Another option added to today's commodity malware market

Aug 5, 2016 16:10 GMT  ·  By

An Italian malware developer by the name of Viotto has published his latest creation, the Remcos RAT (Remote Access Trojan), which he's selling on underground hacking forums for a price that varies between $58 and $389, payable in various anonymous digital currencies.

According to a listing on one of the hacking forums, the Remcos RAT was released towards the end of July and has already reached version 1.3. Viotto says that the Remcos client (the component that runs on the victim's machine) is coded in C++, while the C&C server component is written in Delphi.

Remcos includes a keylogger, password dumper, and more

Remcos is offered as a free download with limited features, but the Pro version provides access to all of the RAT's features.

This includes the ability to take screenshots of infected computers, log keystrokes offline or in real time, record audio from the device's microphone, and capture video from the device's camera.

Additionally, Remcos also includes a password dumping component, which all professional RATs seem to have these days. Viotto claims that his RAT can dump passwords from applications such as Internet Explorer, Firefox, Chrome, Safari, Opera, Pidgin, Trillian, Miranda, and ICQ.

An analysis carried out by Symantec, which detects the RAT as Remvio, reveals that this password dumper is also effective against Digsby, Paltalk, and Windows MSN/Live Messenger, but not against Safari as Viotto claims.

Remcos can target only Windows PCs

Remcos works on all Windows versions from XP onward, on both 32-bit and 64-bit platforms. All data stolen from infected devices is sent to the C&C server encrypted over HTTPS, so the exfiltrated content is not visible to passive network inspection.

Probably the most dangerous Remcos feature is its ability to queue operations. Operators can create a list of commands for the RAT to carry out, and Remcos will execute them in the desired order as soon as the victim's machine next comes online, with no need for the operator to be at the console at that moment.

[Image: Remcos RAT interface]

To avoid detection, Remcos uses anti-analysis techniques that let it recognise when it is being executed inside a virtual machine or alongside reverse-engineering tools; in that case the RAT shuts down and deletes itself. Besides encrypting the C&C communications, Remcos also encrypts its local logs.

Remcos buyers get a builder that allows them to compile their own custom version of the RAT, which they can distribute via spear-phishing emails or drive-by downloads.

This builder lets users choose the port number over which data is exfiltrated and the registry value names the RAT uses for persistence on the device, so neither a fixed port nor a fixed registry name is a reliable indicator on its own.
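A defender-side check that follows from the builder options above, given here as an added example that is not part of the article and not Remcos code: it judges auto-start registry entries by where the image lives and how the command is shaped, never by the value name, since the operator picks that name. The Run/RunOnce key list, the trusted directories and the sample entries are all assumptions constructed for the example; the article does not say which keys Remcos writes.

```python
"""Flag auto-start registry entries by image path and command shape.
Added example, not taken from the article or from Remcos.  The value name is
deliberately ignored because the RAT builder lets the operator choose it."""
import re
from dataclasses import dataclass

# Assumed auto-start locations (common Windows persistence keys; an assumption,
# the article does not state which keys Remcos uses).
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Directories a legitimate auto-start binary normally runs from (assumed allow-list).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# User-writable locations that commodity RATs commonly drop into.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class AutorunEntry:
    key: str
    name: str      # registry value name, chosen by the operator
    command: str   # registry value data (the command line run at logon)


def extract_image_path(command: str) -> str:
    """Return the executable path from a Run-value command line.
    Handles quoted paths and bare paths followed by arguments."""
    cmd = command.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(\S+?\.(?:exe|com|bat|cmd|scr|vbs|js|ps1))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def classify(entry: AutorunEntry) -> list:
    """Return the reasons an entry needs review (empty list = looks benign)."""
    reasons = []
    path = extract_image_path(entry.command).lower()
    lower_cmd = entry.command.lower()

    # Where does the image live?  A bare name is resolved through PATH at logon.
    if not re.match(r"^([a-z]:\\|%|\\\\)", path):
        reasons.append("unqualified image name, resolved through PATH at logon")
    elif not any(path.startswith(t) for t in TRUSTED_DIRS):
        reasons.append("runs from outside Program Files / Windows")

    # Does any part of the command line point into a user-writable directory?
    if any(d in lower_cmd for d in USER_WRITABLE) or re.search(
        r"%(appdata|localappdata|temp|tmp)%", lower_cmd
    ):
        reasons.append("references a user-writable directory")

    # Script and COM hosts are a common way to launch a payload indirectly.
    if re.search(r"\b(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", lower_cmd):
        reasons.append("launches via a script/COM host rather than a plain executable")

    if re.search(r"\.(scr|com|vbs|js|bat|cmd)$", path):
        reasons.append("unusual auto-start extension")
    return reasons


def scan(entries) -> dict:
    """Map value name -> reasons for every entry that needs review."""
    result = {}
    for e in entries:
        reasons = classify(e)
        if reasons:
            result[e.name] = reasons
    return result


# Constructed sample entries (not real telemetry).  Note that the suspicious
# ones carry innocuous-looking names, which is exactly why names are ignored.
SAMPLE_ENTRIES = [
    AutorunEntry(RUN_KEYS[0], "OneDrive",
                 r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    AutorunEntry(RUN_KEYS[0], "WindowsUpdate",
                 r'"C:\Users\alice\AppData\Roaming\WinUpdate\winupdate.exe"'),
    AutorunEntry(RUN_KEYS[2], "SecurityHealth",
                 r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutorunEntry(RUN_KEYS[1], "svchost",
                 r'wscript.exe //B "C:\ProgramData\update.vbs"'),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host the same `classify` can be fed from `winreg` by enumerating the values under each key in `RUN_KEYS`; the point of the example is that the decision rests on the image path and command line, which the builder cannot make look like a Program Files install without actually writing there.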

Remcos author has a history of developing malware

Viotto, the 26-year-old behind the RAT, is also the author of other tools such as Octopus Crypter (a code-obfuscation utility meant to deter reverse engineering), the Poseidon Mailer (a mass-mailing client), Viotto Keylogger, and Viotto Binder, an app that binds two executables into one, which is ideal for packing malware into otherwise clean binaries.

Viotto also uses other names to sell his malware. You'll also find him online as "z3r0." A quick YouTube search for Remcos will bring up a few demos.

