Cisco smells a RAT in Breaking Security's Remcos PC wrangler
Researchers claim pentesting software being used for botnets
Updated Cisco Talos says criminals are using one research company's testing tools to set up and run botnets.
A report released Wednesday by Talos researchers found that Breaking Security's Remcos remote control tool and Octopus Protector encryption utility, along with other Breaking Security tools, are being used in the wild to set up and maintain botnets.
While Breaking Security – which did not respond to a request for comment – maintains in its ToS that its products are only for legit purposes and it will revoke the license for anyone who misuses its products, Cisco Talos claims the tools can easily be used as malware and misuse of the software is rampant.
"While the organization that sells Remcos claims that the application is only for legal use, our research indicates it is still being used extensively by malicious attackers, as well," the report claims.
"In some cases, attackers are strategically targeting victims to attempt to gain access to organizations that operate as part of the supply chain for various critical infrastructure sectors."
Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the KremlinREAD MORE
Among the attacks Talos says it has spotted the software being used for targeted attacks on businesses in Turkey, Spain, Poland, and the UK, mostly hidden as email attachments within spear-phishing attempts.
Once installed, Remcos can be used to monitor user activity, including keystroke logging, remote screenshots and command execution.
Because of this, Talos says that it is classifying Remcos as a Remote Access Trojan (RAT) software and is distributing decoder script to help companies detect and remove the Remcos software from their systems. The researchers are also advising admins to screen for and treat a Remcos installation as they would any other trojan or piece of malware.
"Organizations should ensure that they are implementing security controls to combat Remcos, as well as other threats that are being used in the wild," the researchers write.
"Remcos is a robust tool that is being actively developed to include new functionality increasing what the attackers can gain access to. To combat this, organizations should continue to be aware of this threat, as well as others like this that may be circulated on the internet." ®
Updated to add
Remcos developer Francesco Viotto has been in touch to defend his software.
"We have many customers ranging from IT management [to] cybersecurity, business owners, private users, etc," he told The Register.
"Now, due to the power and versatility of this software, some users abused it, by using it to control machines where they didn’t have ownership on. This is explicitly forbidden by our terms of usage, which any user must accept prior to registering and buying on our site.
"We have many methods that help us ensure the legitimate usage of our software. In the case we find out that a user is abusing our software, we can revoke his license immediately. When license is revoked, the user is immediately blocked from using Remcos, even if he is using it in that moment. This means, if there is suspicious activity in progress, we can immediately block it.
"Also, each user has got its own unique license code, which gets printed onto Remcos. If a user installs Remcos in computers where he does not have ownership on, it is easy to check who is the responsible user."
If you see anyone misusing the tool, you should email abuse at breakingsecurity.net, Viotto added.