Attackers Using Legitimate Remote Admin Tool in Multiple Threat Campaigns

Researchers from Cisco Talos say Breaking Securitys Remcos software allows attackers to fully control and monitor any Windows system from XP onward.

A tool sold by Germany-based firm Breaking Security as legitimate software for remotely managing Windows systems is instead being widely used by threat actors in multiple malicious campaigns.
Researchers at Cisco Talos say that Breaking Securitys Remcos software is a sophisticated Remote Access Trojan (RAT) that attackers can use to fully control and monitor any Windows computer from XP onward, including those running server editions of the operating system.
Breaking Security has said Remcos is only sold for legitimate uses and that it will revoke the license of any users caught using the software for malicious purposes. However, the product — which sells for anywhere from around $57 to $450 — is being widely advertised and sold on numerous hacking-related forums apparently with Breaking Securitys knowledge and, in some cases, active participation, Talos said in an
advisory
Wednesday.
Despite Breaking Securitys claims about revoking licenses, multiple unrelated adversaries are using Remcos in a variety of different threat campaigns, including one targeting defense contractors in Turkey, Talos said.
But Francesco Viotto, an individual who identified himself as an administrator and developer at Breaking Security, says that Talos analysis is incorrect, incomplete, and damaging. In emailed comments to Dark Reading, Viotto said Remcos — an acronym for Remote Control & Surveillance — is simply a powerful tool for carrying out multiple remote administration, remote support, surveillance, and remote proxy tasks.
Breaking Security has many customers, he said, including those in IT management and cybersecurity, as well as business owners and private users. Now, due to the power and versatility of this software, some users abused it by using it to control machines where they didn’t have ownership on, he wrote. This is explicitly forbidden by our Terms of Usage, which any user must accept prior to registering and buying on our site.
Viotto said each Remcos user has a unique license code that makes it easy to spot when the software has been installed on unauthorized systems. In the event Breaking Security discovers a user is abusing the software, the license can be immediately revoked, he explained, plus the company offers a dedicated email on its site that security researchers can use to report abuse. However, Talos never reported any such abuse prior to the report, Viotto said.
If the researchers who wrote, I sell Remcos to cybercriminals did their homework well, why didnt they mention all the anti-abuse code which I programmed into Remcos? he wrote. Why should I include these protection methods and ruin my business if these accusations are true?
Viotto added that if Cisco Talos had been really interested in stopping the malicious campaigns, the easiest method was to report the abuse to the company first.
Cisco Talos analysis has revealed several attempts by adversaries to install Remcos on various endpoints via different distribution methods, including specially crafted spear-phishing emails. Among the organizations that one attacker has targeted using Remcos are news agencies, diesel equipment manufacturers, HVAC service providers, and organizations within the energy and maritime sector.
Remcos is not the only ostensibly legitimate tool that attackers can obtain from Breaking Security.
The firm also offers an encryption tool called Octopus Protector that attackers can use to hide malware from threat detection tools; a keylogger for capturing and transmitting keystrokes on infected systems; a mass-mailing tool for sending spam; and a DynDNS service for post-compromise command and control. The firm even has a YouTube video on its site showing potential buyers how they can use the Octopus Protector to bypass antimalware tools.
Breaking Securitys portfolio of products and services, when combined with Remcos, gives attackers all the tools required to build and maintain a potentially illegal botnet, Cisco Talos said.
From a functionality and use case standpoint, Remcos is a fairly standard-issue RAT. What makes the tool interesting is how it is being openly sold as a legitimate tool for remote administration of Windows systems, says Craig Williams, director of outreach with Talos.
The fact that [Breaking Securitys] business model involves openly selling tools which appear to be widely used by malware authors is fairly unusual, he says.
There have been other instances where someone has openly advertised and sold malware under the guise of it being a legitimate tool, but those have been reasonably rare. Gray area software is something to be concerned about, Williams says.
Arguably, tools such as Remcos can have a legitimate purpose, which is possibly why Breaking Security is selling it openly. If someone wanted to monitor and keylog a computer remotely with binaries that evaded antivirus through a DynDNS C2 mechanism for legal purposes, this may be useful, Williams says.
The tool is especially useful if the initial install vector needed to be a phishing email, he notes. But, otherwise, few other legitimate use cases for the tool appear to exist.
Businesses like Breaking Security highlight the reasons why one should never buy so-called administrative tools from questionable companies, Williams said.
To assist organizations that may have become victims of Remcos, Talos is providing an open source tool capable of extracting the C2 server address and other information needed to block the threat, he adds.
Related Content:
Kronos Banking Trojan Resurfaces
Banking Botnet Operators Strike Profit-Sharing Partnership
Cybercrime Is Skyrocketing as the World Goes Digital
9 Banking Trojans & Trends Costing Businesses in 2017

Learn from the industrys most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for
more info
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Attackers Using Legitimate Remote Admin Tool in Multiple Threat Campaigns