Blackremote: Money Money Money – A Swedish Actor Peddles an Expensive New RAT (Oct 15, 2019)
In September 2019, Unit 42 researchers discovered a new, undocumented commodity Remote Access Tool (RAT) that was observed in more than 2,200 attack sessions within the first month of it being sold. The RAT, dubbed “Blackremote,” has been promoted by its author, an unidentified 18-year-old Swedish citizen, on dark web forums and on a sale site since September 2019; time-limited licenses can be purchased using cryptocurrencies such as Bitcoin. The features of the RAT include keystroke capture, remote audio, remote desktop, remote file manager, and remote webcam. The author describes the tool as being able to “give you full access and control over a remote machine through a countless number of features, giving you the ability to monitor, access or manipulate every activity and data remotely, just like you are in front of it!” Unit 42 has reported its findings, including the identity of the author, to the proper authorities.
Recommendation: Organizations should control URLs being accessed from work devices by ensuring that high-quality web classification and reputation data is integrated at their endpoints, gateways and/or via a DNS security platform. This can mitigate the initial download, licensing and command and control communications of remote access tools. Additionally, organizations should use threat intelligence resources that are continually updated with the latest indicators of compromise.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.