Between January and February 2024, the following configurations of VenomRAT and RemcosRAT and the process killing library RumpeDLL were found uploaded to the host 45.XX.XX.XX 

From 23 January 2024 onwards, uploads and modification timestamps of RAT malware configuration files uploaded to the distribution host can be seen. This distribution session is subsequent to the article published on Swascan blog in October 2023, published at the following link: https://www.swascan.com/it/venomrat-darknet-analisi-malware/.  

There is an attempt by the malcoders to encode the uploaded threats in Base64 + Reversed text format and substitute different character types within the “raw” data of the distributed Portable Executables in order to make decoding more complex. These characters are then correctly replaced by the RumpeDLL DLL library, which is also on board the malware delivery server. 

The public IP address in question is a VPS (Virtual Private Server, a system instance running in a virtual environment) registered by Masterdaweb[.]com, cloud computing services that can be used in Brazil for file hosting and delivery, in this case. An element of note is the fact that the RemcosRAT sample disseminated through this VPS was compiled in November 2023, while for VenomRAT the sample was compiled in March 2021, so for the latter there was mostly an update of the distribution activity.  

RAT threats have the main objective of carrying out malicious remote management activity towards the compromised machine and, in some cases, stealing credentials, sensitive user data, and installing additional threats, such as ransomware threats and keyloggers. 

For further analysis: