Page 85 - Cyber Defense eMagazine October 2023

ETLM Attribution

Identified IPs Hosting Remcos RAT:

Our research team identified several IPs hosting Remcos RAT that are believed to be part of campaigns in which numerous IPs host Remcos RAT and other malicious files. First, the research handle “@ULTRAFRAUD” reported the IP address “141[.]95[.]16[.]111:8080” hosting several malicious files, including a .bat script (recover.bat) and a Remcos RAT binary (RiotGames.exe).

The IP address primarily serves as a delivery point for the Remcos RAT. The server is predominantly utilized to transmit files that are associated with the Remcos RAT, including both the malicious communication payloads and the downloaded files, which consistently manifest as variants of the Remcos RAT.
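As an added example (not part of the report), the following Python hunt refangs the indicator quoted above and checks constructed proxy log lines for the ip:port, for the same host on other ports, and for the two payload file names named in the report; the log format and all log entries are assumptions.

```python
"""Turn the defanged IoC from the report into a hunt over proxy logs."""

# Indicator exactly as reported on the page (defanged) and the file names it lists.
DEFANGED_INDICATOR = "141[.]95[.]16[.]111:8080"
KNOWN_FILES = ("recover.bat", "RiotGames.exe")

# Constructed sample proxy log (not real telemetry): a timestamp followed by key=value fields.
SAMPLE_LOG = """\
2023-10-02T09:14:07Z src=10.0.0.23 dst=141.95.16.111:8080 url=http://141.95.16.111:8080/recover.bat status=200
2023-10-02T09:14:09Z src=10.0.0.23 dst=141.95.16.111:8080 url=http://141.95.16.111:8080/RiotGames.exe status=200
2023-10-02T09:15:11Z src=10.0.0.41 dst=93.184.216.34:443 url=https://example.com/index.html status=200
2023-10-02T09:16:30Z src=10.0.0.57 dst=141.95.16.111:443 url=https://141.95.16.111/login status=404
2023-10-02T09:17:02Z src=10.0.0.58 dst=203.0.113.9:80 url=http://203.0.113.9/RiotGames.exe status=200
"""


def refang(indicator: str) -> str:
    """Reverse common defanging: "[.]" becomes "." and "hxxp" becomes "http"."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; the leading timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def hunt(log_text: str, indicator: str = DEFANGED_INDICATOR) -> list:
    """Return (timestamp, src, reason) for each line touching the indicator or its payload names."""
    host, _, port = refang(indicator).rpartition(":")
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        dst_host, _, dst_port = f.get("dst", "").rpartition(":")
        filename = f.get("url", "").rsplit("/", 1)[-1]
        if dst_host == host:
            # The same host on another port still merits review: delivery infrastructure gets reused.
            reason = "exact ip:port" if dst_port == port else f"same host, port {dst_port}"
            hits.append((f["ts"], f["src"], reason))
        elif filename in KNOWN_FILES:
            hits.append((f["ts"], f["src"], f"known payload name {filename} from other host"))
    return hits


if __name__ == "__main__":
    for ts, src, reason in hunt(SAMPLE_LOG):
        print(ts, src, reason)
```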

Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.