Revenge

Revenge was one of the most popular remote access trojans in 2019, when it was featured in a huge malicious campaign named “Aggah”. This malware can take remote control of infected machines and spy on the victims.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2016
Last seen: 28 July, 2021
Global rank: 33
Week rank: 21
Month rank: 20
IOCs: 3586

What is Revenge Malware?

Revenge belongs to the class of Remote Access Trojans, which means that attackers usually use it to control infected PCs remotely or to spy on users by monitoring keystrokes and even the computer's surroundings through remote webcam and microphone access.

Discovered for the first time in 2016, Revenge RAT remains a threat today, with a big spike in popularity observed in 2019, when the malware was seen targeting corporations and government structures all around the world in a massive malicious campaign codenamed “Aggah”. Thanks to a large variety of distribution methods, a robust core feature-set, and solid persistence mechanisms, Revenge has become a popular choice for cybercriminals. The popularity of this RAT was further aided by its open-source nature – anybody can freely download Revenge on underground hacking forums and employ it in their own campaigns.

General description of Revenge

The Revenge RAT was first observed in the wild in June 2016, when it was released by a user with the nickname Napoleon – an Arabic-speaking member of the underground hacking community.

The initial version of this malware was a simple malicious program that offered little, if any, code obfuscation and was mainly used by other Arabic-speaking cybercriminals. Despite the simplicity of the malware, at the time only one out of 54 VirusTotal scanners could pick up the malicious nature of the Revenge code, which confused researchers given the lack of anti-analysis techniques.

The creator used Visual Basic to develop this RAT and personally admitted that the malware was very bare-bones at the time of its initial release, providing only the most basic functions and definitely losing to competitors in terms of core feature-set. According to Napoleon, this explained why Revenge was available free of charge.

Two months after the initial release, the author issued a new version, v0.2, on a more popular hacking forum, this time with more features but still completely free of charge. Since then Revenge has evolved even further, and today it offers cybercriminals a wide range of capabilities, including remote alteration of files and the registry on an infected machine, access to memory, processes and services, and access to connected devices such as keyboards, webcams and mice. This allows the malware to record the actions of its victims and collect information like banking credentials and social account data.

The core malicious feature-set was not the only thing that evolved over the course of the Revenge lifetime. Improvements in distribution and persistence made this threat truly a force to be reckoned with. In some campaigns, scripts were executed in the HTML of a custom blogspot [com] page.

Revenge malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a look at the execution of this malware as it unfolds.

Figure 1: Process graph of the Revenge trojan execution, displaying the lifecycle of Revenge in a visual form. A graph generated by ANY.RUN.

Figure 2: Text report of the Revenge analysis, a customizable text report generated by the ANY.RUN malware analysis service which allows diving deeper into the details of the Revenge execution process.

Revenge execution process

The first steps of Revenge trojan execution may vary depending on how it made its way onto a victim's computer. The most common initial infiltration vector is the use of Mshta.exe to download the payload or to execute it directly from a URL. After the payload is delivered to the infected machine, Mshta.exe changes the autorun value in the registry and starts three processes: cmd.exe, powershell.exe and schtasks.exe. It starts cmd.exe to kill processes from a list; in the given example, processes from the Microsoft Office suite were targeted. Powershell.exe is launched to download the main payload. In turn, schtasks.exe is launched to create a scheduled task that gives Revenge persistence on the infected system. After all these steps, the malware is ready to carry out commands from C2 servers.
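
A defender can hunt for this chain in process-creation telemetry. The following added example (not from the original page or from ANY.RUN) groups constructed events by parent and flags an mshta.exe instance that starts cmd.exe, powershell.exe and schtasks.exe; the event field names, hosts, PIDs and the example.invalid URL are assumptions.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Child processes the page describes Mshta.exe starting after payload delivery.
EXPECTED_CHILDREN = {"cmd.exe", "powershell.exe", "schtasks.exe"}

# Constructed process-creation events; field names are assumptions loosely
# modeled on Sysmon Event ID 1 and must be mapped to your own telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "ppid": 3300, "cmdline": "mshta.exe http://example.invalid/a",
     "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Office\WINWORD.EXE"},
    {"host": "ws01", "pid": 4200, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"host": "ws01", "pid": 4201, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"host": "ws01", "pid": 4202, "ppid": 4120,
     "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\mshta.exe"},
    # Single child from a local HTA: below the default reporting threshold.
    {"host": "ws02", "pid": 910, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\mshta.exe"},
    # PowerShell started by Explorer: unrelated to the mshta chain, ignored.
    {"host": "ws02", "pid": 950, "ppid": 700,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

def hunt_mshta_chains(events, min_children=2):
    """Report mshta.exe instances that spawned several of the expected children."""
    remote = {}                      # (host, pid) -> mshta was given a URL
    children = defaultdict(set)      # (host, mshta pid) -> child image names
    for ev in events:
        image = basename(ev["image"]).lower()
        if image == "mshta.exe":
            cmd = ev.get("cmdline", "").lower()
            remote[(ev["host"], ev["pid"])] = "http://" in cmd or "https://" in cmd
        if basename(ev["parent_image"]).lower() == "mshta.exe" and image in EXPECTED_CHILDREN:
            children[(ev["host"], ev["ppid"])].add(image)
    findings = []
    for (host, pid), kids in sorted(children.items()):
        if len(kids) >= min_children:
            findings.append({"host": host, "mshta_pid": pid, "children": sorted(kids),
                             "remote_url": remote.get((host, pid), False),
                             "severity": "high" if kids == EXPECTED_CHILDREN else "medium"})
    return findings

if __name__ == "__main__":
    for finding in hunt_mshta_chains(SAMPLE_EVENTS):
        print(finding)
```

PIDs are reused over time, so on real telemetry the grouping key should also include a time window or a unique process identifier.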

How to avoid infection by Revenge?

The best line of defense against threats like Revenge RAT is to keep a security product installed and updated to the latest version. One should not disable native Windows security features, should regularly update the OS, and should adhere to the best security practices for staying safe online.

As such, it is advised to avoid downloading email attachments from unknown senders and never to enable macros in Microsoft Office if prompted to do so by a file downloaded from a suspicious email.

Distribution of Revenge

Revenge has been distributed in a variety of ways, some of which are potentially more effective than others. For example, Revenge is known to infect PCs through malicious email attachments and corrupted ads on compromised websites.

Most commonly, once delivered in a Microsoft Office file that was downloaded and launched by the potential victim, Revenge will use macros to connect to an outside domain, sometimes hidden on a web page, from which additional scripts and content are downloaded until the actual malware is installed on the PC.

How to detect Revenge RAT using ANY.RUN?

Analysts can get information about which MITRE ATT&CK™ MATRIX techniques were applied by the malware. Just click on the "ATT&CK™ MATRIX" button.

Figure 3: Revenge MITRE ATT&CK MATRIX techniques

Conclusion

Revenge is no slouch when it comes to Remote Banking Trojans. It began its lifespan as a simplistic malware with basic functionality and without anti-analysis features but has evolved to become a capable and persistent trojan used in massive attacks in Europe, North America, Asia, and the Middle East.

The popularity of this malware is due not only to its robust feature-set but also to its ready availability, since Revenge can be downloaded for free from a number of underground communities.

Professionals can establish a secure cyber defense against Revenge and similar RATs and secure their corporate or government networks by reverse engineering and studying a threat using malware hunting services like ANY.RUN.

