Response to Checkpoint Research’s allegation about our company

In a recent article written by Checkpoint Research, BreakingSecurity has been accused of supporting illicit abuse of our software via a third-party retailer who has been selling some external products alongside Remcos.
We have also been accused of being the same company as the retailer, forging a double identity in order to provide an encryption service for our software and facilitate abuse.

However, as we will demonstrate in this response, these accusations are wrong.

First of all, our company has never been interested in supporting the abuse of our cybersecurity programs (proofs below).
As is clearly highlighted on our site, and also in the article itself, we have never provided on our website a tool that could be used to make Remcos undetectable by security software.
Also, we have never provided any support on our official website or Telegram channel for abusing our software in any way.
We do not sell our products on any blackhat or hacking forum.

Any customer who manifested an intention to use our software illegally has had their license banned (proofs posted below).
Any report sent to us regarding illegal usage of our software has been investigated, and the responsible user has had their license banned (proofs posted below).

We have also developed CyberGuard, an anti-malware application, which we sell on our own site.

The article focuses on one of our products, Remcos.
Remcos is a versatile surveillance and cybersecurity tool, and as such it is used in many different scenarios.
We have many customers and companies that use our products and services in various cybersecurity fields.
For example, Remcos is widely used as a tool for red teaming, pen testing and legitimate surveillance, but also for administering many machines from a single control point, for creating a proxy, and much more.

We are aware that Remcos, like most cybersecurity and pentesting tools, carries risks.
Many other cybersecurity tools, such as Cobalt Strike, Metasploit, Flipper Zero, many VPNs, and many other software products or services, have been abused contrary to the developers' intentions, even though their companies, like ours, never sold their products with the purpose of being abused.
We do not provide any products on our site that allow users to bypass the protection of antivirus software: so users can only use Remcos on computers on which they have explicit consent and access to install it.

We have various measures in place to contain abuse, and every single report sent to us regarding the abuse of one of our products has been immediately investigated and the relevant license immediately blocked (proofs below), denying the use of our product to customers who did not comply with the terms of use they accepted before purchasing the software.

On our website, we also publicly provide a free standalone Remcos Uninstaller tool to detect and remove Remcos installations on a system.
The tool can also generate a report for us to identify the associated license and block it in case of abuse.
 
Our website also publishes a dedicated email inbox for abuse reports about our software, which we monitor so we can act immediately: abuse@breakingsecurity.net
We have never received a single report or sample from Checkpoint, nor any communication regarding abuse.
Had we received one, we would have taken immediate action.
 

Various proofs from support tickets, showing that we enforce legal usage both in public and in private, and that we ban any suspicious license and user:
As can be seen from the ticket dates, we have always enforced legal usage of our software, long before any article about us was posted.
Now let's show some examples from our Telegram group.

Telegram Group:

 
There is a comprehensive list of posts in our Telegram group which clearly shows that we blocked any suspicious activity and questions from users from the start.
Note that some of the related user messages were deleted by us, as we moderate any message that could manifest suspicious intentions.

Some of the related posts:
https://t.me/BreakingSecurity_Group/7793
https://t.me/BreakingSecurity_Group/154
https://t.me/BreakingSecurity_Group/98
https://t.me/BreakingSecurity_Group/1977
https://t.me/BreakingSecurity_Group/8029
https://t.me/BreakingSecurity_Group/8440
https://t.me/BreakingSecurity_Group/7464
https://t.me/BreakingSecurity_Group/6363
https://t.me/BreakingSecurity_Group/5855
https://t.me/BreakingSecurity_Group/5858
https://t.me/BreakingSecurity_Group/5492
https://t.me/BreakingSecurity_Group/5369
https://t.me/BreakingSecurity_Group/3071
https://t.me/BreakingSecurity_Group/2281
https://t.me/BreakingSecurity_Group/2182
 
The article focuses on the actions of one of our employees together with an external retailer. This employee was hired to help us with customer support, helping customers install the software on their own systems, analyzing new malware variants found in the wild, and marketing our products by helping us manage some sales and support channels, such as the Telegram group mentioned in your article.
Along with other marketing strategies, our employee proposed allowing a third-party company (VGOstore) to resell our products, as long as they followed the same conditions of use as ours. To verify the reliability of the retailer, we requested a company registration certificate from VgoStore, which was provided to us.
The document sent to us certifies that our reseller has a business in Jordan based on the sale of products online.
We have received other similar requests in the past, but they were always rejected by BreakingSecurity because the reseller had not passed our verification.
 
The relationship between BreakingSecurity and VgoStore was just one between a developer and an external retailer.
We could not investigate in depth the internals of his business, or which other tools he was providing, such as the encryption service, to which we are not related:
this is because the software and services offered on his platform were periodically changing and being updated.
We did, however, verify that our reseller had a registered company in the trade of online software.
 
And, despite the title of the article, we are not related to "Guloader" or "CloudEye", nor did we develop this software in any way.
We are not sure where the alliance mentioned in the title of the article is.
This external reseller was providing our software along with software unrelated to us on the same platform, for their own income, unrelated to us.
We doubt VgoStore is the developer of any software sold on their platform.
 
We were aware that our employee also helped this company (VgoStore) with some of their work, which is why he had access to the dashboard of this retailer's site.
However, BreakingSecurity is not aware of the details of the tasks conducted by our employee in his side job for an external business.
The work conducted by our employee with VgoStore was conducted by him personally on his own behalf, without any relationship to the rest of BreakingSecurity.
Our employee worked for VgoStore by helping him with WordPress development, recording some videos, and helping him with his Telegram channel.
As can be seen in the article, our employee was using his own personal YouTube channel, not the one of BreakingSecurity.
BreakingSecurity was not aware of the internal details of VgoStore or their earnings, as they are a company external to ours.
BreakingSecurity's only profits derived from VgoStore were licenses of our products sold to it as a reseller.
The other income shown in your article is in no way related to BreakingSecurity, but only to VgoStore, of which we are not a part.
 

Regarding the claim that our company and VgoStore are the same one, or that our employee and Vgo are the same person using different accounts:
We asked our retailer VgoStore to provide clear proof showing that

  1. We are not the same company.
  2. Our companies are managed by different people.
  3. Our businesses do not share income.
    BreakingSecurity did not receive any income from the sale or support of any encryption tool or any other service provided on the VgoStore platform.
  4. The relationship between BreakingSecurity and VgoStore was just the one between a developer and a retailer;
    BreakingSecurity did not manage which other software or services were provided on this external platform.
    Before allowing resale of our software, we did, however, verify that our reseller had a registered company in the trade of online software.
  5. The work conducted by our ex-employee with VgoStore was done on his own behalf and outside of BreakingSecurity.

In this video, recorded by VgoStore and provided at our request, showing old chats between him and our employee, all the above points are clearly proved:

 
We also asked our retailer to provide evidence that he was not selling our software to suspicious users.
Proof of this in private chat conversations:

 
Our employee, too, was enforcing legal usage in private chats with customers who manifested suspicious intentions.
He provided us with evidence of old conversations with customers:

 

Regarding the data and samples displayed in the article from one of the servers used by our employee:
Our employee routinely used virtual servers to analyze and test new malware variants, as well as samples found in the wild.
This does not mean that the same malware was used for malicious purposes by us.
As cybersecurity researchers, we collect many different pieces of code, but this does not mean we are going to use them nefariously; we use them only for study and subsequently for updating our own solutions.
BreakingSecurity does not provide or sell any server, crypter or any other software except those found on the official BreakingSecurity.net platform.
The servers used by our employee were not purchased, monitored or used by BreakingSecurity; they were either provided by clients for testing, used internally for testing and analysis, or sold by VgoStore to clients who presented themselves as cybersecurity customers.
It is worth noting that our employee was tasked, during his external job for VgoStore, with helping customers install software on their own servers via remote support sessions. So he did not own some of the servers displayed in the article, and could not know what other tools were installed on those servers or how they were going to be used by the customers.

Our employee provided us with a record of an old conversation with the customer who sent him a sample (Formbook). The same customer was the owner of the Formbook panels.
The conversation proves that there is no relation between our employee and the malware campaigns mentioned in the article, and that our employee was not the owner of this server or of Formbook.
 

 
Following our internal investigation, we have taken the following actions:
 
1) We have terminated all relationships with the VgoStore company, as they provided external tools which could lead to abuse if used in combination with Remcos.
They no longer have the ability to present or resell any of our products, and all of our products have been removed from their sales platform.
 
2) The employee who collaborated with VgoStore has been removed from our company.
This decision was taken by mutual agreement between both parties (BreakingSecurity and our ex-employee), after a discussion of the situation.
 
We are available to analyze any sample or report regarding improper use of our products.
We invite you to contact us should there be any evidence of abuse of our software, or should you need any clarification.
Remcos is a multi-purpose tool for surveillance, red teaming and cybersecurity, and is used by many customers for entirely legitimate purposes, and we will not allow the abuse of our products by a few to tarnish our reputation and that of our products.
 
Best Regards
The BreakingSecurity.net Administration

Remcos v4.9.2 Update

This update features an improved Proxy function.

🔩 Proxy: Speed optimizations.
🔩 Proxy: Fixed error which caused high CPU usage on proxy.
🔩 Proxy: Fixed Agent crash in some cases.
🔩 Remcos Controller: Added check if Remcos is being executed from the zip without being extracted.
✅ Note: There is no need to update your remote Remcos Agents, as all the improvements were done on Remcos Controller or in plugin modules.

Full Remcos Changelog here.

Remcos v4.9.1 Update

This update features improved Cookie Recovery, the addition of a new AutoTask (Write Registry Value),
and various error fixes.

➕ AutoTasks: New AutoTask added: Write Registry Key
🍪 Cookie Recovery: Added support for Edge profiles
🍪 Cookie Recovery: Added support to latest Chrome browser update
🍪 Cookie Recovery: Fixed not getting cookies from some Chrome profiles
🔩 Stability: Fixed Remcos Controller errors when using Remcos inside a machine controlled via Remote Desktop Protocol, after restarting an RDP session.
🔩 Stability: Fixed Access Violation error in Remcos Controller in rare cases when using Screen Preview.
🔩 Control Center: Fixed GUI multithread error occurring in rare cases.

Full Remcos Changelog here.

Remcos v4.9.0 Update

This update improves the File Manager in many ways.
Performance when browsing and loading remote directories is now 4 times faster!
Thanks to this performance boost, folders with thousands of files can be loaded much more quickly.

Zip related functions (Zip, Unzip, Zip & Download) have been improved for better performance and stability:
Zipping or unzipping files or folders is now twice as fast as before!

File Manager stability has also been improved by fixing some resource leaks.
Also fixed some errors which made Remcos Agent or Controller crash when using File Manager.

Some quality of life improvements have also been added,
such as the auto-sorting of processes when opening Process Manager or Network Monitor.

⚡️ File Manager improved performance:
Listing files in a directory is now 4x faster!

🗜 Zip module improved performance:
With the new improved Zip module, zipping or unzipping is 2x faster!

🗜 Zip plugin optimized size:
230 KB before vs 154 KB now, for faster transmission to Remcos Agent.

➕ File Manager: Added Refresh shortcut button in toolbar

🔩 Zip Plugin improved stability: Fixed Remcos Agent crash when compressing folders with a large number of files.

🔩 File Manager: Fixed Unzip function not extracting subdirectories.

🔩 File Manager: Fixed resource leak causing Remcos Controller to crash, freeze, or show errors after browsing folders with many thousands of files.

🔩 File Search: Fixed resource leak.

🔩 Process Manager: Items are now automatically alphabetically sorted when opening form.

🔩 Network Monitor: Items are now automatically alphabetically sorted when opening form.

✅ Note: There is no need to update your remote Remcos Agents, as all the improvements were done on Remcos Controller or in plugin modules.

Full Remcos Changelog here.

Remcos v4.8.1 Update

This update solves some errors which were mainly affecting Windows Server and RDP users.
The fixes are Controller-side only, so there is no need to update your Remcos Agents.

🔩 ScreenCapture:
Fixed error which caused frames not to be shown and a memory leak.
Mostly happening on Windows Server 2012.

🔩 AutoTasks:
Fixed “Invalid Window Handle” error when using AutoTasks.
The error was happening when using Remcos inside an RDP session after an RDP relogin.

🔩 Other minor fixes.

Read Full Changelog here.

Remcos v4.8.0 Update

🌐 Added Network Monitor function:
Remcos Network Monitor provides a new level of monitoring and security for your devices.
Network Monitor shows any active connection from any process.
Details of any connection are clearly displayed.
With Network Monitor you can easily investigate suspicious connections and take action on suspicious processes.

⚙️ Improved Process Manager:
Now able to retrieve and show full paths of almost any process.

⚙️ Improved Window Manager:
Now able to retrieve and show full paths of almost any process.

🌍 Improved Geolocation:
More accurate geolocation for some agents.

🎨 Proxy: Form GUI fixes.

Read Full Changelog here.

Remcos v4.7.2 Update

📊 Improved Sorting of Agents:
Column sorting has been improved so you can easily sort your agent list by any column (latency, installation time, system uptime, idle time, RAM etc.).
You will easily be able to sort your agents from the fastest to the slowest (by latency, for example), or sort them by any parameter you want.
Just click on the column header and your agents list will be sorted.

🛑 Improved IP Blacklist:
Added an option to avoid logging repeated connection attempts from blacklisted IPs.
Useful to avoid spamming the event log with multiple connection attempts from the same IP.

🎨 Minor GUI optimizations:
Added some useful text hints in the Agent Builder.
Rearranged some components in Local Settings.

Read full changelog here.

Remcos v4.7.1 Update

🖥️ Improved Screen Capture:
Improved performance and smoothness thanks to multithread optimizations.

📷 Improved Camera:
Improved performance and smoothness thanks to multithread optimizations.

⚡ General performance: Improved performance of Remcos Controller and of the preview screen thanks to multithread optimizations.
🔩 Screen Capture: Fixed screenshot tool sometimes generating 0 byte files.
🔩 Screen Capture: Fixed resource leak when saving screenshots.

Read full changelog here.

Remcos v4.7.0 Update

🖥️ Improved Screen Capture:
Improved video codec to provide higher image quality and higher framerate.

⌨️ Improved Keylogger:
It is now possible to start and stop the offline keylogger at any time.
Various GUI improvements and optimizations.

🪟 Improved Window Manager:
Improved Unicode compatibility.
Fixed error in Controller when window titles contained some unicode characters.

📷 Improved Camera:
Fixed some multithread errors in the Controller when viewing multiple cameras or when saving multiple screenshots.

💉 Improved Process Injection:
Minor optimizations.

🛠️ Improved Agent Builder:
Minor optimizations.

🔩 Other optimizations and error fixes:
Various other minor improvements, optimizations and error fixes in Remcos Controller.

⚠️Compatibility Notes:
Old Agents are compatible with the new Controller.
However, with old Agents you will not get any advantage from the new Screen Capture codec.
The old codec will be used automatically on old Agents.
Also, it will not be possible to start and stop the offline keylogger on old Agents.
It is recommended to update your Agents to the latest version to take advantage of all the new improvements.

Read full changelog here.

Remcos v4.6.0 Update

↪️ DNS Redirection
With the new DNS Redirection function, you can block and redirect websites and hostnames.
The function places a system-wide redirection, so it works with any browser and program.

🔘 Toolbar
Added a button to show/hide shortcut keys in the function menu (the same option can also be set in Local Settings -> Preferences, as before).

🎨 Various GUI improvements and adjustments
for a better user experience and to better fit any screen at any DPI scaling. Tidier user interface.

🔩 Fixed error when using “Display Offline Agents” mode: the same agents were reconnecting as new agents (error introduced in v4.5.0).

🔩 Other minor error fixes

Full Changelog here.
