Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash

Get the Latest


Blackremote RAT Found For-sale

Speccy/Rafiki: Researchers from Palo Alto’s Unit 42 have identified a threat actor that is selling a custom-built Remote Access Trojan (RAT) called BlackRemote. The website that the RAT is being advertised on is set up to look very professional and the seller has made significant efforts to promote seemingly legitimate reasons for selling the RAT. These reasons are believed to be false because the RAT contains features that are only useful for malicious actors and have no place in a legitimate remote administration program. Unit 42 has managed to find over 50 samples of the RAT and over 2,200 infections. The price of the program is rather high compared to what other RATs are being sold for on criminal markets. A 31-day license running for $49 USD. The author of the RAT also posted a YouTube video with instructions on how to set the RAT up and utilize it in the best way possible. Key features that are advertised for the RAT include:

  • Access desktop remotely
  • Remote file manager
  • Remote webcam access
  • File transfer capabilities
  • Keystroke capture (Keylogging)
  • Machine services manager
  • Process manager
  • Remote audio access
  • Registry editor
  • Chat system
  • Shutdown, reboot, and logoff system command ability
  • Create and send system messages
  • Download and execute any file on the system
  • Recover passwords that were used on the system, mail clients, and browser
  • TCP connections monitoring
  • Launch any website
  • Manage the clipboard
  • Create and execute remote scripts
  • Manage remote machine system startup entities
  • Remote shell access
  • File search engine
  • Photo album manager
  • Windows manager
  • Installed software management
  • Hosts file control
  • Client manager capabilities

Speccy, as the vendor selling the RAT prefers to be called, is very cautious; under each one of the RATs features, they list exactly what the feature does, without explaining how it could be used in a malicious way. After a user purchases the RAT, they are given a Sendspace link to download the Blackremote manager/builder software and a password to decrypt the archive that the software comes in. After the manager/builder is unpacked, a 9 MB main executable installs along with a pair of resource libraries and a resource directory with a pair of .wav files. Blackremote utilizes the CodeVEST licensing system which is a third-party tool to manage software licenses and is peddled on underground forums. The manager/builder that the buyer now has access that allows them to:

  • Customize malware and control connections to infected clients
  • Define actions-upon-connect for client connections
  • Define a connection log
  • List and interact with connected clients

Client control features are exposed in the context menu for connected clients, which was a heavily advertised piece for Speccy. This malware is still being actively developed. It was seen that regardless of the RAT feature and the C2 information, all of the file sizes were the same because of the obfuscation process that was in place. The builder and client are heavily protected and use more than one obfuscator. Unit 42 managed to track Speccy and identify the threat actor as an 18-year-old man who lives in Sweden. Rather than giving away his real identity, Unit 42 stated that they alerted the proper authorities and hope that because of a timely discovery of the RAT and the attacker, the attacks from Blackremote will be limited.

Analyst Notes

The Binary Defense Threat Hunting and Counterintelligence teams are studying the Blackremote RAT and have already developed detection rules for stopping this RAT on our client’s computers. The malware has been posted for sale for nearly a month on one forum, and it is possible that if Unit 42 turned all the information over to law enforcement that they will take action against the creator. If action is taken, there is no telling if Speccy has any contingency plan in place or anybody else lined up to continue selling his RAT.