CyberSecurity SEE

Fileless Revenge RAT Utilizes Tools to Conceal Malicious Activity


Revenge RAT is being distributed by threat actors bundled with legitimate tools such as “smtp-validator” and “Email to SMS,” which complicates detection. When the bundle is executed, the legitimate tool runs in the foreground while the malicious component runs covertly alongside it, so the user sees only the program they expected to launch.

According to information shared with Cyber Security News, the dropper first creates a file called “setup.exe,” executes it, and hides it before launching “smtp-verifier.exe,” the legitimate tool. The rest of the chain involves several additional files.

“setup.exe” then creates “svchost.exe” in “%appdata%\Microsoft\Windows\Templates,” sets the hidden attribute on it, and runs it. The file only borrows the name of the Windows service host: the genuine svchost.exe runs from System32, and the same applies to the “explorer.exe” dropped later in the chain. “setup.exe” also registers this “svchost.exe” in the autorun (Run) registry key under the value name “Microsoft Corporation Security.” Once running, “svchost.exe” connects to the C2 server and downloads an HTML file carrying a compressed payload, which it decompresses.

The decompressed payload creates and runs “explorer.exe” in the same “%appdata%\Microsoft\Windows\Templates” path. Two C2 server addresses are embedded in it: the second is a fallback for when the first C2 URL is blocked, and it also gives the operators a way to move to a new C2 server.

This new “explorer.exe” then creates “version.exe” in “%appdata%\Microsoft\Windows\” and an .inf file in “%temp%.” “version.exe” is launched through “cmstp.exe,” a signed Windows binary that processes .inf files, and the Revenge RAT payload itself runs in memory rather than being written to disk, which is what makes the final stage fileless.

In addition, “version.exe” runs a PowerShell command that adds the files used by Revenge RAT to the Windows Defender exclusion list, so that Defender does not interfere with the rest of the chain.
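The chain above yields four behaviours a defender can hunt for without any file hash: svchost.exe or explorer.exe running from outside the Windows directories, a Run value named “Microsoft Corporation Security,” cmstp.exe handed an .inf file from a Temp directory, and PowerShell adding Defender exclusions. The following is an added example, not code from ASEC or from the article, that encodes those four checks and runs them over a handful of constructed Sysmon-style events; the event dict layout, the user name, SID and the cmstp flag are assumptions, and real Sysmon records would need to be parsed from XML or EVTX first.

```python
"""Detection rules for the Revenge RAT execution chain (added example).

Not the ASEC report's or the article's code. Runs over constructed,
Sysmon-style events expressed as dicts (event_id 1 = process creation,
event_id 13 = registry value set); real Sysmon records are XML/EVTX.
"""
import ntpath
import re

# Directories the genuine svchost.exe / explorer.exe run from. A file with one
# of these names anywhere else (e.g. %appdata%\Microsoft\Windows\Templates)
# is only borrowing the name.
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
MASQUERADED_NAMES = {"svchost.exe", "explorer.exe"}

# Run key write; the captured group is the value name.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\(.+)$", re.I)
RUN_VALUE_NAME = "microsoft corporation security"  # value name set by setup.exe

# cmstp.exe handed an .inf file that lives under a Temp directory.
INF_IN_TEMP_RE = re.compile(r"\\temp\\[^\s\"']+\.inf\b", re.I)

# PowerShell adding (or replacing) Defender exclusions.
EXCLUSION_RE = re.compile(r"(?:add|set)-mppreference\s.*-exclusion(?:path|process|extension)\b", re.I)


def is_masquerade(path):
    """True if path names svchost.exe/explorer.exe outside the Windows directories."""
    directory, name = ntpath.split(path.strip('"'))
    return name.lower() in MASQUERADED_NAMES and directory.lower() not in LEGIT_DIRS


def detect_masquerade(ev):
    if ev.get("event_id") == 1 and is_masquerade(ev["image"]):
        return ("system-binary-name-outside-system-dir", ev["image"])
    return None


def detect_run_key(ev):
    if ev.get("event_id") != 13:
        return None
    m = RUN_KEY_RE.search(ev["target_object"])
    if not m:
        return None
    value_name = m.group(1)
    # Either the exact value name from this campaign, or a Run entry pointing at
    # a masqueraded binary; a bare "points into AppData" test is too noisy.
    if value_name.lower() == RUN_VALUE_NAME or is_masquerade(ev["details"]):
        return ("run-key-persistence", f"{value_name} -> {ev['details']}")
    return None


def detect_cmstp_inf(ev):
    if ev.get("event_id") != 1 or ntpath.basename(ev["image"]).lower() != "cmstp.exe":
        return None
    m = INF_IN_TEMP_RE.search(ev.get("command_line", ""))
    return ("cmstp-inf-from-temp", m.group(0)) if m else None


def detect_defender_exclusion(ev):
    cl = ev.get("command_line", "")
    if ev.get("event_id") == 1 and EXCLUSION_RE.search(cl):
        return ("defender-exclusion-added", cl)
    return None


RULES = (detect_masquerade, detect_run_key, detect_cmstp_inf, detect_defender_exclusion)


def analyze(events):
    """Return every (rule_name, detail) hit over an iterable of event dicts."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry (user name, SID and the cmstp flag are assumptions).
APPDATA = r"C:\Users\alice\AppData\Roaming"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # Benign: the real service host and the real shell.
    {"event_id": 1, "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"event_id": 1, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    # setup.exe runs the hidden svchost.exe it dropped under Templates.
    {"event_id": 1, "image": rf"{APPDATA}\Microsoft\Windows\Templates\svchost.exe", "command_line": "svchost.exe"},
    # setup.exe registers it for autorun under the value "Microsoft Corporation Security".
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security",
     "details": rf"{APPDATA}\Microsoft\Windows\Templates\svchost.exe"},
    # The payload decompressed from the downloaded HTML runs explorer.exe from the same directory.
    {"event_id": 1, "image": rf"{APPDATA}\Microsoft\Windows\Templates\explorer.exe", "command_line": "explorer.exe"},
    # cmstp.exe processes the .inf dropped in %temp%.
    {"event_id": 1, "image": r"C:\Windows\System32\cmstp.exe", "command_line": rf"cmstp.exe /s {TEMP}\cfg.inf"},
    # version.exe adds the dropped paths to the Defender exclusion list.
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": rf"powershell -Command Add-MpPreference -ExclusionPath '{APPDATA}\Microsoft\Windows'"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run against the sample set, the two benign events produce nothing and the five malicious ones each trip exactly one rule. The masquerade check keys on directory rather than file name alone, since the point of dropping “svchost.exe” and “explorer.exe” under Templates is to blend into a process list; the Run-key rule deliberately does not flag every AppData path, because many legitimate applications persist that way.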

ASEC has published a detailed analysis covering the malware, its source code, the file execution chain, and other related details.

The indicators of compromise published with the analysis include file detections such as “Trojan/Win.Generic.C4223332,” “Trojan/Win.Generic.C5583117,” “Dropper/Win.Generic.C5445718,” and “Backdoor/Win.REVENGERAT.C5582863,” among others, together with MD5 hashes for the individual files in the chain (“smtp-verifier.exe,” “setup.exe,” “svchost.exe,” “explorer.exe,” and others). The Command and Control (C&C) server was reported as active at “qcpanel.hackcrack[.]io:9561.”

The Revenge RAT campaign is a reminder that threat actors do not need a software vulnerability to compromise a system: here the initial foothold comes from trojanizing legitimate tools, and the rest of the chain relies on masquerading file names, a registry autorun entry, a signed Windows binary (cmstp.exe) and a Defender exclusion. Organizations and individuals should monitor for these behaviours (system-binary names running from %appdata%, new Run entries, cmstp.exe processing .inf files from %temp%, and additions to Defender exclusions) rather than relying on file signatures alone.


