U.S. law enforcement has been alerted to the use of the Remcos RAT in multiple global hacking campaigns, according to Cisco’s Talos Security Intelligence and Research Group.
The ads say Remcos Remote Access Tool is legal IT management software. But the RAT allows a user to sneak malware by security products and then secretly surveil a targeted computer. Remcos itself is sold by a German-registered company, Breaking Security, that markets it as a legitimate way to remotely access computers. However, the software has been spotted in hacking campaigns targeting defense contractors in Turkey, news agencies, diesel equipment manufacturers, airlines and energy sector companies.
“What we found here is a piece of software being used by bad guys in a lot of different places,” Cisco Talos director Craig Williams told CyberScoop. “They sell a crypter attempting to make the malware undetectable, a keylogger payload, a mass mailer to mail it out and they even have a dynamic DNS command and control system. While one could it argue it’s for lawful purposes, it seems to be set up to bypass security devices and evade detection.”
Talos outlined a newly discovered phishing campaign where the attacker pretends to be a Turkish government agency within that country’s Ministry of Finance.
With malicious Microsoft Office documents attached to the email, a tiny embedded executable downloads Remcos and infects the victim’s machine. With that one click, the hacker can then completely monitor and control the target machine include monitor keystrokes, take screenshots and execute code.
On Wednesday, Talos published an automatic decoder script allowing anyone to process the malware, extract the command and control server addresses and other key information from Remcos in order to block the malware. Williams said his team has seen “hundreds of instances of this malware” used in targeted attacks.
Here’s the product’s slickly produced logo:
The Remcos developer goes by the name Viotto. Cisco Talos said nobody from their team had reached out to Viotto prior to the publication of their report. In response to questions from CyberScoop, Viotto said the company has legal customers “ranging from IT management, cybersecurity, business owners, private users, etc.” No specific customers were offered up.
Although “due to the power and versatility of this software, some users abused it,” Viotto said Remcos actively revokes the license of any user found to be violating their terms of usage or the law. No researcher had emailed firstname.lastname@example.org to alert the company to problems, he said.
“While the organization that sells Remcos claims that the application is only for legal use, our research indicates it is still being used extensively by malicious attackers, as well,” Williams said. “In some cases, attackers are strategically targeting victims to attempt to gain access to organizations that operate as part of the supply chain for various critical infrastructure sectors.”
Annoyed with the accusations, Viotto pointed to “anti-abuse code” programmed into Remcos that would allow him stop any Remcos-fueled campaign “within 10 minutes.”
Remcos is not the first tool that’s marketed as legitimate but leveraged as a hacker’s Swiss Army Knife. Most notable is the Blackshades RAT, a popular Remote Access Tool developed and that was sold by an American man named Michael Hogue. Inexpensive and simple to use, Blackshades was marketed as a “remote access tool” but was sold, with a wink and nod, on websites like HackForums. Blackshades generated over $350,000 in sales and was used by the Syrian government during the early years of that country’s civil war. Hogue was sentenced to five years probation for selling his allegedly legitimate software for its true purpose: Hijacking targeted computers and committing credit card fraud.
Remcos is also advertised on HackForums but Viotto argues that it makes sense for him to be there, a nexus of potential customers, employers and skilled developers.
“It is like opening a shop in a big city, you can find any kind of people, good and bad,” Viotto said.
But the accusations of wrongdoing by Remcos users are not new. The cybersecurity firm Fortinet published research being used by criminals in 2017, RiskIQ outted a Remcos-powered phishing campaign earlier this year. As early as 2016, U.S. authorities called Remcos malware due to its prevalence in hacking campaigns.
The legality of Remcos itself is one thing. The repeated and unabated use of Remcos by profit-driven cybercriminals is beyond question.
Williams and the Talos team connected Remcos with the name Francesco Viotto, which was found from the WHOIS information from one of the associated domains. It’s not clear if the name is legitimate but the name is used on vitto-security.net, a domain used for nearly a decade and has ties to Remcos. By using Archive.org, it’s possible to see the page as it existed in 2010 when the author laid out his biography: Born in 1990, he began hacking in 2007 where he used and then built infamous malware like Poision Ivy and Bifrost.
Remcos is one of two major RATs sold recently on HackForums. The other is NetWire, another slickly-marketed RAT that’s been in wide use by global cybercriminals since 2012.