WebMonitor is a remote access trojan with added virtual private network (VPN) and command and control (C2) capabilities.
At present it is unclear how WebMonitor is delivered although there are indications on a number of dark web sites it is offered on that it is being distributed via spam campaigns.
The RAT is a service bundled with a VPN, C2 service, and a web-based interface.
WebMonitor C2s to virtual-hostnames, apparently unique to each customer, at one of two root C2 domains. Although C2 communication is over HTTPS, an obvious downside to such a C2 domain architecture is that the C2 traffic is easily detected and blocked based upon the domains.
As a RAT, WebMonitor has an extensive list of capabilities including:
- Harvesting browser and mail credentials.
- Stream audio and video from webcams.
- Dump RAM and cache memory data to a C2 server.
- Monitor and edit registry and file system entries.
revcode[.]eu – This is a genuine company but for some reason it is listed on a number of sites as been a C2 domain for this trojan.
Microsoft Windows – All versions
We have been contacted twice now, by the company that created RevCode. They state they are a genuine company, and I quote the CEO said in a message “We do not tolerate malicous usage of our services and oprrating pro-actively to prevent our costumers from abuse” however the details regarding this are listed on a number of sites similar to ours, and it seems others have been contacted also, such as KrabsOnSecurity (details here).
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.