New Remcos RAT Available for Sale on Underground Hacking Forums

Exterminator
Thread author
Oct 23, 2012
An Italian malware developer by the name of Viotto has published his latest creation, the Remcos RAT (Remote Access Trojan), which he's selling on underground hacking forums for a price that varies from $58 to $389, payable in various anonymous digital currencies.

According to a listing on one of the hacking forums, the Remcos RAT was released towards the end of July, and has already reached version 1.3. Viotto says that the Remcos client is coded in C++, while the C&C server component runs on Delphi.

Remcos includes a keylogger, password dumper, and more
Remcos is offered as a free download with limited features, but the Pro version provides access to all the RAT's features.

This includes the ability to take screenshots of infected computers, log keystrokes offline or in real time, record content via the device's microphone, and record content via the device's camera.

Additionally, Remcos includes a password dumping component, which all professional RATs seem to have these days. Viotto claims that his RAT can dump passwords from applications such as Internet Explorer, Firefox, Chrome, Safari, Opera, Pidgin, Trillian, Miranda, and ICQ.

An analysis by Symantec, which detects the RAT as Remvio, reveals that this password dumper is also effective against Digsby, Paltalk, and Windows MSN/Live Messenger, but not against Safari as Viotto claims.

Remcos can target only Windows PCs
Remcos works on all Windows versions from XP and higher, on both 32-bit and 64-bit platforms. All data stolen from infected devices is sent encrypted via HTTPS to the C&C server.

Probably the most dangerous Remcos feature is its ability to queue operations. Users can create a list of operations for the RAT to carry out, and Remcos will execute them in the desired order when the victim comes online.

Remcos RAT interface
To avoid detection, Remcos uses anti-analysis techniques that let it detect when it is being executed inside a VM or in the presence of reverse-engineering tools; when it does, the RAT shuts down and deletes itself. Besides encrypting the C&C communications, Remcos also encrypts its local logs.

Remcos buyers get a builder which allows them to compile their own custom version of the RAT, which they can distribute via spear-phishing emails or drive-by downloads.

This builder lets users customize the port number through which data is exfiltrated and the registry names it uses to achieve device persistence.

Remcos author has a history of developing malware
Viotto, the 26-year-old behind the RAT, is also the author of other applications such as Octopus Crypter (code obfuscation utility to deter reverse engineering), the Poseidon Mailer (mass-mail client), Viotto Keylogger, and Viotto Binder, an application to bind two executables into one, ideal for packing malware into clean binaries.

Viotto also uses other names to sell his malware. You'll also find him online as "z3r0." A quick YouTube search for Remcos will bring up a few demos.