A big amount of the malware out there are RAT (Remote administration tool) samples. This is software created by people specialized on it, people that develop, improve and sell their tools. It has capabilities that let the attacker spy on the victims with actions like screen capturing, keylogging, password stealing, command execution and remote access and controlling.

Clients of these services usually pay to gain access to the tools and additional services like support, zero or low antivirus detection.

Below is a description of such a service that AlienVault have been observing:

Clients pay for the service and then they gain access to a web portal where they can generate personalized Trojans, manage the infected victims via the web browser and host the malware on their “cloud”.

Creators promote itself as a service to remote control computers and “recover passwords”. This means that clients don’t have to mess with almost any technical issues, and they don’t need special skills or knowledge. The providers supply the tools, the hosting, and the Command and Control server.

When the client logins to their personal account they can see the main menu, tutorials and shortcuts.

The control panel uses HTTPS with a valid certificate. Then you can create a new personalized malware (Trojan) that will be generated in real time.

They take care of the antivirus detections for you. Created samples have a very low antivirus detection ratio (2/42).

Then the time to host the malware comes. Clients can choose between some fake domains that seem legitimate. The administrator of the service has bought two domains to create the fake subdomains.

Once infected, you can easily manage your victims. You can perform remote control on the machine, password stealing, and command execution. Malware communication with the C&C is done using HTTP.

This example shows that this easy to use framework to monetize malware is getting more and more popular on the Internet as they let people without technical skills easily manage their victims.