{
	"id": "fc22e484-b9ff-4251-890b-200b174f23a5",
	"created_at": "2026-04-06T00:22:29.356592Z",
	"updated_at": "2026-04-10T13:11:32.288041Z",
	"deleted_at": null,
	"sha1_hash": "f05b20c890f1c9983dca6b27b95ef6506ff4f5d7",
	"title": "Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3086262,
	"plain_text": "Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)\r\nBy Mike Harbison, Simon Conant\r\nPublished: 2018-04-13 · Archived: 2026-04-05 20:23:19 UTC\r\nWhile looking at commodity RATs currently offered on underground forums, we came across “WebMonitor”, on the market since mid-2017. We noticed that while detection was high for most anti-virus vendors, all tagged it with only generic detection. At this point we realized that although this malware had been around for almost a year, we were looking at a hitherto-undocumented commodity RAT.\r\n  For Sale\r\nCommodity RATs are typically peddled on underground forums and come and go with new offerings springing up to replace those taken down by law enforcement actions.\r\nhttps://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/\r\nPage 1 of 14\r\nFigure 1 – WebMonitor RAT Forum sales thread\r\nWe first observed apparent tests of this RAT in late February 2017. In May 2017, “Revcode” advertised his RAT “WebMonitor” at hackforums[.]net (Figure 1) for €14.99 - €29.99 (Figure 2): “[#1 Web RAT, CONTROL FROM WEB BROWSER, No PORTFORWARD, KEYLOGGER, + VPN]”.\r\nFigure 2 – Editions of WebMonitor RAT sold at three different price points.\r\nIn addition to the forum sales thread, Revcode’s main sales and support site is at revcode[.] 
eu (Figure 3).\r\nFigure 3 – Screenshot of revcode[.]eu advertising WebMonitor\r\n  Features\r\nOn the server side, WebMonitor offers an included VPN and C2 service (discussed in detail later in this report), with a web-based interface (Figure 4).\r\nFigure 4 - Web-based C2 interface\r\nWebMonitor offers two interface options: the original “Lite” version, and a slicker interface in the “Enterprise” version.\r\nA list of features is provided at the site, some of which stretch the guise of a legitimate administration tool:\r\nApplications\r\nApp crash log\r\nInjected DLLs list\r\nInstalled codes list\r\nLoaded DLLs list\r\nOverview\r\nBluetooth\r\nBluetooth log view\r\nBluetooth view\r\nBrowser\r\nAddons list\r\nHistory\r\nImage cache\r\nCredentials\r\nBrowser\r\nPasswords\r\nMail\r\nAll clients\r\nMessenger live\r\nAll clients\r\nNetwork\r\nNet pass\r\nWifi key view\r\nSystem\r\nKeys\r\nFilesystem\r\nDisk smart view\r\nFile browser\r\nRecent files list\r\nForensics\r\nHarddrive operations\r\nPhysical RAM dump\r\nKeyboard\r\nHarddrive operations\r\nPhysical RAM dump\r\nMessengers\r\nHarddrive operations\r\nPhysical RAM dump\r\nMonitor\r\nHarddrive operations\r\nPhysical RAM dump\r\nNetworking\r\nNet route view\r\nTCP analyze\r\nURL protocol view\r\nUser profiles view\r\nWiFi info\r\nWiFi channel monitor\r\nWiFi history\r\nWireless networks\r\nWireless watcher\r\nRuntime\r\nBlue screen log\r\nTurned on times\r\nSystem\r\nBattery info\r\nConnections\r\nDevice manager\r\nDrivers\r\nFirmtables\r\nHardware manager\r\nInformation\r\nInternal activity\r\nMUI cache\r\nProcess 
manager\r\nRemote registry\r\nRemote shell\r\nSecurity software list\r\nServices\r\nStartup view\r\nWin logon activity\r\nWindows list\r\nWindows update list\r\nWebcam\r\nSnapshot\r\nStream Webcam\r\nIn a recent development, in January Revcode partner “Softpatch” began offering an Android RAT client, posting the source code at GitHub.\r\n  WebMonitor Client\r\nThe WebMonitor client (i.e. the RAT) is written in Visual Basic 6 (VB6) and packed with UPX.\r\nIt installs to users\\%USERNAME%\\AppData\\Roaming\\REVCODE-****.EXE, where **** is a random 4-digit hex value.\r\nFor persistence it creates an autorun entry under\r\nx86: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nx64: HKCU\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\r\n(Figure 5), with the value name similarly built from the same 4-digit hex value.\r\nFigure 5 - Persistence registry key\r\nAlong with the C2-as-a-Service, the client builder is designed for ease of use, with a focus on simplicity. Along with deciding whether a pop-up is displayed – or not – the customer can decide whether the client should run at startup, and if the process should restart if terminated (Figure 6).\r\nFigure 6 - Client Builder Interface\r\nRevcode’s partner (or alternative forum account) attempts to claim legitimacy: “We have to follow the laws and therefore have to display installation dialogs. However, we can't help if people bypass that by cracking or patching the executable.” But he then contradicts himself in fact, with the builder option to NOT create an installation pop-up, and “The reason why we made it possible in a way to bypass the dialog is when customers want to update their clients. 
We don't find it necessary to reproduce the installation dialogs.”\r\n  C2aaS\r\nAs previously seen in Quaverse RAT / QRAT, WebMonitor offers Command-and-Control (C2)-as-a-Service (C2aaS). Customers don’t have to (in fact, can’t) run their own C2 system; it’s provided for them. WebMonitor clients beacon to virtual hostnames, apparently unique to each customer, under one of two root C2 domains. Although C2 communication is over HTTPS, an obvious downside to such a C2 domain architecture is that the C2 traffic is easily detected and blocked based upon the domains.\r\nWebMonitor customers access their C2 web interface via user-specific virtual hostnames at the host C2s (Figure 7).\r\nFigure 7 - C2 Virtual Hosts\r\nThe original C2 domain was the same as the sales website, revcode[.]eu. In late July 2017, a second root C2 was brought online, wm01[.]to (“WebMonitor”).\r\n  DNS \u0026 Coin Mining\r\nStarting in samples first observed late November 2017, in addition to DNS lookups for the C2 as described above, the RAT clients also performed multiple lookups for non-existent domains (Figure 8).\r\nFigure 8 - NXD and Monero Mining Pool DNS lookups\r\nThese take the form \u003cusername\u003e.\u003c8_char_hex_value\u003e.to. 
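The DNS and host indicators described on this page, turned into a small log-triage script as an added example (this is not code from the Unit 42 post or from WebMonitor itself): it flags resolutions under the two root C2 domains, bursts of the <username>.<8_char_hex_value>.to NXDOMAIN lookups, the one-off Monero pool contact, and, on the host side, the REVCODE-****.EXE drop from the WebMonitor Client section. The log line format, the client IPs, the virtual-host labels and every sample line are constructed for the example; the thresholds are assumptions, not values from the post.

```python
'''
Added example for this page (not code from the Unit 42 post or from WebMonitor):
a small DNS-log triage script built from the indicators the post describes.

Indicators taken from the post:
  * root C2 domains revcode[.]eu and wm01[.]to, with a per-customer virtual
    host beneath each (the vhost labels used below are constructed, not real)
  * decoy lookups of the form <username>.<8_char_hex_value>.to answered NXDOMAIN
  * the Monero pool pool1.minexmr[.]com seen in one early sample
  * the dropped file REVCODE-<4 hex digits>.EXE under the Roaming profile
The log line format (timestamp client qname rcode), all sample lines and the
NXDOMAIN burst threshold are constructed assumptions for this example.
'''
import ntpath
import re
from collections import Counter

ROOT_C2 = ('revcode.eu', 'wm01.to')
MINING_POOL = 'pool1.minexmr.com'

# <username>.<8_char_hex_value>.to ; [.] is a literal dot in the character class
NXD_DECOY = re.compile(r'^[a-z0-9_-]+[.][0-9a-f]{8}[.]to$', re.IGNORECASE)
# REVCODE-****.EXE, where **** is a 4-digit hex value
DROPPED_EXE = re.compile(r'^REVCODE-[0-9A-F]{4}[.]EXE$', re.IGNORECASE)
# constructed log format: timestamp, client IP, queried name, response code
LOG_LINE = re.compile(r'^([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+)$')


def classify(qname, rcode):
    '''Label one DNS query, or return None if it carries no WebMonitor indicator.'''
    name = qname.rstrip('.').lower()
    for root in ROOT_C2:
        if name == root or name.endswith('.' + root):
            return 'c2'
    if name == MINING_POOL:
        return 'mining_pool'
    # The decoy names only matter as NXDOMAIN answers; a name of that shape
    # that actually resolves is just an ordinary host under the .to TLD.
    if rcode.upper() == 'NXDOMAIN' and NXD_DECOY.match(name):
        return 'nxd_decoy'
    return None


def scan(lines):
    '''Parse log lines and keep the ones that carry an indicator.'''
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        label = classify(qname, rcode)
        if label:
            hits.append({'ts': ts, 'client': client, 'qname': qname, 'label': label})
    return hits


def per_client_verdict(hits, nxd_threshold=3):
    '''Roll hits up per client. One resolution of a C2 vhost is conclusive on
    its own; a decoy NXDOMAIN is a weak signal singly (any <user>.<8hex>.to
    name fits the shape) and only counts once a client emits several of them.'''
    by_client = {}
    for h in hits:
        by_client.setdefault(h['client'], []).append(h)
    verdicts = {}
    for client, hs in by_client.items():
        counts = Counter(h['label'] for h in hs)
        reasons = []
        if counts['c2']:
            reasons.append('resolved a WebMonitor C2 vhost')
        if counts['nxd_decoy'] >= nxd_threshold:
            reasons.append('%d decoy <user>.<8hex>.to NXDOMAIN lookups' % counts['nxd_decoy'])
        if counts['mining_pool']:
            reasons.append('contacted the Monero pool seen with WebMonitor')
        if reasons:
            verdicts[client] = reasons
    return verdicts


def is_dropped_client(path):
    '''True if a file name or full Windows path matches the REVCODE-****.EXE drop.'''
    return DROPPED_EXE.match(ntpath.basename(path)) is not None


# Constructed sample log: one infected client (10.0.0.5) showing all three DNS
# behaviours, one clean client (10.0.0.9) and one client that only reached a C2 vhost.
SAMPLE_LOG = '''
2018-04-02T10:01:02Z 10.0.0.5 customer-x.wm01.to NOERROR
2018-04-02T10:01:03Z 10.0.0.5 johndoe.0f3a9c1e.to NXDOMAIN
2018-04-02T10:01:03Z 10.0.0.5 johndoe.7b22d0aa.to NXDOMAIN
2018-04-02T10:01:04Z 10.0.0.5 johndoe.c0ffee12.to NXDOMAIN
2018-04-02T10:01:09Z 10.0.0.5 pool1.minexmr.com NOERROR
2018-04-02T10:02:00Z 10.0.0.9 www.example.com NOERROR
2018-04-02T10:02:01Z 10.0.0.9 mail.example.to NXDOMAIN
2018-04-02T10:02:30Z 10.0.0.7 customer-y.revcode.eu NOERROR
'''

if __name__ == '__main__':
    for client, reasons in per_client_verdict(scan(SAMPLE_LOG.splitlines())).items():
        print(client, '->', '; '.join(reasons))
    print(is_dropped_client('REVCODE-1A2B.EXE'))
```

The root-domain match is the high-confidence part, since the post notes that the C2aaS model makes the traffic trivially blockable by domain; the decoy-NXDOMAIN rule is deliberately gated on a per-client burst because the name shape alone would also match legitimate hosts under the .to TLD.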
No domains in any observed samples using this technique actually exist, and as such the DNS “NXD” (non-existent domain) response has no obvious C2 function.\r\nIt is possible that this is a yet-to-be-implemented Domain Generation Algorithm (DGA), or otherwise a clumsy and ineffectual effort to camouflage the genuine C2 DNS lookup among invalid ones.\r\nOne of the very first samples observed using this new technique also contacted a Monero mining pool server, pool1.minexmr[.]com, as seen in Figure 8 above. This may have been the author testing rather than a feature released to his customers, as we only observed this once in the wild. Monero mining is hardly representative of a feature of a “legitimate remote administration utility”.\r\n  RAT Customers and Targets\r\nRevcode[.]eu is observed being used less often in recent months, in favor of wm01[.]to, with some samples contacting both. At time of writing, we understand those to be the only two domains used by WebMonitor’s C2-as-a-Service. Based upon analysis of passive DNS records, we observed just under 100 virtual hosts under the two domains, giving an indication of the relatively small number of customers. To date Palo Alto Networks has collected just over 500 distinct samples of WebMonitor.\r\nFigure 9 - Verticals\r\nThe apparently small number of customers and the “commodity” nature of this malware, with a modest price tag, might suggest an innocuous threat. 
However, using AutoFocus, we have observed over 2000 WebMonitor infection attempts against Palo Alto Networks customers across multiple verticals (Figure 9), worldwide (Figure 10).\r\nFigure 10 - Global distribution of targets\r\n  Author\r\nThe domain revcode[.]eu has an in-the-clear, non-anonymized WHOIS (Figure 11). Several current and historical domains are registered with identical information, some back to 2013. Research into the information in the WHOIS found corroborating information, identifying a 25-year-old from the state of Bavaria in southern Germany.\r\nFigure 11 – In-the-clear revcode[.]eu WHOIS registration\r\nInterestingly, while WebMonitor has been marketed since May 2017, there has been no other formal analysis and write-up in the year that it has been sold. The tongue-in-cheek, Florida-based blogger “Krabs on Security” offers an analysis, but this hasn’t been picked up by mainstream malware researchers. She opines: “a very very legal malware backed by a .eu domain and a very very long Term of Service that was used in CEO Fraud, as seen below. Who would’ve thought such legal software being advertised on the benign forums dubbed “HackForums” would be used for such notorious cybercriminal purposes?”. 
“Revcode” partner “SoftPatch” seemed slighted and was quick to attack this analysis, pointing out in a forum post (Figure 12) multiple apparent inaccuracies.\r\nFigure 12 - SoftPatch fires back at krabsonsecurity\r\nAnd Revcode himself, despite the usual attempts at pretense-of-legitimacy seen in commodity RAT sales, markets features that have no utility for legitimate use: “perfectly compatible with all crypters and protectors”, “Privacy is our priority, so no logs are saved on our servers.”. Revcode’s partner (or alternative forum account) posts an exhaustive list of credentials that this RAT can recover, “Here is a list of what kind of credentials RevCode is capable of recovering”:\r\nWeb Browsers:\r\n* Internet Explorer 4.0 - 11.0\r\n* Mozilla Firefox - All versions\r\n* Google Chrome\r\n* Safari\r\n* Opera\r\nIM Clients:\r\n* MSN Messenger\r\n* Windows Messenger (In Windows XP)\r\n* Windows Live Messenger (In Windows XP/Vista/7)\r\n* Yahoo Messenger (Versions 5.x and 6.x)\r\n* Google Talk\r\n* ICQ Lite 4.x/5.x/2003\r\n* AOL Instant Messenger v4.6 or below, AIM 6.x, and AIM Pro\r\n* Trillian\r\n* Trillian Astra\r\n* Miranda\r\n* GAIM/Pidgin\r\n* MySpace IM\r\n* PaltalkScene\r\n* Digsby\r\nEmail Clients:\r\n* Outlook Express\r\n* Microsoft Outlook 2002/2003/2007/2010/2013/2016\r\n* Windows Mail\r\n* Windows Live Mail\r\n* IncrediMail\r\n* Eudora\r\n* Netscape 6.x/7.x (If the password is not encrypted with master password)\r\n* Mozilla Thunderbird (If the password is not encrypted with master password)\r\n* Group Mail Free\r\n* Yahoo! Mail - If the password is saved in Yahoo! 
Messenger application\r\n* Hotmail/MSN mail - If the password is saved in MSN/Windows/Live Messenger application\r\n* Gmail - If the password is saved by Gmail Notifier application, Google Desktop, or by Google Talk\r\nWindows Network Credentials:\r\n* Login passwords of remote computers on your LAN\r\n* Passwords of mail accounts on exchange server (stored by Microsoft Outlook)\r\n* Password of MSN Messenger / Windows Messenger accounts\r\n* Internet Explorer 7.x and 8.x\r\n* The passwords stored by Remote Desktop 6\r\nProtected Storage:\r\n* Outlook 97\r\n* Outlook 2000\r\n* Outlook XP, 2003, 2007, 2010, 2013, 2016\r\nProduct Keys:\r\n* Microsoft Windows XP, Vista, Server, 7, 8, 10\r\n* Microsoft Office 2000, 2003, 2007, 2010\r\n* Microsoft SQL Server 2000, 2005\r\n* Microsoft Exchange Server 2000, 2003\r\n* Visual Studio\r\n* Some of the Adobe and Autodesk products\r\nNetwork Credentials:\r\n* WiFi stored WEP and WPA keys\r\n* Remote Desktop credentials\r\n  Summary\r\nThe feature set of this RAT would afford an attacker significant access to and control of a victim. Fortunately, owing to the “C2aaS” model employed, detection of and prevention against WebMonitor C2 traffic is trivial.\r\nWebMonitor’s addition to the list of currently-marketed commodity RATs demonstrates their continued popularity, enabling successful attacks even in the hands of the unsophisticated attacker.\r\nWe predict that WebMonitor won’t last much longer, at least not with this model, as the C2s are too easily identified and blocked. Indeed, another aspect of this centralized model, having the hosted service create each client for customers, might put the author’s hands on every one of the malware samples in the eyes of the law.\r\n  Coverage\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\n1. 
WildFire accurately identifies WebMonitor RAT samples as malicious.\r\n2. Traps prevents this threat on endpoints, based upon WildFire prevention.\r\n3. WebMonitor root C2 domains are flagged as malicious in Threat Prevention.\r\nAutoFocus users can view WebMonitor RAT samples using the “WebMonitorRAT” tag.\r\nIOCs can be found in the appendices of this report.\r\n  Appendices - IOCs\r\n  Appendix I – C2 domains\r\nrevcode[.]eu\r\nwm01[.]to\r\n  Appendix II – Sample hashes\r\nHashes of WebMonitor samples can be found here.\r\nSource: https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/"
	],
	"report_names": [
		"unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas"
	],
	"threat_actors": [],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f05b20c890f1c9983dca6b27b95ef6506ff4f5d7.pdf",
		"text": "https://archive.orkl.eu/f05b20c890f1c9983dca6b27b95ef6506ff4f5d7.txt",
		"img": "https://archive.orkl.eu/f05b20c890f1c9983dca6b27b95ef6506ff4f5d7.jpg"
	}
}