Page 84 - Cyber Defense eMagazine October 2023

Introduction

Within the ever-evolving landscape of cybersecurity threats, our investigation has uncovered a sophisticated ecosystem in which the Remcos Remote Access Trojan (RAT) thrives. This ecosystem is supported by a diverse array of servers that function as command and control (C2) centres, orchestrating the distribution of Remcos RAT and various other malicious files to compromised systems. As part of our commitment to digital security, this report presents a thorough analysis of the Remcos RAT, revealing a web of malicious IPs, intricate payloads, and techniques. By dissecting the modus operandi of this threat, we aim to equip organizations and individuals with the insights needed to fortify their defences against this persistent and sophisticated cyber menace.

Remcos RAT (Remote Control and Surveillance RAT) is a remote access Trojan that facilitates unauthorized remote control and surveillance of compromised systems. It is malicious software designed to infiltrate computers, gain control over them, and exfiltrate sensitive data. Remcos RAT is typically spread through malicious attachments, drive-by downloads, or social engineering tactics. It has been in operation since 2016, when BreakingSecurity, a European company, introduced it and marketed Remcos as a legitimate remote-control tool. Despite the security company's assertion that access is restricted to lawful use, Remcos RAT has become a commonly employed tool in malicious campaigns conducted by threat actors.



Key Points

• Our investigation uncovers several IPs hosting the Remcos RAT, with "141[.]95[.]16[.]111[:]8080" serving as a prime example. This IP hosts malicious files, including a .bat script ("recover.bat") and the Remcos RAT binary ("RiotGames.exe"). Our OSINT research reveals a surge in IPs delivering Remcos RAT payloads over the past two months, with fresh IPs detected even in the current month.
• The "recover.bat" script, executed upon infection, uses PowerShell to download the second-stage payload ("RiotGames.exe") from a remote location.
• The "RiotGames.exe" binary modifies the registry to disable User Account Control (UAC), granting the malware elevated privileges. This tactic aims to evade UAC prompts and carry out actions undetected. Additionally, the RAT establishes persistence through auto-run registry keys.
• Extracted configuration data reveals critical details, including the C2 IP ("141[.]95[.]16[.]111"), botnet name ("NewRem"), filenames, directories, and mutex name. This data guides Remcos RAT's operation, which ranges from keylogging and audio recording to screenshot capture and system manipulation.
• The malware incorporates keylogging and audio recording capabilities and captures desktop screenshots in bitmap format. The data can be exfiltrated, raising concerns about the potential exposure of sensitive data and credentials.
• We believe with low confidence that the campaign is targeting the gaming industry and individuals involved in gaming.
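The three host-side behaviours listed above (a batch script spawning a PowerShell download, UAC being switched off in the registry, and an auto-run Run key being written) map directly onto Sysmon process-creation and registry-value-set telemetry. The following is an added detection example, not code from the report; the events are constructed sample telemetry (defanged C2 taken from the report, user paths and SID are placeholders), and the registry locations are the standard Windows UAC (EnableLUA) and Run keys, not values taken from the extracted configuration.

```python
"""Flag the Remcos behaviours above in Sysmon-style events.
Event ID 1 = Process Create, Event ID 13 = Registry value set.
Field names follow Sysmon's schema; all sample events are constructed."""

UAC_KEY = "\\Policies\\System\\EnableLUA"            # UAC master switch, 0 = disabled
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
DOWNLOAD_MARKERS = ("://", "downloadfile", "downloadstring", "invoke-webrequest", "webclient")


def classify(event):
    """Return the list of finding names for one event (empty if nothing matched)."""
    findings = []
    if event.get("EventID") == 13:
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if target.endswith(UAC_KEY) and details.endswith("(0x00000000)"):
            findings.append("uac_disabled")
        if any(k in target for k in RUN_KEYS):
            findings.append("runkey_persistence")
    elif event.get("EventID") == 1:
        image = event.get("Image", "").lower()
        parent = event.get("ParentCommandLine", "").lower()
        cmd = event.get("CommandLine", "").lower()
        if image.endswith("powershell.exe") and ".bat" in parent and any(m in cmd for m in DOWNLOAD_MARKERS):
            findings.append("bat_spawned_powershell_download")
    return findings


def scan(events):
    """Group the images that triggered each finding, keyed by finding name."""
    hits = {}
    for ev in events:
        for name in classify(ev):
            hits.setdefault(name, []).append(ev.get("Image", "?"))
    return hits


# Constructed sample telemetry (placeholder paths/SID; C2 is the report's defanged IP).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\<user>\AppData\Local\Temp\recover.bat"',
     "CommandLine": "powershell -w hidden -c <download cmdlet> hxxp://141[.]95[.]16[.]111[:]8080/RiotGames.exe"},
    {"EventID": 13, "Image": r"C:\Users\<user>\AppData\Roaming\RiotGames.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Users\<user>\AppData\Roaming\RiotGames.exe",
     "TargetObject": r"HKU\S-1-5-21-<SID>\Software\Microsoft\Windows\CurrentVersion\Run\RiotGames",
     "Details": r"C:\Users\<user>\AppData\Roaming\RiotGames.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",   # benign: unrelated policy value
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for name, images in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {images}")
```

Each rule fires on behaviour rather than on the hashes or IP of this one campaign, so the same logic keeps matching when the operators rotate infrastructure or rename the binary.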






            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.