Cisco Links Remote Access Tool Remcos to Cybercriminal Underground

Questions are being raised about whether remote-access and testing tools from a mysterious company called Breaking Security are made and sold by cyber criminals, after the tools have been widely adopted as a turnkey solution for setting up and running botnets, according to Cisco Talos.

Security researchers said they’ve observed “multiple campaigns” using the Remcos remote access tool (RAT) from Breaking Security alongside other software from the company–such as the Octopus Protector crypto–to build and maintain botnets, according to a blog post by threat researcher Edmund Brumaghin.

Cisco Talos has seen a number of attempts to install the Remcos RAT on various endpoints, with many of these campaigns using different methods to avoid detection, Brumaghin outlined in his post.

Researchers believe that multiple unrelated actors are using Remcos, including an attacker that was found earlier this year to be targeting defense contractors in Turkey who is still operating and targeting other very specific organizations. These include international news agencies; diesel equipment manufacturers; and service providers operating within the maritime and energy sector, he said.

“In all of the observed campaigns, the attack begins with specially crafted spear-phishing emails written in Turkish,” Brumaghin wrote. “The emails appear as if they were sent from a Turkish government agency and purport to be related to tax reporting for the victim’s organization.”

There are also campaigns–which typically have attached to the emails Microsoft Office documents such as Excel spreadsheets and Word document– targeting English- and Polish-speaking users, he said.The macros in the malicious attached files contain a small executable that is embedded into the document in the form of a series of arrays, Brumaghin wrote.

“When executed, the macros reconstruct the executable, save it to a specific location on the system and execute it,” he explained. “The extracted executable is simple and functions as the downloader for the Remcos malware. It is a very basic program and is used to retrieve Remcos from an attacker-controlled server and execute it, thus infecting the system.”

[Related coverage: Cisco warns of Internet of Things, Supply Chain Risk]

While the file location specified changes across malicious documents, it includes directories commonly used by malware authors such as %APPDATA% and %TEMP%, Brumaghin said. The executable filename also changes across documents.

Popular with cyber-criminals

Though Breaking Security–which provides little information about its owners, developers or location–has maintained publicly it only sells the software for legitimate uses, its use by malware actors apparently is common enough to be suspicious. This issue recently was raised in an article on the KrabsonSecurity blog, and seems reinforced by the Cisco Talos findings.

The KrabsonSecurity article prompted a response by a Breaking Security representative with the user name “Viotto,” which also is the name of Breaking Security’s key logger product.

Viotto defended Remcos’ legitimacy. In fact, the company said it will revoke licenses for users not following their EULA, the user wrote.”We don’t allow malicious usage, and this is why … the customer license is stored in the Remcos agent, and can be easily retrieved using the -l command,” Viotto wrote. “Any time we get a report of someone abusing our software and not using it for legal means, we can promptly check and make his copy unusable anytime. We have a dedicated email just for abuse reports: abuse@breakingsecurity.net.”

Still, Remcos and related tools do seem to be a pretty handy for people who want to develop botnets using spear-phishing campaigns. Even the company has demonstrated this in a YouTube video available on the Breaking Security channel that shows the tool’s ability to facilitate the bypass of several antivirus protections.

Breaking Security also offers other seemingly cyber-criminal-friendly products, including the aforementioned keylogger that can be used to record and send the keystrokes made on an infected system; a mass mailer that can be used to flood inboxes with spam emails; and a DynDNS service that can be leveraged for post-compromise command and control (C2) communications.

“These tools, when combined with Remcos, provide all the tools and infrastructure needed to build and maintain a botnet,” Brumaghin noted in his post.

Mystery company?

Breaking Security maintains an air of secrecy on its website, where there is no mention of the location of the company’s offices or the names of executives or staff. A VAT number on the site indicates that the company is registered in Germany, which, coincidentally or not, is one country that does not allow people to look up the names and addresses of companies or their owners on the EC website for validating VATs, Brumaghin said.

“Because Breaking Security was registered in Germany, we were unable to identify the name and address of the individual behind this company,” he said.

However, after some investigating, Cisco Talos tied Remcos and the user name “Viotto” to hacking websites and forums on which the software is sold, raising the air of suspicion around the company’s assertion its tools are for legitimate purposes only.

Remcos’ prices per license range from €58 to €389, and customers can pay for the RAT using a variety of digital currencies. Once purchased, the Remcos RAT can be used to fully control and monitor any Windows operating system, from Windows XP and all versions thereafter, including server editions.

To help people who became victims of a harmful use of Remcos, Talos is providing a decoder script that can extract the C2 server addresses and other information from the Remcos binary.

The company also recommends a host of other Cisco software that can be installed to protect systems against botnets developed by the tools, including Advanced Malware Protection, Cisco Cloud Web Security, Email Security and Cisco’s range of Network Security appliances.