Revcode WebMonitor – The Legal Malware used in CEO Fraud


UPDATE: On 11 August, 2018, the author of Revcode contacted me and threatened to sue me for libel. I wish him the best of luck in this venture.

The sample arrived in an archive containing fake bank-transfer agreements alongside two malicious executables, Facture1.exe and Facture.exe. The RevCode sample is Facture.exe.

Today we will be taking a look at a very, very legal piece of malware, backed by a .eu domain and a very, very long Terms of Service, that was used in CEO fraud, as seen below. Who would have thought that such legal software, advertised on the benign forum known as “HackForums”, would be used for such notorious cybercriminal purposes?

First of all, we would like to note that despite being blatantly coded in VB6 (released in 1998; its IDE left mainstream support in 2005), the developer claims that it is coded in “C/C++” (the slash alone suggests he does not know the difference between C and C++).

As we can see, a “RAM dump” feature is present. I am sure nobody intends to use it for PoS memory scraping and other very illegal things.

Let’s take a look at their website.

First of all, VB6 is not a revolution any more: it was released in 1998 and its IDE left mainstream support in 2005, so it can fairly be called deprecated. Second, why would you say “since 2017” when it is, in fact, 2017? “Since” is used to demonstrate experience and longevity on the market, which is exactly what is lacking here.

RevCode is anything but P2P: not only do clients connect to a C2 server, but the C2 servers of all customers are hosted under the shared domain “” (each customer gets a subdomain). Every customer's traffic therefore resolves under one parent domain, which makes that domain a single chokepoint for blocking.

There are many more things I would like to say about this legal software, however I will move on to analysing the binary itself.

SHA256: f5d102961183552e759d54c5c7b0e4ec37b10e399a8e90dd98a5136ab0c3eae5
File size: 521.5 KB
File type: Generic CIL Executable

Initial analysis shows that the file is obfuscated with SmartAssembly.

After using de4dot on the binary, we get this at the entrypoint:

Note the lines

byte_ = Convert.FromBase64String(s);
string_ = "gggggggesasasasasasasasasasasasasasa";
byte[] byte_2 = Class22.smethod_17(string_, byte_);

Inspecting smethod_17 reveals that it is in fact the decryption routine: the Base64-decoded blob is decrypted with the hard-coded string as key.

After setting a breakpoint on the call and executing, it is clear that byte_2 is the decrypted binary.

We dump the file and get the payload.

SHA256: 021c739a365bbdab97df0945a535cb9c4b5128a5ef77c8ce8f274ac9e4ff8d2d
File size: 336.0 KB
File type: MS Visual Basic 5.0-6.0 EXE
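Before decompiling, it is worth checking that what was dumped from byte_2 really is a complete PE and that it is the VB6 binary the file-type verdict claims. The following is an added example (my own triage helper, not RevCode's code and not part of the original post): it parses the MZ/PE headers, derives the on-disk size from the section table so a payload can be carved out of a larger memory dump, and looks for the VB6 runtime import MSVBVM60.DLL, which every VB6 executable links. The sample it runs on is a constructed, non-executable PE-shaped blob, not the real payload.

```python
import hashlib
import struct
from typing import Optional

# Every VB6 executable links the VB6 runtime, so this import name is a
# reliable marker for the "MS Visual Basic 5.0-6.0 EXE" verdict above.
VB6_RUNTIME = b"MSVBVM60.DLL"
IMAGE_FILE_MACHINE_I386 = 0x14C


def pe_file_size(data: bytes, base: int = 0) -> Optional[int]:
    """Size on disk of the PE starting at `base`, taken from its section table
    (end of the last section's raw data). None if the headers are not there."""
    if base + 0x40 > len(data):
        return None
    pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sections = pe + 24 + opt_size
    end = sections + 40 * nsections - base          # at least the headers
    for i in range(nsections):
        off = sections + 40 * i
        if off + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_first_pe(dump: bytes) -> Optional[bytes]:
    """Locate the first MZ/PE header pair in a larger dump (for example a heap
    region holding byte_2 plus unrelated data) and cut the image out."""
    pos = dump.find(b"MZ")
    while pos != -1:
        size = pe_file_size(dump, pos)
        if size is not None and pos + size <= len(dump):
            return dump[pos:pos + size]
        pos = dump.find(b"MZ", pos + 1)
    return None


def identify_payload(data: bytes) -> dict:
    """Sanity-check a dumped buffer: is it a PE, for which machine, and does
    it link the VB6 runtime? SHA-256 and size are recorded for the notes."""
    info = {"is_pe": False, "machine": None, "vb6": False,
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    if pe_file_size(data) is None:
        return info
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    info["is_pe"] = True
    info["machine"] = struct.unpack_from("<H", data, pe + 4)[0]
    # The runtime name sits as an ASCII string in the import directory;
    # a plain search is enough for triage.
    info["vb6"] = VB6_RUNTIME.lower() in data.lower()
    return info


def constructed_sample(vb6: bool = True) -> bytes:
    """Constructed test data: a minimal PE-shaped blob (not runnable and not a
    RevCode sample) with one section that carries an import DLL name."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0, 0x0102)
    body = b"\0" * 32 + (VB6_RUNTIME if vb6 else b"KERNEL32.DLL") + b"\0" * 16
    header_len = 0x40 + 4 + 20 + 40
    section = struct.pack("<8sIIII", b".text", len(body), 0x1000,
                          len(body), header_len) + b"\0" * 16
    return bytes(dos) + b"PE\0\0" + coff + section + body


if __name__ == "__main__":
    blob = b"heap noise" + constructed_sample() + b"more noise"
    print(identify_payload(carve_first_pe(blob)))
```

The section-table size is what makes the carve exact: a debugger dump of the surrounding heap will usually contain trailing allocations, and hashing the over-long buffer gives a SHA-256 that matches nothing.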

Since the payload is VB6, we can decompile it with VB Decompiler Pro, which recovers all of the project files.

One of the first functions called is APP_INIT. As it turns out, the author has no idea what encrypting strings in a binary means: they sit in the clear, despite the product boasting an AES-encrypted connection.

As we can see, some of the functions called are Proc_2_136_41CB4C, Proc_2_14_421824 and  Proc_2_35_418D50.

Proc_2_136_41CB4C is simply a wrapper for SHGetFolderPathW; Proc_2_14_421824 writes a file using CreateFileW and WriteFile; Proc_2_35_418D50 executes the installed binary and exits. Nothing interesting: the dropper copies itself to a known folder and relaunches from there.

Scrolling down in APP_INIT, we can finally see the connection code.

We will focus on the following snippet of code:

After cleaning the code up a bit, we get this:

First, Proc_4_1_41F2CC() is a simple wrapper for the capGetDriverDescription API (enumerating capture devices such as the webcam). Other data is collected as well: the computer name (Proc_2_38_41E858), the username of the current user (Proc_2_37_41EFA8) and the current windows (Proc_2_11_41D598). Proc_2_127_420F8C is a copy-paste of this MSDN entry.

RevCode also features a very high-quality startup method that is totally not detected at runtime!

I mean, have you ever heard of the Run registry key? I haven't. In addition, using “On Error Resume Next” is terrible practice, since it silently swallows every error in the routine (thanks to TazzyOpz for pointing this out).

Let’s look at the config decryption code now.

As we can see, the config is simply stored as a string and then decrypted. No checksums, no anti-crack, no anti-analysis whatsoever.

Let’s look at how RevCode handles password recovery. Unfortunately the server is no longer active, but we can still easily see that their Password Recovery is copy-pasted, straight from the list on their own site.

List of recovered email clients from the website:

List of recovered email clients from NirSoft’s site:

The lists match one for one. This blatantly violates NirSoft’s license, which forbids commercial use of NirSoft’s utilities.

So much for their legality efforts; now they are going to have to deal with copyright issues as well.

Next, I was about to write a memory scanner that detects RevCode and removes it; however, apparently they provide the tool themselves, LOL. It can be downloaded from hxxps:// and is also coded in VB6. So much for their self-proclaimed C/C++ stub: VB6 code and .NET modules are found all over the place.

The memory signature provided by Revcode themselves:
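Whatever the exact bytes, a signature like this is consumed the same way: a byte pattern with wildcards is swept over every readable region of each process. The following is an added example (my own scanner, not RevCode's VB6 remover and not part of the original post) that compiles an IDA/YARA-style hex pattern into a bytes regex and scans memory through a page-sized reader, keeping enough overlap that a hit straddling two reads is still found exactly once. The pattern and the "process memory" it scans are constructed for the example; on Windows the reader would be ReadProcessMemory over the regions returned by VirtualQueryEx.

```python
import re
from typing import Callable, List


def compile_signature(sig: str) -> re.Pattern:
    """Compile an IDA/YARA-style hex pattern ("55 8B EC ?? ?? 68") into a
    bytes regex; "??" or "?" matches any one byte."""
    parts = []
    for tok in sig.split():
        parts.append(b"." if tok in ("?", "??") else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def signature_length(sig: str) -> int:
    return len(sig.split())


def scan_buffer(buf: bytes, pattern: re.Pattern, base: int = 0) -> List[int]:
    """Absolute addresses of every match of `pattern` in `buf` loaded at `base`."""
    return [base + m.start() for m in pattern.finditer(buf)]


def scan_chunked(read: Callable[[int, int], bytes], base: int, size: int,
                 sig: str, chunk: int = 0x1000) -> List[int]:
    """Scan `size` bytes at `base` through a reader that returns `n` bytes at
    an address. The last len(sig)-1 bytes of each read are prepended to the
    next one, so a match across a read boundary is neither lost nor doubled
    (a match of len(sig) bytes can never fit inside the shorter carry)."""
    pattern = compile_signature(sig)
    overlap = signature_length(sig) - 1
    hits: List[int] = []
    carry, carry_addr = b"", base
    addr = base
    while addr < base + size:
        n = min(chunk, base + size - addr)
        buf = carry + read(addr, n)
        hits.extend(scan_buffer(buf, pattern, carry_addr))
        carry = buf[len(buf) - overlap:] if overlap else b""
        carry_addr = carry_addr + len(buf) - len(carry)
        addr += n
    return hits


# Constructed pattern for the example; it is not RevCode's published signature.
CONSTRUCTED_SIG = "55 8B EC 83 ?? ?? 68"


def constructed_memory(base: int):
    """Fake process memory: a NOP sled with the pattern planted twice, once
    right across a 4 KiB read boundary. Returns (reader, size)."""
    mem = bytearray(b"\x90" * 0x4000)
    planted = bytes.fromhex("558BEC83EC1068")          # 55 8B EC 83 EC 10 68
    for off in (0x0FFD, 0x2500):
        mem[off:off + len(planted)] = planted

    def read(addr: int, n: int) -> bytes:              # stands in for ReadProcessMemory
        return bytes(mem[addr - base: addr - base + n])

    return read, len(mem)


if __name__ == "__main__":
    base = 0x400000
    read, size = constructed_memory(base)
    for hit in scan_chunked(read, base, size, CONSTRUCTED_SIG):
        print(f"signature at {hit:#010x}")
```

The overlap is the part such tools most often get wrong: reading region by region without it silently misses any instance that happens to sit on a page boundary, which is a cheap way for a stub to dodge a naive self-removal tool.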

Summary: boring, copy-pasted VB6 malware that claims to be “C/C++” and has .NET dependencies for some modules. It ships a remover for itself in an attempt to look legal, but it violates copyright law, so I guess not.

Comments (10)

  1. dever maler
    very funny article thanks krabs greetings dalmev0
  2. fefe
    Fefe likes, great article mr krabs.
  3. Rawan
    I like the quality of the technical research of this article, but it seems as if you're madly attacking RevCode. I'm a happy customer of RevCode and after chatting a little bit with these guys, it turns out they don't want to make their tools too stealthy, with respect to startup keys and encrypting hard-coded strings, for example. That second picture of that statement made by someone on HF is not a RevCode staff member. I first thought "stenhammar" was a staff member when I PMed the guy when their server was offline a while ago, and was told that he is just a customer. I've reviewed and followed their posts and I think it's fair to say that RevCode has actually never made any statement suggesting that it was coded in C++. The seller goes by the HF nick "Revcode" on HF. I'm using RevCode myself to spy on 2 of my own laptops. The tool easily lets you turn your laptop webcam into a spy-cam, quite expensive service, yeh, but it's worth it for me at least. 1. Where can we read more about the "Chairman attacks"? Doesn't seem to be anything about that on the news at the time of writing. 2. Why are you assuming that a RAM dumper has to be used illegally? It's located under the menu "Forensics", which I find very appropriate. 3. Why would they be using "anti-crack" or "anti-analysis"? We customers can protect that if we want, but it's not needed for me at least. I don't really care, I just want to be able to use this amazing service from the web browser on my phone instead of having to use a software and forwarding ports, etc. I'm in for the legal usage, so I'm happy as long as it works. PS: Those .NET dependencies seem to belong to a .NET Crypter
    • Mr. Krabs
      1. Go ask the guy on Twitter, not me, he's a reputable member of the infosec community. 2. RAM scrapers are 99% used for PoS malware. 3. Because anti-crack is something that you should have? lol? Revcode == very poorly written malware, end of story.
  4. Almighty Allah
    >Not using vim.
    • Bull.
      Fuck off, BIOS.
      • Almighty Allah
        I buy your bots everyday why do you treat me like so?
        • Bull.
          Dude, shut the fuck up. Use notepad(not ++) or gtfo. Moron.
          • Almighty Allah
            I coded notepad in vim
          • thugger
            you retarded nitwit, shut up, bitch ass, I smack ur head on a stone if I get u