WebMonitor Remote Access Trojan

WebMonitor is a remote access trojan with added virtual private network (VPN) and command and control (C2) capabilities.

At present it is unclear how WebMonitor is delivered although there are indications on a number of dark web sites it is offered on that it is being distributed via spam campaigns.

The RAT is a service bundled with a VPN, C2 service, and a web-based interface.

WebMonitor C2s to virtual-hostnames, apparently unique to each customer, at one of two root C2 domains. Although C2 communication is over HTTPS, an obvious downside to such a C2 domain architecture is that the C2 traffic is easily detected and blocked based upon the domains.

As a RAT, WebMonitor has an extensive list of capabilities including:

  • Harvesting browser and mail credentials.
  • Stream audio and video from webcams.
  • Dump RAM and cache memory data to a C2 server.
  • Monitor and edit registry and file system entries.

C2 Domains

revcode[.]eu – This is a genuine company but for some reason it is listed on a number of sites as been a C2 domain for this trojan.

wm01[.]to

Affected Platforms

Microsoft Windows – All versions

Update 05-01-2018

We have been contacted twice now, by the company that created RevCode.  They state they are a genuine company, and I quote the CEO said in a message “We do not tolerate malicous usage of our services and oprrating pro-actively to prevent our costumers from abuse” however the details regarding this are listed on a number of sites similar to ours, and it seems others have been contacted also, such as KrabsOnSecurity (details here).




Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

3 thoughts on “WebMonitor Remote Access Trojan

  • November 29, 2018 at 3:39 am
    Permalink

    Revcode is a legal business registered in Stockholm, Sweden.

    Reply
  • December 9, 2018 at 1:38 am
    Permalink

    Revcode is not a trojan. I use Revcode to monitor my employees legally in Denmark. This seems like a typical slander.

    kim Lehmann
    Kamstrup, CEO

    Reply
  • January 5, 2019 at 4:20 am
    Permalink

    Indeed, Revcode is a legit Swedish business. Just too bad people have nothing better to do than hunting down for anything that looks suspicious and deem them as malicious based on a combination of features, and without any merit whatsoever.

    I’m using WebMonitor to turn my 2 older Android tablets into security cameras. Lots cheaper than having to pay 100$+ for a set of IP-based network surveillance cameras.

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: