Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/22/2018
12:01 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Attackers Using 'Legitimate' Remote Admin Tool in Multiple Threat Campaigns

Researchers from Cisco Talos say Breaking Security's Remcos software allows attackers to fully control and monitor any Windows system from XP onward.

A tool sold by Germany-based firm Breaking Security as legitimate software for remotely managing Windows systems is instead being widely used by threat actors in multiple malicious campaigns.

Researchers at Cisco Talos say that Breaking Security's Remcos software is a sophisticated Remote Access Trojan (RAT) that attackers can use to fully control and monitor any Windows computer from XP onward, including those running server editions of the operating system.

Breaking Security has said Remcos is only sold for legitimate uses and that it will revoke the license of any users caught using the software for malicious purposes. However, the product — which sells for anywhere from around $57 to $450 — is being widely advertised and sold on numerous hacking-related forums apparently with Breaking Security's knowledge and, in some cases, active participation, Talos said in an advisory Wednesday.

Despite Breaking Security's claims about revoking licenses, multiple unrelated adversaries are using Remcos in a variety of different threat campaigns, including one targeting defense contractors in Turkey, Talos said.

But Francesco Viotto, an individual who identified himself as an administrator and developer at Breaking Security, says that Talos' analysis is incorrect, incomplete, and damaging. In emailed comments to Dark Reading, Viotto said Remcos — an acronym for Remote Control & Surveillance — is simply a powerful tool for carrying out multiple remote administration, remote support, surveillance, and remote proxy tasks.

Breaking Security has many customers, he said, including those in IT management and cybersecurity, as well as business owners and private users. "Now, due to the power and versatility of this software, some users abused it by using it to control machines where they didn’t have ownership on," he wrote. "This is explicitly forbidden by our Terms of Usage, which any user must accept prior to registering and buying on our site."

Viotto said each Remcos user has a unique license code that makes it easy to spot when the software has been installed on unauthorized systems. In the event Breaking Security discovers a user is abusing the software, the license can be immediately revoked, he explained, plus the company offers a dedicated email on its site that security researchers can use to report abuse. However, Talos never reported any such abuse prior to the report, Viotto said.

"If the researchers who wrote, 'I sell Remcos to cybercriminals' did their homework well, why didn't they mention all the anti-abuse code which I programmed into Remcos?" he wrote. "Why should I include these protection methods and ruin my business if these accusations are true?"

Viotto added that if Cisco Talos had been really interested in stopping the malicious campaigns, the easiest method was to report the abuse to the company first.

Cisco Talos' analysis has revealed several attempts by adversaries to install Remcos on various endpoints via different distribution methods, including specially crafted spear-phishing emails. Among the organizations that one attacker has targeted using Remcos are news agencies, diesel equipment manufacturers, HVAC service providers, and organizations within the energy and maritime sector.

Remcos is not the only ostensibly legitimate tool that attackers can obtain from Breaking Security.

The firm also offers an encryption tool called Octopus Protector that attackers can use to hide malware from threat detection tools; a keylogger for capturing and transmitting keystrokes on infected systems; a mass-mailing tool for sending spam; and a DynDNS service for post-compromise command and control. The firm even has a YouTube video on its site showing potential buyers how they can use the Octopus Protector to bypass antimalware tools.

Breaking Security's portfolio of products and services, when combined with Remcos, gives attackers all the tools required to build and maintain a potentially illegal botnet, Cisco Talos said.

From a functionality and use case standpoint, Remcos is a fairly standard-issue RAT. What makes the tool interesting is how it is being openly sold as a legitimate tool for remote administration of Windows systems, says Craig Williams, director of outreach with Talos.

"The fact that [Breaking Security's] business model involves openly selling tools which appear to be widely used by malware authors is fairly unusual," he says.

There have been other instances where someone has openly advertised and sold malware under the guise of it being a legitimate tool, but those have been reasonably rare. "Gray area software is something to be concerned about," Williams says.

Arguably, tools such as Remcos can have a legitimate purpose, which is possibly why Breaking Security is selling it openly. "If someone wanted to monitor and keylog a computer remotely with binaries that evaded antivirus through a DynDNS C2 mechanism for legal purposes, this may be useful," Williams says.

The tool is especially useful if the initial install vector needed to be a phishing email, he notes. But, otherwise, few other legitimate use cases for the tool appear to exist.

Businesses like Breaking Security highlight the reasons why one should never buy so-called "administrative tools" from questionable companies, Williams said.

To assist organizations that may have become victims of Remcos, Talos is providing an open source tool capable of extracting the C2 server address and other information needed to block the threat, he adds.

Related Content:

   

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.