VenomRAT & RemcosRAT: February 2024 update

Between January and February 2024, the following configurations of VenomRAT and RemcosRAT, together with the process-killing library RumpeDLL, were found uploaded to the host 45.XX.XX.XX.

From 23 January 2024 onwards, upload and modification timestamps of RAT malware configuration files can be seen on the distribution host. This distribution session follows the one described in the article published on the Swascan blog in October 2023, available at the following link:

The malware authors attempt to encode the uploaded payloads as Base64 combined with reversed text, and substitute various character types within the "raw" data of the distributed Portable Executables in order to make decoding more complex. These characters are then restored by the RumpeDLL library, which is also hosted on the malware delivery server.
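As an added illustration (not code from the post, nor from the samples or RumpeDLL it describes), the following Python triage helper unwraps a blob encoded the way the post describes and checks whether the result is a PE file. The substitution map, the layer order (Base64, then reversal, then character substitution) and the sample bytes are constructed assumptions, since the post does not give them.

```python
import base64

# Constructed substitution map standing in for the one RumpeDLL restores;
# the real mapping is not on the page, so this is an assumption.
SUBSTITUTIONS = {"!": "+", "#": "/", "$": "="}

def unwrap_payload(blob: str) -> bytes:
    """Undo the layers described in the post, assuming the order
    Base64 -> reversed text -> character substitution on the way in."""
    restored = "".join(SUBSTITUTIONS.get(ch, ch) for ch in blob)
    return base64.b64decode(restored[::-1], validate=True)

def looks_like_pe(data: bytes) -> bool:
    """Triage check: MZ magic, a sane e_lfanew and a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def wrap_payload(data: bytes) -> str:
    """Constructed inverse, used only to build the sample below."""
    inverse = {v: k for k, v in SUBSTITUTIONS.items()}
    reversed_b64 = base64.b64encode(data).decode()[::-1]
    return "".join(inverse.get(ch, ch) for ch in reversed_b64)

def build_sample() -> bytes:
    """Constructed stand-in for a dropped executable: a minimal DOS/PE header."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)     # 0x3C bytes of DOS header
    hdr += (0x40).to_bytes(4, "little")         # e_lfanew -> 0x40
    hdr += b"PE\0\0" + b"\x00\xfb\xff\xbf"      # signature + bytes that yield '+' and '/'
    return bytes(hdr)

def triage(blob: str) -> dict:
    """Decode a blob taken from the distribution host and report what it holds."""
    try:
        data = unwrap_payload(blob)
    except (ValueError, UnicodeDecodeError):
        return {"decoded": False, "size": 0, "is_pe": False}
    return {"decoded": True, "size": len(data), "is_pe": looks_like_pe(data)}

if __name__ == "__main__":
    blob = wrap_payload(build_sample())
    print(blob)
    print(triage(blob))
```

Against a real blob, replace SUBSTITUTIONS with the mapping recovered from the DLL that restores the characters, and the same routine tells you whether a file on the host is a wrapped executable.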

The public IP address in question belongs to a VPS (Virtual Private Server, a system instance running in a virtual environment) registered by Masterdaweb[.]com, a cloud computing provider operating in Brazil whose services were used in this case for file hosting and delivery. An element of note is that the RemcosRAT sample disseminated through this VPS was compiled in November 2023, while the VenomRAT sample was compiled in March 2021, so for the latter the update concerns mainly the distribution activity rather than the sample itself.

RAT threats have the main objective of carrying out malicious remote management of the compromised machine and, in some cases, stealing credentials and sensitive user data and installing additional threats, such as ransomware and keyloggers.

For further analysis:

Botnet & Infostealers: Financial Threat Landscape 2023
ChatGPT Ransomware: analysis of the source code
