Criminals create botnets with legitimate tools for remote access

Attackers are using commercially sold, officially "testing" tools to build and operate botnets. Specifically, the Cisco Talos team reports abuse of the Remcos (Remote Control and Surveillance) remote access tool, the Octopus Protector encryption utility and other software produced by the company Breaking Security.

According to the terms of service posted on the Breaking Security website, its products may be used only for lawful purposes, and any violation results in revocation of the license. However, according to Cisco Talos, Remcos has been used in a number of targeted phishing attacks on organizations in Turkey, Spain, Poland and the United Kingdom, including military contractors, international news agencies, equipment manufacturers, and service providers in the energy and maritime sectors.

Once installed on a system, Remcos can be used to monitor user activity, including recording keystrokes, remotely capturing screenshots and executing commands. According to the official product description, Remcos, offered at prices from €58 to €389, provides full control over any version of Windows starting with XP.

Despite the statements on the Breaking Security website, the researchers questioned the developer's good faith, given that the tool has been advertised on hacker forums since at least 2016. As an example, they cited a post on one such forum in which a Remcos customer says he uses the company's software to manage two hundred "bots".

The tool's creator, Francesco Viotto, responded to Cisco Talos's allegations by stating that the program is intended solely for legitimate use.

"Due to the power and versatility of our software, some users use it for malicious purposes, using it to manage machines that do not belong to them," Viotto told Bleeping Computer reporters, stressing that in cases of suspicious use of the software the license is immediately revoked. According to him, the researchers never sent a single notice of malicious use of Remcos, even though the company's website lists an e-mail address specifically for such reports.