Symantec recently noticed that an Italian malware author called z3r0 is selling a new remote access Trojan in an underground forum. The software is a back door threat that can be purchased for somewhere between US$58 and $389 in bitcoins depending on the license agreement. The malware comes with an end user license agreement (EULA) that denies any responsibility if a third party uses the software for malicious activity. Despite this, we decided to evaluate this back door software as a potential threat. Our products detect it as Backdoor.Remvio.
Remvio can compromise any version of Windows and can target both corporations and private users. We have not confirmed whether it has been used in the wild yet; our detection is currently proactive.
After attackers have purchased the back door Trojan, they can distribute it in a number of ways. They may use watering hole attacks, crafted emails that point to a malicious URL, or a malicious spam campaign. They may spread the malware using exploit kits and droppers.
The back door Trojan is written in C++ and packs many functions into a small binary (about 24-70 KB). The builder and control panel together are approximately 6.3 MB and were developed in Delphi. The control panel includes features such as automation tasks (Figure 1), which carry out exfiltration without requiring the cybercriminal to operate the threat manually whenever victims come online.
Figure 1. Remvio's automation tasks facilitate exfiltration
Remvio can also act as a remote access Trojan (RAT) with the ability to:
- Log keystrokes
- Capture screenshots
- Record webcam audio and video
- Record microphone audio
Figure 2. Remvio performs standard RAT actions
Remvio also has password recovery capabilities across different applications. While the control panel claims it can steal credentials from Safari, we did not find any evidence that the builder can be used to create Mac OS X malware. However, the Trojan can still exfiltrate passwords from popular browsers and instant messaging software including:
- Internet Explorer
- Windows MSN/Live Messenger
Figure 3. Remvio's password recovery feature
Along with its other capabilities, Backdoor.Remvio exposes configuration options intended to help it evade security products. It also includes anti-analysis options: if it detects that it is running in a virtual machine or under a debugger, it exits and then deletes itself.
Remvio uses port 2404 by default for network communication, but this can be changed from the builder interface. The threat uses "pass" as its default password for encrypting network traffic, and this too can be changed. Attackers using the back door can also customize the registry hive name it uses, the location where it is dropped, and how it starts on the compromised computer.
After the attacker has configured all of the options, they can compress the resulting file before delivering it to victims.
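Because the builder ships with port 2404 as its default, a first-pass hunt in firewall or proxy logs is to look for hosts repeatedly connecting to that port, and to check whether the connections are spaced at regular intervals (the kind of beaconing an automated task schedule produces). The script below is an added example written for this write-up, not code from Symantec or from the Remvio author. It assumes TCP (the write-up only states the port number), uses a constructed key=value log format that is hypothetical, and its sample lines are invented, with documentation-range addresses. Because operators can change the port in the builder, a hit is a lead to triage, and a miss proves nothing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Default listening port taken from the Remvio builder, per the write-up.
# The builder lets the operator change it, so absence of hits is not evidence of absence.
DEFAULT_REMVIO_PORT = 2404

# Constructed sample firewall log lines in a hypothetical key=value format.
# These are not real traffic; addresses are from documentation ranges.
SAMPLE_LOG = """\
2016-08-05T10:00:01Z action=allow proto=tcp src=10.0.0.12 sport=49152 dst=203.0.113.5 dport=2404
2016-08-05T10:00:05Z action=allow proto=tcp src=10.0.0.12 sport=49153 dst=203.0.113.5 dport=443
2016-08-05T10:05:01Z action=allow proto=tcp src=10.0.0.12 sport=49160 dst=203.0.113.5 dport=2404
2016-08-05T10:06:00Z action=allow proto=udp src=10.0.0.30 sport=53122 dst=10.0.0.1 dport=53
2016-08-05T10:10:02Z action=allow proto=tcp src=10.0.0.12 sport=49170 dst=203.0.113.5 dport=2404
2016-08-05T10:12:00Z action=deny proto=tcp src=10.0.0.44 sport=50001 dst=198.51.100.9 dport=2404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) sport=(?P<sport>\d+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_port_hits(log_text, port=DEFAULT_REMVIO_PORT):
    """Return every TCP record whose destination port equals `port`, in log order.

    Denied connections are kept on purpose: a blocked attempt still tells you
    which internal host tried to reach the suspected C2 address.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            hits.append(rec)
    return hits


def summarize_pairs(hits):
    """Group hits by (src, dst) and report the count, whether any connection was
    allowed, and the gaps in seconds between consecutive hits. Near-constant gaps
    are a beaconing signal worth a closer look at the source host."""
    by_pair = defaultdict(list)
    for rec in hits:
        by_pair[(rec["src"], rec["dst"])].append(rec)
    summary = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        summary[pair] = {
            "count": len(recs),
            "allowed": any(r["action"] == "allow" for r in recs),
            "gaps_seconds": gaps,
        }
    return summary


if __name__ == "__main__":
    for pair, info in summarize_pairs(find_port_hits(SAMPLE_LOG)).items():
        print(pair, info)
```

Run against the sample, the script reports 10.0.0.12 reaching 203.0.113.5 on 2404 three times, roughly five minutes apart, while 10.0.0.44 made a single attempt that the firewall denied. Port-based hunting like this is only a starting point: pair it with host-side checks (the registry persistence entry and drop location the builder lets the attacker choose) before drawing conclusions.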
Symantec and Norton products protect against this threat with the following detections: