WebMonitor Remote Access Trojan

WebMonitor is a remote access trojan with added virtual private network (VPN) and command and control (C2) capabilities.

At present it is unclear how WebMonitor is delivered although there are indications on a number of dark web sites it is offered on that it is being distributed via spam campaigns.

The RAT is a service bundled with a VPN, C2 service, and a web-based interface.

WebMonitor C2s to virtual-hostnames, apparently unique to each customer, at one of two root C2 domains. Although C2 communication is over HTTPS, an obvious downside to such a C2 domain architecture is that the C2 traffic is easily detected and blocked based upon the domains.

As a RAT, WebMonitor has an extensive list of capabilities including:

• Harvesting browser and mail credentials.
• Stream audio and video from webcams.
• Dump RAM and cache memory data to a C2 server.
• Monitor and edit registry and file system entries.

C2 Domains

revcode[.]eu – This is a genuine company but for some reason it is listed on a number of sites as been a C2 domain for this trojan.

wm01[.]to

Affected Platforms

Microsoft Windows – All versions

Update 05-01-2018

We have been contacted twice now, by the company that created RevCode.  They state they are a genuine company, and I quote the CEO said in a message “We do not tolerate malicous usage of our services and oprrating pro-actively to prevent our costumers from abuse” however the details regarding this are listed on a number of sites similar to ours, and it seems others have been contacted also, such as KrabsOnSecurity (details here).