SPECIAL STATE PROTECTION SERVICE
SPECIAL COMMUNICATION AND INFORMATION
SECURITY STATE AGENCY

COMPUTER EMERGENCY
RESPONSE CENTER

BACKDOOR.REMVIO: HIGHLY CUSTOMIZABLE REMOTE ACCESS TROJAN SOLD ONLINE

1 Aug 2016

The new Trojan can be used to steal information and passwords from compromised computers.

Symantec recently noticed that an Italian malware author known as z3r0 is selling a new remote access Trojan on an underground forum. The software is a back door threat that can be purchased for between US$58 and $389 in bitcoins, depending on the license agreement. The malware comes with an end user license agreement (EULA) that disclaims any responsibility if a third party uses the software for malicious activity. Despite this, we decided to evaluate this back door software as a potential threat. Our products detect it as Backdoor.Remvio.

Remvio can compromise any version of Windows and can target both corporations and private users. We have not confirmed whether it has been used in the wild yet; our detection is currently proactive.

After attackers have purchased the back door Trojan, they can distribute it in a number of ways. They may use watering hole attacks, crafted emails that point to a malicious URL, or a malicious spam campaign. They may spread the malware using exploit kits and droppers.

The back door Trojan is built in C++ and includes many functions despite being small in size (about 24-70 KB). The builder and control panel are approximately 6.3 MB and were developed in the Delphi programming language. The control panel includes functionality such as automation tasks (Figure 1), which allow exfiltration to proceed without requiring the cybercriminal to operate the threat manually when victims come online.