploiting the CVE-2016-7262 remote code execution vulnerability, which in turn installed the RAT on the device.
The trickiest part of this attempt was that the hackers distributed a malicious Excel document that allegedly contained a business profile of the well-known oil company KPC (Kuwait Petroleum Corporation). Although the company itself was not involved in this incident, KPC demanded that the owner of the omnirat.eu domain, a site used to distribute the tool, be identified.
Another event involving OmniRAT surfaced in 2017, when cybersecurity experts uncovered a group of unknown hackers who used the application to spy on the Islamic State terrorist group (also known as ISIS) and distributed the malicious payload through the Telegram messaging application.
While the developer denies involvement in cybercriminal activities, a post on hacking forums points in the other direction
The official OmniRAT website states that the tool is for legitimate use only and that every user should obey these rules. However, it seems that not everyone followed them:
The usage, however, is only licit on devices you own or have permission for. This is also stated inside our terms of service. By purchasing and using OmniRAT, you obey the above.
Nevertheless, the facts show that the developer did indeed want to sell OmniRAT to cybercriminals, as he or she posted on a well-known underground forum whose visitors are novices in the illegal hacking industry. The features described are as follows:
- Full support for Mac OS and Linux.
- Full support for Android 9.
- A user-friendly GUI.
- Improvements on the ID generation.
- Easy-handling encryption.
Due to all the events surrounding OmniRAT lately, the official web page is disabled at the moment. The developer may have taken it down to avoid revealing his or her identity to the Kuwait Oil Company.
Currently, it is not known whether the attempts of the Kuwait Oil Company to uncover the OmniRAT author were related to the raid by the German police.
However, even though the German police might have the list of all hackers that were trying to misuse this tool, the crooks can still continue using the software for malicious purposes until they are caught.