Cisco Talos threat researchers discovered malware campaigns using Remcos, a remote access tool (RAT), being sold online by a company called Breaking Security.
The company claims it will only sell the software for legal uses. But the RAT gives buyers everything they need to build a botnet and can be used to control and monitor Windows operating systems.
A RAT is a piece of software used to remotely access or control a computer. While this type of software can be used for legitimate purposes, it can also be used by an attacker to access systems without the victim’s knowledge.
Alongside Remcos, Breaking Security sells a slew of other nefarious products, according to a Talos blog post. This includes a cryptor designed to allow malicious software to bypass detection by anti-malware products, a keylogger that can be used to record and send the keystrokes made on an infected system, a mass mailer that can send large volumes of spam emails, and a DynDNS service for post-compromise command and control (C2) communications.
The company’s website also includes a YouTube video with instructions on how to use the cryptor — dubbed Octopus Protector — to bypass antivirus tools.
“This is what we call gray-area software,” said Craig Williams, director of outreach for Cisco Talos. “We see this type of thing every few years: widely distributing software as not malware, but it meets almost all, if not all, criteria for malware. We would equate this to exploit kits. If someone isn’t smart enough to build their own botnet, they can purchase a botnet kit.”
Talos researchers tied the company to an individual who says he lives in Italy. He’s also selling and advertising Remcos on several hacking forums, which indicates that other hackers are likely using the tool in a variety of different attacks. Additionally, Talos discovered instances in which attackers are using Remcos to gain access to organizations that are part of the supply chain for critical infrastructure.
Williams said Cisco notified international law enforcement agencies about Breaking Security and the RAT. Talos also released a free decoder script that can extract the C2 server addresses and other information from the Remcos binary.