Blackremote: Money Money Money – A Swedish Actor Peddles an Expensive New RAT


Category: Unit 42



Executive Summary

While researching prevalent commodity Remote Access Tools (RATs), Unit 42 researchers discovered a new, previously undocumented RAT in September 2019; almost 50 samples were observed in more than 2,200 attack sessions within the first month it was on sale. In this report we document the RAT manager/builder and the client malware, profile the Swedish actor behind it along with his promotion and sale of the malware, and show that this RAT is already being used in malicious attacks in the wild.

Promoting his RAT

During the first week of September 2019, the actor started promoting his new RAT on several underground forums (Figure 1), using the handles Speccy and Rafiki. The succinct posts shared a link to his sales site blackremote[.]pro and his Discord handle Speccy#0100.

Figure 1. RAT promoted on forums

During the same week, he posted a YouTube video (Figure 2), with instructions for setting up his RAT.

Figure 2. YouTube “how-to” video

The YouTube description (Figure 3) included a link to his personal site speccy[.]dev. It also included the claim “this rat is fully runtime undetected” and a link to “purchase FUD crypter.” There is no legitimate reason for this software to need to be “undetectable” or “crypted.” Rather, such efforts are intended to prevent detection by antimalware software.

Figure 3. YouTube description


The sales site for Blackremote RAT, blackremote[.]pro (Figure 4), was registered on August 19, 2019.

Figure 4. blackremote[.]pro

Speccy describes his RAT:

“Black Remote Controller PRO is a powerful and full featured systems remote admnistration suite. It will give you full access and control over a remote machine through a countless number of features, giving you the ability to monitor, access or manipulate every activity and data remotely, just like you are in front of it!”

As is typical with other malicious RATs promoted at the same underground forums, Speccy claims legitimate purpose:

“This tool is ideal for everyone who necessitate to access, monitor or operate remotely on a given system for a wide and various range of needs, administration professionals, parental control, forensics, sourveillance [sic], remote assistance. Black will become for you an incredible tool to achieve everything remotely.”

However, the claims of being “undetectable” and the references to crypting noted above, together with features such as “Password Recovery” and his “Fun Features” advertising (Figure 5) (“We all know sometimes things may get boring, expecially [sic] in professional and tech environment“ … “Black Remote Controller may become also a funny tool for jokes, why not?”), are hardly in keeping with a tool designed for legitimate purposes.

Figure 5. “Fun Features”

Speccy licenses his RAT (Figure 6) at a comparatively high price for a commodity RAT: $49 for a 31-day license, $117 for 93 days, and $438 for one year.

Figure 6. Purchase

Payment is accepted in various cryptocurrencies through the third-party payment service vsell[.]io (Figure 7).

Figure 7. vSell


The site lists the features of this RAT in detail:

“Remote Desktop
Watch the Remote Desktop Live at incredible low latency, take shots or activate video
recording to .avi files. Take control over the mouse device and more. Supports
multiple screens.

Remote File Manager
Freely navigate in as fast as in real time through all drives, files and folders of your
remote machine.
Be able to achieve any kind of file manipulations.

Remote Webcam
Private property surveillance, monitoring, parental control, this feature allows for
multiple needs. Take shots or activate video recording to .avi files.

File Transfers
Upload and or Download any data from and to your remote machine. Multiple transfers
at once supported and no size limit at incredible speed.

Keystroke Capture
Keystroke capture Live or in Offline mode and retrieve logs later. All keyborads [sic] are
supported. A keyword search feature is included.

Services Manager
Be able to list all remote machine stopped and running Services, launch or stop them in
a click.

Processes Manager
Monotor [sic] all running Processes in your remote machine, kill. suspend, resume them or
set an alarm on specific ones if detected.

Remote Audio
Listen to your remote machine Microphone device, great for surveillance or just listen
what the remote user have to say to you.

Registry Editor
Navigate through the full remote machine Windows Registry, retrieve or modify any key
or value in it, create new ones.

Chat System
Be able to initialize a Chat session with the remote machine user it for assistance or any
given need.

Shutdown, Reboot, Logoff System
Be able to remotely logoff, restart or shutdown your remote machines as needed.

System Messages
Create and fully customize system messages, alerts, infos to pop up on your remote

Download and execute any file from a given URL with complete customization of the
saving path, execution and more.

Passwords Recovery
Get all saved password in the remote machine, browsers, mail clients and few
applications are supported.

TCP Connections Monitor
Monotor all active TCP connections in and out your remote machine. Be able to block
them by port, process or instant kill.

Visit Website
Be able to launch any website page for support or any other specific need.

Clipboard Manager
Acces, read or write or edit the remote machine Clipboard content.

Scripting Tool
Create and execute remotely your scripts. VBS, HTML, BATCH, POWERSHELL

Startup Manager
Manage all remote machine System Startup entries. Add, remove, modify them through
multiple startup methods.

Remote Shell
Being able to access your remote machine Shell is vital to achieve almost any and
advanced task.

Windows Manager
Be able to manage any open windows, visible or hidden ones on your remote machine.
Close, maximize, minimize, hide, show, block, any interaction is supported.

Installed Software
Sometimes being able to tell wich software is installed on a system is usefull [sic] to get an
idea of how the remote environement [sic] is set.

Hosts File
This file has a critical role for Windows systems, being able to redirect, block, translate,
associate ip/hosts addresses. Hosts file customization is sometimes critical to
block some websites access for example.

Client Manager
You have plenty of options to modify, update, restart, kill and more of your installed
Client file.
Client editor will allow for customizations of your file.”

Manager / Builder

The purchaser is given a Sendspace download link for the Blackremote manager / builder software, together with the password for the 6 MB RAR archive.

Unpacking the archive yields a 9 MB main executable, BLACK-RC.EXE, a pair of resource libraries, and a resource directory containing two .wav files.

Figure 8. Manager / builder registration / login

Upon loading the manager / builder, the user is presented with a registration / login screen (Figure 8). Blackremote uses the third-party “CodeVEST” licensing system, which is also peddled on underground forums; the licensing check is performed by connecting to codevest[.]sh. “CodeVEST” appears to have taken the place of “Netseal” as the registration service of choice for commodity malware. The author of “Netseal”, Taylor Huddleston, was charged in 2017 for that operation together with the sale of his own commodity malware, “Nanocore RAT.” The same person who offers the “CodeVEST” licensing service also profits from a crypting service, “Cyber Seal”. This highlights the role played in the commodity malware ecosystem not only by the malware sellers, but also by service providers: the licensing services the sellers rely on, and the crypting services their customers purchase to keep the malware they build from being detected.

Figure 9. CodeVEST

The Blackremote manager / builder (Figure 10) allows the user to build new client malware to their configuration, and to control connections from those infected clients.

Figure 10. Blackremote Manager / Builder

The manager / builder allows the user to define actions-upon-connect for client connections (Figure 11), a connection log (Figure 12), and the ability to list (Figure 13) and interact with connected clients.

Figure 11. On-connect options

Figure 12. Connection log

Figure 13. Active connections

The client-control features advertised by Speccy are exposed in the context menu for connected clients (Figure 14).

Figure 14. Client control

Speccy is actively developing this software. The changelog shows incremental improvements on a regular basis, such as the newly-added client privilege escalation (Figure 15).

Figure 15. Change log


We note that different samples from similar time periods have been observed with identical file sizes. We suspect that, regardless of dynamic content such as C2 information or differing RAT options, the obfuscation process used when building the client makes all clients of a given Blackremote version identical in size. File size should therefore not be taken as evidence that two samples share a configuration; samples of the same size still differ in hash and in their embedded settings.

Both the builder and the client are heavily protected, showing signs of more than one .NET obfuscator (Agile.NET, Babel .NET, Crypto Obfuscator, Dotfuscator, Goliath.NET, SmartAssembly, Spices.Net, Xenocode), which considerably complicates static analysis.

In the Wild

Although Blackremote is very new, at the time of writing we are already seeing it used in attacks. One month after Speccy started selling Blackremote RAT, we had observed almost 50 samples in more than 2,200 attack sessions against Palo Alto Networks customers.

A Customer

Interestingly, a single campaign appears to be responsible for the vast majority of those attacks. The file doc00190910.exe (SHA256: 2b3cda455f68a9bbbeb1c2881b30f1ee962f1c136af97bdf47d8c9618b980572) was spread by email, peaking September 9-11, 2019. It targeted Palo Alto Networks customers worldwide, across varied verticals (Figure 16). It uses renaj.duckdns[.]org (103.200.6[.]79) as its Command-and-Control (C2) server, and we observed it in over 1,800 attack sessions.

Figure 16. Campaign victim verticals

The same C2 has been used by this customer in over 50 Netwire, Nanocore, Quasar, and Remcos commodity RAT samples dating back to early 2018. The dynamic-DNS host and its IP address are therefore worth blocking and hunting for irrespective of which RAT family is currently in play.
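One way to sweep existing telemetry for the indicators named in this section (the C2 host, its IP address and the SHA256 of doc00190910.exe), as an added example and not Unit 42 tooling. The log lines it scans are constructed for the example, the four-column log layout (timestamp, source host, event type, value) is an assumption rather than any vendor's format, and the port in the sample connection line is made up; the indicators themselves are copied from the report in the defanged form given above and refanged before matching. A bare hit on the parent duckdns.org zone is reported at low confidence, since the report only ties one host under it to this campaign.

```python
"""IOC sweep for the Blackremote campaign indicators given in this report.

Added example (not Unit 42 code). Indicators are the ones the report names;
log lines and their column layout are constructed for this example.
"""
import re
from collections import defaultdict

# Indicators copied from the report, kept in defanged form as published.
IOCS = {
    "c2_domain": ["renaj.duckdns[.]org"],
    "c2_ip": ["103.200.6[.]79"],
    "sha256": ["2b3cda455f68a9bbbeb1c2881b30f1ee962f1c136af97bdf47d8c9618b980572"],
}

# Dynamic-DNS parent zone of the C2 host; a match here is weaker evidence.
DYNDNS_SUFFIXES = (".duckdns.org",)


def refang(indicator):
    """Turn a defanged indicator (a[.]b, hxxp://) back into a matchable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def normalise(value):
    """Refang, lowercase and strip a trailing dot so log values compare equal."""
    return refang(value).strip().lower().rstrip(".")


def build_matchers():
    """Exact-match sets keyed by indicator type."""
    return {kind: {normalise(v) for v in values} for kind, values in IOCS.items()}


# Assumed log layout: "<timestamp> <source host> <dns|conn|file> <value>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|conn|file) (?P<value>\S+)$")


def classify(kind, value, matchers):
    """Return (confidence, reason) findings for a single log record."""
    v = normalise(value)
    findings = []
    if kind == "dns" and v in matchers["c2_domain"]:
        findings.append(("high", "C2 domain " + v))
    elif kind == "dns" and v.endswith(DYNDNS_SUFFIXES):
        findings.append(("low", "dynamic-DNS host " + v))
    if kind == "conn" and v.split(":")[0] in matchers["c2_ip"]:
        findings.append(("high", "C2 address " + v))
    if kind == "file" and v in matchers["sha256"]:
        findings.append(("high", "known Blackremote sample " + v[:12] + "..."))
    return findings


def sweep(lines):
    """Scan log lines; return {source_host: [(confidence, reason), ...]}."""
    matchers = build_matchers()
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines rather than abort the sweep
        for finding in classify(m["kind"], m["value"], matchers):
            hits[m["src"]].append(finding)
    return dict(hits)


# Constructed sample log lines (not from the report or any real environment).
SAMPLE_LOG = [
    "2019-09-10T08:00:40Z ws-17 file 2b3cda455f68a9bbbeb1c2881b30f1ee962f1c136af97bdf47d8c9618b980572",
    "2019-09-10T08:01:02Z ws-17 dns renaj.duckdns.org",
    "2019-09-10T08:01:03Z ws-17 conn 103.200.6.79:5555",
    "2019-09-10T09:15:00Z ws-22 dns updates.example.com",
    "2019-09-10T09:16:00Z ws-22 dns other-host.duckdns.org",
    "2019-09-10T09:17:00Z ws-22 conn 93.184.216.34:443",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, findings in sweep(SAMPLE_LOG).items():
        for confidence, reason in findings:
            print(host + ": [" + confidence + "] " + reason)
```

Running it against the constructed log flags ws-17 three times at high confidence (hash, DNS query and outbound connection) and ws-22 once at low confidence for an unrelated duckdns.org host; the unparseable line is skipped. In a real environment the low-confidence branch is the one to tune, since dynamic-DNS use is common in some networks and rare in others.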

This is a clear illustration of how the authors of commodity RATs such as Blackremote profit, while enabling malicious cyber attacks.


Commodity RATs are often sold on the internet for years, their authors profiting while enabling malicious actors to spread thousands of samples of malware, built with their RAT builders.

The opportunity to document a RAT within days of its emergence, and to identify the individual behind it (in this case, an 18-year-old from Sweden), will hopefully enable authorities to take timely action against this actor and his customers. Unit 42 has fully identified this actor; we will not share his identity here, but we have ensured that the appropriate authorities have been advised. The longer this RAT is sold, the more samples of it will be built and spread, and the greater the opportunity for other actors to crack it and distribute it indiscriminately. It is important to identify and interdict the sale of such malware as early as possible to prevent its proliferation, which arms a large population of unsophisticated threat actors.

Organizations with decent spam filtering, proper system administration, and up-to-date Windows hosts have a much lower risk of infection. Palo Alto Networks customers are further protected from this threat: our threat prevention platform detects Blackremote malware with WildFire and Traps, and AutoFocus users can track this activity using the Blackremote tag.

Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit