Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/22/2018
12:01 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Attackers Using 'Legitimate' Remote Admin Tool in Multiple Threat Campaigns

Researchers from Cisco Talos say Breaking Security's Remcos software allows attackers to fully control and monitor any Windows system from XP onward.

A tool sold by Germany-based firm Breaking Security as legitimate software for remotely managing Windows systems is instead being widely used by threat actors in multiple malicious campaigns.

Researchers at Cisco Talos say that Breaking Security's Remcos software is a sophisticated Remote Access Trojan (RAT) that attackers can use to fully control and monitor any Windows computer from XP onward, including those running server editions of the operating system.

Breaking Security has said Remcos is only sold for legitimate uses and that it will revoke the license of any users caught using the software for malicious purposes. However, the product — which sells for anywhere from around $57 to $450 — is being widely advertised and sold on numerous hacking-related forums apparently with Breaking Security's knowledge and, in some cases, active participation, Talos said in an advisory Wednesday.

Despite Breaking Security's claims about revoking licenses, multiple unrelated adversaries are using Remcos in a variety of different threat campaigns, including one targeting defense contractors in Turkey, Talos said.

But Francesco Viotto, an individual who identified himself as an administrator and developer at Breaking Security, says that Talos' analysis is incorrect, incomplete, and damaging. In emailed comments to Dark Reading, Viotto said Remcos — an acronym for Remote Control & Surveillance — is simply a powerful tool for carrying out multiple remote administration, remote support, surveillance, and remote proxy tasks.

Breaking Security has many customers, he said, including those in IT management and cybersecurity, as well as business owners and private users. "Now, due to the power and versatility of this software, some users abused it by using it to control machines where they didn’t have ownership on," he wrote. "This is explicitly forbidden by our Terms of Usage, which any user must accept prior to registering and buying on our site."

Viotto said each Remcos user has a unique license code that makes it easy to spot when the software has been installed on unauthorized systems. In the event Breaking Security discovers a user is abusing the software, the license can be immediately revoked, he explained, plus the company offers a dedicated email on its site that security researchers can use to report abuse. However, Talos never reported any such abuse prior to the report, Viotto said.

"If the researchers who wrote, 'I sell Remcos to cybercriminals' did their homework well, why didn't they mention all the anti-abuse code which I programmed into Remcos?" he wrote. "Why should I include these protection methods and ruin my business if these accusations are true?"

Viotto added that if Cisco Talos had been really interested in stopping the malicious campaigns, the easiest method was to report the abuse to the company first.

Cisco Talos' analysis has revealed several attempts by adversaries to install Remcos on various endpoints via different distribution methods, including specially crafted spear-phishing emails. Among the organizations that one attacker has targeted using Remcos are news agencies, diesel equipment manufacturers, HVAC service providers, and organizations within the energy and maritime sector.

Remcos is not the only ostensibly legitimate tool that attackers can obtain from Breaking Security.

The firm also offers an encryption tool called Octopus Protector that attackers can use to hide malware from threat detection tools; a keylogger for capturing and transmitting keystrokes on infected systems; a mass-mailing tool for sending spam; and a DynDNS service for post-compromise command and control. The firm even has a YouTube video on its site showing potential buyers how they can use the Octopus Protector to bypass antimalware tools.

Breaking Security's portfolio of products and services, when combined with Remcos, gives attackers all the tools required to build and maintain a potentially illegal botnet, Cisco Talos said.

From a functionality and use case standpoint, Remcos is a fairly standard-issue RAT. What makes the tool interesting is how it is being openly sold as a legitimate tool for remote administration of Windows systems, says Craig Williams, director of outreach with Talos.

"The fact that [Breaking Security's] business model involves openly selling tools which appear to be widely used by malware authors is fairly unusual," he says.

There have been other instances where someone has openly advertised and sold malware under the guise of it being a legitimate tool, but those have been reasonably rare. "Gray area software is something to be concerned about," Williams says.

Arguably, tools such as Remcos can have a legitimate purpose, which is possibly why Breaking Security is selling it openly. "If someone wanted to monitor and keylog a computer remotely with binaries that evaded antivirus through a DynDNS C2 mechanism for legal purposes, this may be useful," Williams says.

The tool is especially useful if the initial install vector needed to be a phishing email, he notes. But, otherwise, few other legitimate use cases for the tool appear to exist.

Businesses like Breaking Security highlight the reasons why one should never buy so-called "administrative tools" from questionable companies, Williams said.

To assist organizations that may have become victims of Remcos, Talos is providing an open source tool capable of extracting the C2 server address and other information needed to block the threat, he adds.

Related Content:

   

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Botnet Infects Hundreds of Thousands of Websites
Robert Lemos, Contributing Writer,  10/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5144
PUBLISHED: 2020-10-28
SonicWall Global VPN client version 4.10.4.0314 and earlier allows unprivileged windows user to elevate privileges to SYSTEM through loaded process hijacking vulnerability.
CVE-2020-5145
PUBLISHED: 2020-10-28
SonicWall Global VPN client version 4.10.4.0314 and earlier have an insecure library loading (DLL hijacking) vulnerability. Successful exploitation could lead to remote code execution in the target system.
CVE-2020-27956
PUBLISHED: 2020-10-28
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root).
CVE-2020-27957
PUBLISHED: 2020-10-28
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension.
CVE-2020-16140
PUBLISHED: 2020-10-27
The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.