Symantec researchers have recently discovered that a new Remote Access Trojan (RAT) is currently being offered for just $58 by its creator, an Italian malware author known as “z3r0”.
The RAT, named Remvio, is a backdoor Trojan, but it comes in a package with an End User License Agreement (EULA) that disclaims any responsibility on the creator's part if Remvio is used in any kind of malicious activity. This must be very appealing to many cybercriminals. However, the RAT's price can go up to $389, depending on the type of EULA the buyer wants.
Symantec researcher Christian Tripputi explains that Remvio can be used in attacks against corporations just as it can against private users, and it is able to target all Windows versions. Tripputi also adds that, at this point, there is no proof that the Trojan is currently being used in live attacks.
Once bought, the buyer can spread the new purchase via many methods, such as spam messages with a link to the Trojan, watering hole attacks, exploit kits, droppers, malicious attachments, etc. The buyers have many options for distributing Remvio.
According to Symantec's team, Remvio was written in C++. Despite being only 24-70 KB in size, its range of capabilities is not limited in any way. The security experts also found that the Trojan's builder and control panel is approximately 6.3 MB and was developed in the Delphi programming language.
“The control panel includes functionalities like automation tasks, which facilitate exfiltration activities without requiring the cybercriminal to physically operate the threat when the victims come online,” Tripputi notes.
Remvio, as a RAT, is able to take screenshots, log keystrokes, record microphone audio, and capture webcam audio and video. What's really concerning is that it is also able to extract passwords from a broad range of applications.
It has already been confirmed that the Trojan is able to steal passwords from popular browsers and messaging apps, including Explorer, Chrome, Firefox, Opera, Pidgin, Trillian, Miranda, ICQ, Digsby, PaltalkScene, and Windows MSN/Live Messenger. For now, even though its control panel claims it can steal credentials from Safari, there is no evidence that Remvio can be used against Mac OS X.
Moreover, Symantec adds that Remvio is designed to avoid detection by most security technologies. It also supports anti-analysis options: if the Trojan detects that it is running inside a virtual machine or under a debugger, it immediately stops running and deletes itself.
The Trojan uses port 2404 for network communication by default, but operators can easily change this through the builder interface. Experts also discovered that its default network encryption password is “pass”, though this can also be changed. The name of the registry key where the backdoor is installed, and how it starts on the infected machine, are also customizable.