Attackers Using 'Legitimate' Remote Admin Tool in Multiple Threat Campaigns
Researchers from Cisco Talos say Breaking Security's Remcos software allows attackers to fully control and monitor any Windows system from XP onward.
August 22, 2018
A tool sold by Germany-based firm Breaking Security as legitimate software for remotely managing Windows systems is instead being widely used by threat actors in multiple malicious campaigns.
Researchers at Cisco Talos say that Breaking Security's Remcos software is a sophisticated Remote Access Trojan (RAT) that attackers can use to fully control and monitor any Windows computer from XP onward, including those running server editions of the operating system.
Breaking Security has said Remcos is only sold for legitimate uses and that it will revoke the license of any users caught using the software for malicious purposes. However, the product — which sells for anywhere from around $57 to $450 — is being widely advertised and sold on numerous hacking-related forums apparently with Breaking Security's knowledge and, in some cases, active participation, Talos said in an advisory Wednesday.
Despite Breaking Security's claims about revoking licenses, multiple unrelated adversaries are using Remcos in a variety of different threat campaigns, including one targeting defense contractors in Turkey, Talos said.
But Francesco Viotto, an individual who identified himself as an administrator and developer at Breaking Security, says that Talos' analysis is incorrect, incomplete, and damaging. In emailed comments to Dark Reading, Viotto said Remcos — an acronym for Remote Control & Surveillance — is simply a powerful tool for carrying out multiple remote administration, remote support, surveillance, and remote proxy tasks.
Breaking Security has many customers, he said, including those in IT management and cybersecurity, as well as business owners and private users. "Now, due to the power and versatility of this software, some users abused it by using it to control machines where they didn’t have ownership on," he wrote. "This is explicitly forbidden by our Terms of Usage, which any user must accept prior to registering and buying on our site."
Viotto said each Remcos user has a unique license code that makes it easy to spot when the software has been installed on unauthorized systems. In the event Breaking Security discovers a user is abusing the software, the license can be immediately revoked, he explained, plus the company offers a dedicated email on its site that security researchers can use to report abuse. However, Talos never reported any such abuse prior to the report, Viotto said.
"If the researchers who wrote, 'I sell Remcos to cybercriminals' did their homework well, why didn't they mention all the anti-abuse code which I programmed into Remcos?" he wrote. "Why should I include these protection methods and ruin my business if these accusations are true?"
Viotto added that if Cisco Talos had been really interested in stopping the malicious campaigns, the easiest method was to report the abuse to the company first.
Cisco Talos' analysis has revealed several attempts by adversaries to install Remcos on various endpoints via different distribution methods, including specially crafted spear-phishing emails. Among the organizations that one attacker has targeted using Remcos are news agencies, diesel equipment manufacturers, HVAC service providers, and organizations within the energy and maritime sector.
Remcos is not the only ostensibly legitimate tool that attackers can obtain from Breaking Security.
The firm also offers an encryption tool called Octopus Protector that attackers can use to hide malware from threat detection tools; a keylogger for capturing and transmitting keystrokes on infected systems; a mass-mailing tool for sending spam; and a DynDNS service for post-compromise command and control. The firm even has a YouTube video on its site showing potential buyers how they can use the Octopus Protector to bypass antimalware tools.
Breaking Security's portfolio of products and services, when combined with Remcos, gives attackers all the tools required to build and maintain a potentially illegal botnet, Cisco Talos said.
From a functionality and use case standpoint, Remcos is a fairly standard-issue RAT. What makes the tool interesting is how it is being openly sold as a legitimate tool for remote administration of Windows systems, says Craig Williams, director of outreach with Talos.
"The fact that [Breaking Security's] business model involves openly selling tools which appear to be widely used by malware authors is fairly unusual," he says.
There have been other instances where someone has openly advertised and sold malware under the guise of it being a legitimate tool, but those have been reasonably rare. "Gray area software is something to be concerned about," Williams says.
Arguably, tools such as Remcos can have a legitimate purpose, which is possibly why Breaking Security is selling it openly. "If someone wanted to monitor and keylog a computer remotely with binaries that evaded antivirus through a DynDNS C2 mechanism for legal purposes, this may be useful," Williams says.
The tool is especially useful if the initial install vector needed to be a phishing email, he notes. But, otherwise, few other legitimate use cases for the tool appear to exist.
Businesses like Breaking Security highlight the reasons why one should never buy so-called "administrative tools" from questionable companies, Williams said.
To assist organizations that may have become victims of Remcos, Talos is providing an open source tool capable of extracting the C2 server address and other information needed to block the threat, he adds.
Related Content:
Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info.
About the Author
You May Also Like