{"id":15153,"date":"2019-04-22T13:17:04","date_gmt":"2019-04-22T21:17:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/04\/22\/news-8902\/"},"modified":"2019-04-22T13:17:04","modified_gmt":"2019-04-22T21:17:04","slug":"news-8902","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/04\/22\/news-8902\/","title":{"rendered":"Who’s Behind the RevCode WebMonitor RAT?"},"content":{"rendered":"

Credit to Author: BrianKrebs| Date: Mon, 22 Apr 2019 19:43:02 +0000<\/strong><\/p>\n

The owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of malware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating the\u00a0Blackshades RAT<\/strong>, a similar product that was used to infect more than half a million computers with malware, KrebsOnSecurity has learned.<\/p>\n

\"\"<\/a><\/p>\n

An advertisement for RevCode WebMonitor.<\/p>\n<\/div>\n

At issue is a program called “WebMonitor<\/strong>,” which was designed to allow users to remotely control a computer (or multiple machines) via a Web browser. The makers of WebMonitor, a company in Sweden called “RevCode<\/strong>,” say their product is legal and legitimate software “that helps firms and personal users handle the security of owned devices.”<\/p>\n

But critics say WebMonitor is far more likely to be deployed on “pwned” devices, or those that are surreptitiously hacked. The software is broadly classified as malware by most antivirus companies, likely thanks to an advertised feature list that includes dumping the remote computer’s temporary memory; retrieving passwords from dozens of email programs; snarfing the target’s Wi-Fi credentials; and viewing the target’s Webcam.<\/p>\n

In a writeup on WebMonitor published in April 2018<\/a>, researchers from security firm Palo Alto Networks<\/strong> noted that the product has been primarily advertised on underground hacking forums, and that its developers promoted several qualities of the software likely to appeal to cybercriminals looking to secretly compromise PCs.<\/p>\n

For example, RevCode’s website touted the software’s compatibility with all “crypters<\/a>,” software that can encrypt, obfuscate and manipulate malware to make it harder to detect by antivirus programs. Palo Alto also noted WebMonitor includes the option to suppress any notification boxes that may pop up when the RAT is being installed on a computer.<\/p>\n

\"\"<\/p>\n

A screenshot of the WebMonitor builder panel.<\/p>\n<\/div>\n

RevCode maintains it is a legitimate company officially registered in Sweden that obeys all applicable Swedish laws. A few hours of searching online turned up an interesting record<\/a> at Ratsit AB<\/a>, a credit information service based in Sweden. That record indicates RevCode is owned by 28-year-old Swedish resident Alex\u00a0Y\u00fccel<\/strong>.<\/p>\n

In February 2015, a then 24-year-old Alex Y\u00fccel pleaded guilty in a U.S. court<\/a> to computer hacking and to creating, marketing and selling Blackshades<\/a>, a RAT that was used to compromise and spy on hundreds of thousands of computers. Arrested in Moldova in 2013 as part of a large-scale, international takedown against Blackshades and hundreds of customers,\u00a0Y\u00fccel became the first person ever to be extradited from Moldova to the United States.<\/span><\/p>\n

Y\u00fccel was sentenced to 57 months in prison, but according to a record for\u00a0Y\u00fccel at the U.S. Federal Bureau of Prisons<\/a>, he was released on Nov. 1, 2016. The first advertisements in hacker forums for the sale of WebMonitor began in mid-2017. RevCode was registered as an official Swedish company in 2018, according to Ratsit.<\/p>\n

Until recently, RevCode published on its Web site a value added tax<\/a>\u00a0(VAT) number, an identifier used in many European countries for value added tax purposes. That VAT number — first noted by the blog Krabsonsecurity.com<\/a> (which borrows heavily from this site’s design and banner but otherwise bears no relation to KrebsOnSecurity.com) — has since been removed from the RevCode Web site and from historic records at The Internet Archive<\/a>. The VAT number cited in that report<\/a> is registered to Alex\u00a0Y\u00fccel, and matches the number listed for RevCode by Ratsit AB.<\/p>\n

Y\u00fccel could not be immediately reached for comment. But an unnamed person responded to an email sent to the customer support address listed at RevCode’s site. Presented with the information and links referenced above, the person responding wrote, “nobody working for\/with RevCode is in any way related to BlackShades. Anything else suggesting otherwise is nothing but rumors and attempts to degrade our company by means of defamation.”<\/p>\n

The person responding from the RevCode support email address contended that the Alex Y\u00fccel listed as owner of the company was not the same Alex Y\u00fccel convicted of co-authoring Blackshades. However, unless the Ratsit record is completely wrong, this seems unlikely to be true.<\/p>\n

According to the Ratsit listing, the Alex\u00a0Y\u00fccel who heads RevCode currently lives in a suburb of Stockholm, Sweden with his parents Can and Rita\u00a0Y\u00fccel. Both Can and Rita\u00a0Y\u00fccel co-signed a letter<\/a>\u00a0(PDF)\u00a0in June 2015 testifying to a New York federal court regarding their son’s upstanding moral character prior to Y\u00fccel the younger’s sentencing for the Blackshades conviction, according to court records.<\/p>\n

\"\"<\/p>\n

A letter from Alex Y\u00fccel’s parents to the court in June 2016.<\/p>\n<\/div>\n

https:\/\/krebsonsecurity.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: BrianKrebs| Date: Mon, 22 Apr 2019 19:43:02 +0000<\/strong><\/p>\n

The owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of malware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating the\u00a0Blackshades RAT, a similar product that was used to infect more than half a million computers with malware, KrebsOnSecurity has learned.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10642],"tags":[16740,21623,11867,16695,21624,16696,21625,21626,21627,21628],"class_list":["post-15153","post","type-post","status-publish","format-standard","hentry","category-independent","category-krebs","tag-a-little-sunshine","tag-alex-yucel","tag-blackshades-rat","tag-breadcrumbs","tag-krabsonsecurity","tag-neer-do-well-news","tag-ratsit-ab","tag-revcode","tag-webmonitor","tag-webmonitor-rat"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15153"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15153\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15153"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}