Swedish hacker caught selling Blackremote RAT

News by Rene Millman

A Swedish hacker has been discovered trying to sell a new, undocumented remote access tool

A Swedish hacker has been discovered trying to sell a new, undocumented remote access tool (RAT).

Dubbed Blackremote by researchers at Palo Alto Networks, the RAT has been promoted by the hacker on dark web forums since last month. The hacker, who uses the handles Speccy and Rafiki, has also posted YouTube videos with instructions for setting up his RAT.

The YouTube description included a link to his personal site. The video is marked private.

"It also included the claim ‘this rat is fully runtime undetected’ and a link to ‘purchase FUD crypter’. There is no legitimate reason for this software to need to be ‘undetectable’ or ‘crypted’. Rather, such efforts are intended to prevent detection by antimalware software," said researchers.

The hacker described the malware as a "powerful and full featured systems" remote administration suite. 

"It will give you full access and control over a remote machine through a countless number of features, giving you the ability to monitor, access or manipulate every activity and data remotely, just like you are in front of it!," goes the description. 

Researchers said the RAT is higher in price than other commodity RATs as the tool is available for US$49 (£44) for a 31-day license, US$117 (£106) for 93 days, and US$438 (£397) for one year. Buyers need to buy the tool using cryptocurrencies such as Bitcoin.

The features of the RAT include remote desktop, remote file manager, remote webcam, keystoke capture, and remote audio to listen in on a victim.

Researchers said that commodity RATs are often sold on the internet for years, their authors profiting while enabling malicious actors to spread thousands of samples of malware, built with their RAT builders.

"The opportunity to document a RAT within days of its emergence, and to identify the individual behind it – in this case, an 18-year-old from Sweden, will hopefully enable authorities to take timely action against this actor, and his customers," the researchers said.

Matt Aldridge, senior solutions architect at Webroot, told SC Media UK that organisations must not rely upon any kind of signature based or rules-based detection for malware and ensure that they are using next generation anti-malware which uses behavioural based detection of this type of Remote Access Trojan. 

"Organisations should also control the URLs being accessed from their devices by ensuring that high-quality web classification and reputation data is integrated at their endpoints, gateways and/or via a DNS security platform - this can mitigate the initial download, licensing and command and control communications of such tools," he said.

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that strong detection controls should be in place that can detect if a RAT makes it into the network. 

"This can be done in conjunction with a reliable threat intelligence source that is continually updated with the latest indicators of compromise," he said.

In order to catch the criminal, "we often see many organisations and countries collaborating together and sharing law enforcement resources because most criminals operate across borders to slow down and frustrate investigators," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews