{"id":1545,"date":"2024-09-24T10:20:54","date_gmt":"2024-09-24T10:20:54","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1545"},"modified":"2025-07-29T07:19:19","modified_gmt":"2025-07-29T07:19:19","slug":"analysis-of-revenge-rat-campaign","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-revenge-rat-campaign\/","title":{"rendered":"Analysis of Revenge RAT Campaign"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Revenge RAT is a Remote Access Trojan (RAT) that is known to be a relatively straightforward and openly accessible malware. As reported by LMNTRIX CDC, this particular RAT has the capability to collect system information autonomously, enabling malicious actors to gain remote access to targeted systems. Once compromised, the attackers can take control of various components, including webcams, microphones, and other utilities present in the system.<\/p>\n\n\n\n

Infection Chain<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Target \u2013<\/strong> MS Windows Platform<\/p>\n\n\n\n

Language Used \u2013 <\/strong>.NET Language<\/p>\n\n\n\n

Infection Vector \u2013<\/strong> Spear phishing e-mails<\/p>\n\n\n\n

<\/p>\n\n\n\n

Source Code Analysis of Revenge RAT<\/h3>\n\n\n\n

Revenge RAT initially showed up in mid-2016, and the RAT was written in .NET language. The code of the Revenge RAT that we extracted is unpacked (not packed\/obfuscated). The many classes and methods found in the decompiled code are described here for better understanding.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

One of the main objectives of many threat actor groups is to introduce persistent malware onto a business network, and they are continuously seeking for new ways to accomplish this. However, there are occasions when tried-and-true methods work best.<\/p>\n\n\n\n

Researchers from LMNTRIX have been monitoring the activities of one threat group that targets financial services firms and governmental organizations with high-quality spear phishing emails in order to install a “modified version” of the well-known Revenge RAT and exfiltrate a range of sensitive data. For a long period of time, many different sorts of threat actor groups have used remote access trojans (RAT) as common tools for gaining initial access.<\/p>\n\n\n\n

They frequently come with a wide range of features and provide an attacker one of the things they most desire: ongoing remote access to a target network.<\/p>\n\n\n\n

Examples \u2013 From Revenge RAT\u2019s source code analysis by LMNTRIX,<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Many Remote Access Trojans have been marketed extensively in a range of underground sites, while others are built for the exclusive use by one individual or group and never made public.<\/p>\n\n\n\n

Sometimes a piece of malware’s source code is also made available to the public, as was the case with the Revenge RAT. Having access to the source code enables attackers to make changes that can both increase the malware’s potency and help it get past security measures, it gives us all the more reason to “study” and analyse Revenge RAT from time to time.<\/p>\n\n\n\n

Main Function \u2013 declaration, compiler and imported libraries,<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Code for Date, Time & Geolocation \u2013 Enumeration,<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Local System Enumeration by Revenge RAT,<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Code for Keylogger functionality,<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Code for Password list being exported,<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Code for Wireless AP Enumeration,<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Code for Revenge RAT Clients (list), and plotting location on Google maps,<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Sample Information<\/strong><\/p>\n\n\n\n

Threat Name: Revenge RAT | Classification: Remote Access Trojan \/ Injector<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Technical Analysis of the Revenge RAT sample,<\/h3>\n\n\n\n

A PPT file, which stands for PowerPoint Presentation, is a format primarily associated with Microsoft PowerPoint, a popular software used for creating presentations. PPT files consist of slides that can contain a variety of elements such as text, images, charts, tables, multimedia (audio or video), animations, and transitions. They enable users to develop visually engaging and interactive presentations suited for diverse purposes like business meetings, educational lectures, training sessions, and more.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

MS Powerpoint – Security Notice Window – VBA Macro Code<\/strong><\/p>\n\n\n\n

These files are typically saved in a binary format and can be accessed and modified using Microsoft PowerPoint or compatible software like Google Slides or Apple Keynote. PPT files have gained widespread acceptance as the standard format for crafting and sharing presentations, owing to their extensive usage and compatibility across multiple platforms and operating systems.<\/p>\n\n\n\n

PPT Embedded file Structure<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It’s important to note that embedding files can increase the overall size of the PPT file, so it’s important to consider the file size and compatibility when sharing or distributing presentations with embedded files.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Embedded file – Randomized folder> asdwede3f Compobj<\/strong><\/p>\n\n\n\n

Attribute VB_Name = “asdwede3f<\/strong>“<\/p>\n\n\n\n

Attribute VB_Base =<\/p>\n\n\n\n

“0{7B62F3DE-0C0F-4C64-A532-883B3E7891E5}{4D17EC23-B7E9-4A3D-921E-4C14D1AF354E}”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Here we can see the PowerShell command which invokes the web request and quite it\u2019s a long string. Also, it\u2019s base64 encoded and below we can see the decoded values.<\/p>\n\n\n\n

Generally, Base64 encoding is a way to represent binary data in ASCII text format. It is mainly used to encode data for transmission over networks or to store data in a text format.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Similar Executable Parent files<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Indicators of Compromise [IOC] for Revenge RAT,<\/strong><\/p>\n\n\n\n

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Appendix A \u2013 Functions available within the Revenge RAT (source),<\/strong><\/h3>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Appendix B – MITRE ATT&CK Tactics & Techniques for Revenge RAT,<\/strong><\/h3>\n\n\n\n
ID<\/td>Tactic<\/td>Technique<\/td><\/tr>
TA0001<\/td>Initial Access<\/td>Spearphishing Attachment<\/td><\/tr>
TA0002<\/td>Execution<\/td>Windows Scripting – .PPT (or) .PPAM Exploitation for client Execution<\/td><\/tr>
TA0003<\/td>Persistence<\/td>Registry Run Keys \/ Startup Folder<\/td><\/tr>
TA0004<\/td>Privilege Escalation<\/td>Scheduled Task Process Injection<\/td><\/tr>
TA0005<\/td>Defense Evasion<\/td>Modify Registry Virtualization and Sandbox Evasion Technique Obfuscated file or Information<\/td><\/tr>
TA0006<\/td>Credential Access<\/td>OS Credential Dumping LSASS Memory<\/td><\/tr>
TA0007<\/td>Discovery<\/td>System Software Discovery Process Discovery File and Directory Discovery Query Registry<\/td><\/tr>
TA0008<\/td>Lateral Movement<\/td>Remote file copy<\/td><\/tr>
TA0009<\/td>Collection<\/td>Archive Collected Data Clipboard Data Data from Local System<\/td><\/tr>
TA0011<\/td>C&C Server<\/td>Encrypted Channels Web Protocols – Standard Application Layer Protocol Data Obfuscation<\/td><\/tr>
TA0012<\/td>Network Effect<\/td>Eavesdrop on insecure communication network channel Exploit SS7 for Redirection & Tracking Device Location<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

Revenge RAT is a Remote Access Trojan (RAT) that is known to be a relatively straightforward and openly accessible malware. As reported by LMNTRIX CDC, this particular RAT has the capability to collect system information autonomously, enabling malicious actors to gain remote access to targeted systems. Once compromised, the attackers can take control of various […]<\/p>\n","protected":false},"author":1,"featured_media":1739,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1545","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1545"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1545\/revisions"}],"predecessor-version":[{"id":4404,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1545\/revisions\/4404"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1739"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}