Analysis Summary

First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected computer. The malware is typically distributed through phishing emails or exploit kits and once it infects a system, it can steal sensitive information, install additional malware, or even use the machine to launch further attacks.

Revenge RAT uses various techniques to evade detection and analysis, such as code obfuscation and anti-debugging techniques. It also uses a technique called "process injection" to inject its code into legitimate processes and remain hidden from security software.

Once installed, Revenge RAT establishes a connection to its Command and Control (C&C) server, which enables the attacker to remotely control the infected machine and steal sensitive information. The malware can also log keystrokes, capture screenshots, and record audio and video. Revenge RAT can also propagate itself to other machines on the same network, by exploiting known vulnerabilities or weak passwords.

To protect against Revenge RAT, it is important to keep software and operating systems up-to-date, to be cautious when opening emails or clicking on links from unknown sources, and to use security software that can detect and remove RATs. Additionally, using a firewall, disabling unnecessary services and ports, and keeping your network segmented can also help prevent the spread of malware.

Impact

• Unauthorized Access
• Information Theft

Indicators of Compromise

MD5

• 19dec27aebb0765515dce112629e6bf0
• 16f58ae67e03878af86c54501a568d7b
• 9efc83953d1cd53c1e4a1cecb7c07828
• 7314737e8dfca524250fcd6508f11d17
• e6c62c08bcf6e855dcc57d4672f35f22

SHA-256

• f0a08759c7ffcc5dc2be1c4406357e3e0d50db90d69c957140a5d5a96677d5d6
• 8bba854cc78ef4bee78a3057cf08d3d12c6da32ba5e205bc8081b1ac0b191372
• f1877a05b29ff71defc0f60d80713b14342333eb7515c77771f5419f480991cf
• c821cfc5e83b96365f4384312fa29e7407a42fb97871e8f1f23ab4a698c1b390
• a0c62d117ca24a43bc6ca8d4fd841429827728d46aed60ae0c1dd93e7d44c4c7

SHA-1

• 157f1b9b9a3cfee78e41a2ee7040c2c3d31acea9
• 08a9c4f7113a6775379492c398b390a0fa54a80c
• 2c95438d6db39af1f28addebc4180eab9b7599bb
• 2d3156b0c3b5f3944abe6c86e7096e07ca53e052
• 1a314ad57695bc7c1eb5a56069680ba504bcd63d

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Patch and upgrade any platforms and software timely and make it into a standard security policy.
• Enforced Access Management Policies.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.