Cisco Talos says criminals are using one research company's testing tools to set up and run botnets.
A report released Wednesday by Talos researchers found that Breaking Security's Remcos remote control tool and Octopus Protector encryption utility, along with other Breaking Security tools, are being used in the wild to set up and maintain botnets.
While Breaking Security, which did not respond to a request for comment, maintains in its terms of service that its products are only for legitimate purposes and that it will revoke the license of anyone who misuses them, Cisco Talos says the tools can easily be used as malware and that misuse of the software is rampant.
"While the organization that sells Remcos claims that the application is only for legal use, our research indicates it is still being used extensively by malicious attackers, as well," the report claims.
"In some cases, attackers are strategically targeting victims to attempt to gain access to organizations that operate as part of the supply chain for various critical infrastructure sectors."
Among the attacks Talos says it has spotted are targeted attacks on businesses in Turkey, Spain, Poland, and the UK, with the software mostly delivered as email attachments in spear-phishing attempts.
Once installed, Remcos can be used to monitor user activity, including keystroke logging, remote screenshots and command execution.
Because of this, Talos says it is classifying Remcos as a Remote Access Trojan (RAT) and is distributing a decoder script to help companies detect and remove the Remcos software from their systems. The researchers are also advising admins to screen for a Remcos installation and treat it as they would any other trojan or piece of malware.
"Organizations should ensure that they are implementing security controls to combat Remcos, as well as other threats that are being used in the wild," the researchers write.
"Remcos is a robust tool that is being actively developed to include new functionality increasing what the attackers can gain access to. To combat this, organizations should continue to be aware of this threat, as well as others like this that may be circulated on the internet."