Rewterz Threat Alert – Blackremote: An undocumented RAT

Severity

High

Analysis Summary

While researching prevalent commodity Remote Access Tools (RATs), Unit 42 researchers discovered a new, undocumented RAT in September, which had almost 50 samples observed in more than 2,200 attack sessions within the first month it was sold. In this report, Unit 42 document the RAT manager/builder, client malware, and profile the Swedish actor behind this together with his promotion and sale of his malware. Unit 42 also document this RAT already being used in malicious attacks in the wild.

Black Remote Controller PRO is a powerful and full featured systems remote administration suite. It will give you full access and control over a remote machine through a countless number of features, giving you the ability to monitor, access or manipulate every activity and data remotely, just like you are in front of it!

Impact

Exposure of sensitive information

Indicators of Compromise

SH256

• 25ce044c34426b828546206fad18930a412bb908c38701c4515f4d0ac0616cc1
• 105cab9c9604238c05be167c6d8d47cd2bc0427b07ede08c5571b581ebd80001
• c207cf50305f126451e2dc5493d83614fdf801541d011e5002ee5daea2b4433b
• ee20db296c7c4cf3ca6db0c739f1579f554a447b6c1e2b343b22d341f288662f
• c38006115bd7c22151c4e31d8d4ed6ec114c2aaf1c7c0da12ef7b44f96fc58d6
• f7b165903f6f9b979e84399ce4e1b85ed2927740771d85a7b8c85203641a08a1
• 117cf46ae69134dbe0c8a1d5f4cac92b46c15ea4945929df3880c0ac63e158f3
• 53c5a447cf10439616e35a0705a3390e4cbf0d2709ad0ddd4e9b2222631bfb24
• 93bfbd4b12a17732c8b7e66c554f98187184c6d845bd02e0dbb2104ce8da0453
• 901e06cd91adb7255d75781ef98fac71d17f7bed074a52147bdbd42ea551b34f
• 129491bfdd9a80d5c6ee1ce20e54c9fb6deb2c1e1713e4545b24aa635f57a8b9
• 469d8b2cced859f57b535363307c1e29c0bf0342d14ce0da109a40493a441b62
• 0908f8fbe1e3a77d941ae83fe3677d103d86d6e59a6ae4530eadba8af7fc1b3a
• 0f66acc9883b284580980020d4a48557b2fe38312ca80db97c77cc2fa78c51fb
• 69aaaf148a132385512f66d7668b045d6467f8639a3ef7460e20ce0627bc84fc
• 3875545099276f2b34c3752b177b6d90a2eeb47148ddfb559a4d076d0f40716a
• f6ae66a8a6357d7622463db9953ae164d496e7f5ee0dfe2c8e3550a231f25078
• ed7693d9b1b069d39451002bc1df06bf4e123926fa34abb6afeb9a18d6d90dcd
• 77fe670ed011e547db72207ba5849b9f618185b52e0ae766c23ef675b116b252
• 931839ee649da42b0ee3ac5f5dfa944b506336c7f4e5beb3fc07a6b35a7e6383
• a590d504a6bbbdb50befce40820ebc9d341ff9c37adb5693684b85afef5d56dc
• 33a3572c32f024e6610e2b2ab428118c162687410dd84db7866e8f198442e6ca
• a4bc7d42dd64df3502b7f8c2335c64eba7a484479fc8c2dc8a4aa448f10354b3
• 2b3cda455f68a9bbbeb1c2881b30f1ee962f1c136af97bdf47d8c9618b980572
• cb423b73ae3e51195abbcf8bc1f2655d61436825815089b92e843b570ac7c86d
• cc795b94cac222afc69749359d8b17d9fb7a7fb6e824d43008c1674c0d146929
• f83e25cf2b2c2f2d0a14e3f538c11f70135ee8ec158446a51bb0f2d999765267
• 0c63983cb38d187c187f373852d7b87ff4e41ea0d77d75907aa3388ad957f38f
• 1737cf3aec9f56bb79a0c4e3010f53536c36a1fbeeedea81b6d7b66074ecffbe
• 756efcbd2767c5499b6f09a089033c82050459fc2999d3ce79caa25746693e26
• c5a78bf01ab2e44c7dba3a363f2eda51cf648e904f2beb47d6cf3112368ff20c
• 57a15cc236e4d2ba6e08b062a75671b8a674e0d8498d87e48652c778ea263d49
• ada653c948875a9c1ca588251b317d8e971fdf980252d92e36d59f14f5eb9ab9
• e5366365852a953a1747ab8a5d721c2536c5671c07bfecf648fb2cf6a13f2dc0
• 9c93b768b5261194ad207c0e92e9767e70ba38203f24f2909e1b39a9a1d6570c
• e54531896dbd100fec41cfc89b06f2afa1efd4077d1f197b1b88f74371135436
• e1bf5d2ef3a4f922f9a15ab76de509213f086f5557c9e648126a06d397117d80

URL

• https[:]//renaj[.]duckdns[.]org/

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.