Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/22/2018
12:01 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Attackers Using 'Legitimate' Remote Admin Tool in Multiple Threat Campaigns

Researchers from Cisco Talos say Breaking Security's Remcos software allows attackers to fully control and monitor any Windows system from XP onward.

A tool sold by Germany-based firm Breaking Security as legitimate software for remotely managing Windows systems is instead being widely used by threat actors in multiple malicious campaigns.

Researchers at Cisco Talos say that Breaking Security's Remcos software is a sophisticated Remote Access Trojan (RAT) that attackers can use to fully control and monitor any Windows computer from XP onward, including those running server editions of the operating system.

Breaking Security has said Remcos is only sold for legitimate uses and that it will revoke the license of any users caught using the software for malicious purposes. However, the product — which sells for anywhere from around $57 to $450 — is being widely advertised and sold on numerous hacking-related forums apparently with Breaking Security's knowledge and, in some cases, active participation, Talos said in an advisory Wednesday.

Despite Breaking Security's claims about revoking licenses, multiple unrelated adversaries are using Remcos in a variety of different threat campaigns, including one targeting defense contractors in Turkey, Talos said.

But Francesco Viotto, an individual who identified himself as an administrator and developer at Breaking Security, says that Talos' analysis is incorrect, incomplete, and damaging. In emailed comments to Dark Reading, Viotto said Remcos — an acronym for Remote Control & Surveillance — is simply a powerful tool for carrying out multiple remote administration, remote support, surveillance, and remote proxy tasks.

Breaking Security has many customers, he said, including those in IT management and cybersecurity, as well as business owners and private users. "Now, due to the power and versatility of this software, some users abused it by using it to control machines where they didn’t have ownership on," he wrote. "This is explicitly forbidden by our Terms of Usage, which any user must accept prior to registering and buying on our site."

Viotto said each Remcos user has a unique license code that makes it easy to spot when the software has been installed on unauthorized systems. In the event Breaking Security discovers a user is abusing the software, the license can be immediately revoked, he explained, plus the company offers a dedicated email on its site that security researchers can use to report abuse. However, Talos never reported any such abuse prior to the report, Viotto said.

"If the researchers who wrote, 'I sell Remcos to cybercriminals' did their homework well, why didn't they mention all the anti-abuse code which I programmed into Remcos?" he wrote. "Why should I include these protection methods and ruin my business if these accusations are true?"

Viotto added that if Cisco Talos had been really interested in stopping the malicious campaigns, the easiest method was to report the abuse to the company first.

Cisco Talos' analysis has revealed several attempts by adversaries to install Remcos on various endpoints via different distribution methods, including specially crafted spear-phishing emails. Among the organizations that one attacker has targeted using Remcos are news agencies, diesel equipment manufacturers, HVAC service providers, and organizations within the energy and maritime sector.

Remcos is not the only ostensibly legitimate tool that attackers can obtain from Breaking Security.

The firm also offers an encryption tool called Octopus Protector that attackers can use to hide malware from threat detection tools; a keylogger for capturing and transmitting keystrokes on infected systems; a mass-mailing tool for sending spam; and a DynDNS service for post-compromise command and control. The firm even has a YouTube video on its site showing potential buyers how they can use the Octopus Protector to bypass antimalware tools.

Breaking Security's portfolio of products and services, when combined with Remcos, gives attackers all the tools required to build and maintain a potentially illegal botnet, Cisco Talos said.

From a functionality and use case standpoint, Remcos is a fairly standard-issue RAT. What makes the tool interesting is how it is being openly sold as a legitimate tool for remote administration of Windows systems, says Craig Williams, director of outreach with Talos.

"The fact that [Breaking Security's] business model involves openly selling tools which appear to be widely used by malware authors is fairly unusual," he says.

There have been other instances where someone has openly advertised and sold malware under the guise of it being a legitimate tool, but those have been reasonably rare. "Gray area software is something to be concerned about," Williams says.

Arguably, tools such as Remcos can have a legitimate purpose, which is possibly why Breaking Security is selling it openly. "If someone wanted to monitor and keylog a computer remotely with binaries that evaded antivirus through a DynDNS C2 mechanism for legal purposes, this may be useful," Williams says.

The tool is especially useful if the initial install vector needed to be a phishing email, he notes. But, otherwise, few other legitimate use cases for the tool appear to exist.

Businesses like Breaking Security highlight the reasons why one should never buy so-called "administrative tools" from questionable companies, Williams said.

To assist organizations that may have become victims of Remcos, Talos is providing an open source tool capable of extracting the C2 server address and other information needed to block the threat, he adds.

Related Content:

   

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.