Revenge

Revenge belongs to the class of Remote Access Trojans which means that it is usually used by the attackers to control infected PCs remotely or spy on the users by monitoring keystrokes and even computer surroundings through the remote webcam and microphone access.

  • Type
    Trojan
  • Origin
    Unknown
  • First seen
    1 January, 2016
  • Last seen
    17 November, 2019
Global rank
28
Week rank
23
Month rank
25
IOCs
633

What is Revenge Malware?

Revenge belongs to the class of Remote Access Trojans which means that it is usually used by the attackers to control infected PCs remotely or spy on the users by monitoring keystrokes and even computer surroundings through the remote webcam and microphone access.

Discovered for the first time in 2016, Revenge continues to be a threat at the present day with a big spike in popularity monitored in 2019, when the malware was observed targeting corporations and government structures all around the world in a massive malicious campaign codenamed “Aggah”. Thanks to a large variety of distribution methods, robust core feature-set, and solid persistence mechanisms, Revenge has become a popular choice for cybercriminals. The popularity of this RAT was further aided by its open-source nature – anybody can freely download Revenge on underground hacking forums and employ it in their own campaigns.

General description of Revenge

The Revenge RAT was first observed in the wild in June 2016, when it was released by a user with a nick Napoleon – an Arabic speaking member of the underground hacking community.

The initial version of this malware was a simple malicious program that didn’t offer much, if any, code obfuscation and was mainly used by other Arabic speaking cybercriminals. Despite the simplicity of the malware, at the time, only one out of 54 of VirusTotal scanners could pick up the malicious nature of the Revenge code, which confused the researchers bearing in mind the lack of anti-analysis techniques.

The creator used Visual Basic to develop this RAT and personally admitted that the malware was very bare-bones at the time of its initial release– providing only the most basic functions and definitely losing to competitors in terms of core feature-set. According to Napoleon, this explained why Revenge was available free of charge.

After two months since the initial release, a new version v0.2 was issued by the author, on a more popular hacking forum, this time with more features, but still offered completely free of charge. Since then Revenge has evolved even further and today, it offers cybercriminals a wide range of capabilities including remote files and registry alterations on an infected machine, access to memory, processes and services as well as access to connected devices such as keyboards, webcams and mice, allowing this malware to record the actions of its victims and collect information like banking credentials and social account data.

Core malicious feature-set was not the only thing that evolved over the course of the Revenge lifetime. Improvements in distribution and persistence made this threat truly a force to be reckoned with. In some campaigns, scripts were executed in the HTML of a custom blogspot [com] page.

Revenge malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a look at the execution of this malware as it unfolds.

process graph of the revenge trojan execution Figure 1: Displays the lifecycle of Revenge in a visual form. A graph generated by ANY.RUN

text report of the revenge analysis Figure 2: Shows a customizable text report generated by the ANY.RUN malware analysis service which allows diving deeper into the details of the Revenge execution process.

Revenge execution process

Sometimes the first steps of Revenge execution may vary depending on how it made its way into a victim's computer. The most common form of initial infiltration vector is by the use of Mshta.exe for downloading the payload or for direct execution from a URL. After the payload is delivered to the infected machine, Mshta.exe changes the autorun value in the registry and starts three processes - cmd.exe, powershell.exe and schtasks.exe. It starts cmd.exe to kill processes from a list, in the given example processes from Microsoft Office packet were targeted. Powershell.exe is being launched to download the main payload. In turn, schtasks.exe is launched in a way to generate a scheduled task which provides Revenge persistence in the infected system. After all these steps, the malware is ready to complete commands from C2 servers.

How to avoid infection by Revenge?

The best line of defense against threats like Revenge is to keep a security product installed and updated with the latest firmware. One should not disable native Windows security features, regularly update the OS and adhere to the best security practices of staying safe online.

As such, it is advised to stay clear of downloading email attachments from unknown senders and never enabling macros in Microsoft Office if prompted to do so by a file downloaded from a suspicious email.

Distribution of Revenge

Revenge has been seen being distributed in a variety of ways, some of which are potentially more effective than others. For example, Revenge is known to infect PCs from malicious email attachments and corrupted ads on compromised websites.

Most commonly, once delivered in the Microsoft Office file that was downloaded and launched by the potential victim, Revenge will use macros to connect to an outside domain, sometimes hidden on a web page, from which additional scripts and content are downloaded until the actual malware is installed on the PC.

How to more info from the analysis of Revenge malware using ANY.RUN?

Analysts can get information about which MITRE ATT&CK™ MATRIX techniques were applied by malware. Just click on the "ATT&CK™ MATRIX " button.

Revenge MITRE ATT&CK MATRIX techniques Figure 3: Revenge MITRE ATT&CK MATRIX techniques

Conclusion

Revenge is no slouch when it comes to Remote Banking Trojans. It has begun it’s lifespan as a simplistic malware with functionality and without anti-analysis features but has evolved to become a capable and persistent trojan used in massive attacks in Europe, North America, Asia, and the Middle East.

The popularity of this malware is not only due to its robust feature-set, but also ready availability since Revenge can be downloaded for free from a number of underground communities.

Professionals can establish a secure cyber defense against Revenge and similar RATs and secure their corporate or government networks by reverse engineering and studying a threat using malware hunting services like to ANY.RUN.

IOCs

IP addresses
192.169.69.25
18.223.41.243
3.19.3.150
91.233.116.105
193.161.193.99
193.56.28.134
79.134.225.73
199.195.250.222
79.134.225.72
134.19.179.243
182.181.42.53
142.44.161.51
62.4.27.54
115.73.113.18
182.181.34.92
23.105.131.191
39.52.190.238
176.136.148.107
18.216.157.58
141.255.145.109
Hashes
9cddc43815b8d9a7c64e9beb5d411458549fa21052a764cbb861a0e008d8c670
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
7f54fe1d71a7056f4723a96403f32714be345bd5ba71f9209fec1f8244f48350
93614a63addaf1888610c1177f446ae6cc7837c7b34fe678081b49936b840ea3
ae9883f77048520f01114554049d9b02a47c8964c10adf8a7b2bc7e8dd73a886
4e72f1cd898c9a8d2209964ee106f0b658af438fba67d092ccd48ac108845378
e9cd9fa71665f68d34b3c46d633e8409f1607c81efc0f4b9cc7978f964b1a266
45e129f28ebe8bc9274b9cd74d5334614b33efde0dc039bc63b7c6a2c7299ea1
a531e5d2e72d686f8de3fff0d4cc0de91227edc91e96084e3306ca7ebca840cf
cf5ac7af995125673232aa83ebe7834492c0e725299d11877889338f9b2244f5
56fde0361fbe192719b5c36b33f083fa2d62de8ab6fb8ecbd22345852d56327b
1f821f070241ff4b6665b9d90a95f1f8eeab8cc910454b88eb2c3e3717636957
1823465324d74195ab2586e578edf9c402ff9a968561eb25d21fe966dfa5a5e8
f3588b4c6ecc9eaac87bf113ae585ead4d8deafbaeaacf42d7db43e421aba3d1
eb63f9a5ed0159fa38b3fb63c3d2b1e56b5771faca0fa38d1bb02955f8928e9a
e5b3c0b126374f0533b68fe867381a7bfa59d68c82a05170377af24977510b7d
cb9ed4605f53145245e62ff87524cd5f7095f292420af6e925c440b3a75be218
51665c5f5cb80e8344769902f9b78cd972a6f3068b4615f2da7f5647791d8af9
c0878de0c284e2d7fff24672b6bd80d315222bc50a949426401304bd77f56eb7
Domains
majul.com
thuocnam.tk
m-onetrading-jp.com
krupskaya.com
isns.net
duckdns4.duckdns.org
salesxpert.duckdns.org
ipvhosted.duckdns.org
gemalto.duckdns.org
jfcolombia001.duckdns.org
office365update.duckdns.org
kosovo.duckdns.org
codazzixtrem.duckdns.org
mrmarkangel.duckdns.org
anglekeys.duckdns.org
dephantomz.duckdns.org
wiskiriskis1982.duckdns.org
nickdns19.duckdns.org
hicham9risa.duckdns.org
bnow.duckdns.org

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a remote access trojan available as MaaS ( Malware-As-A-Service ). Adwind can collect user and system data, control the webcam of the infected machine, capture screenshots, install and run other malicious programs, log keystrokes, steal web browser passwords and more.
Read More
AgentTesla screenshot
AgentTesla
agenttesla trojan rat stealer
Agent Tesla is a password stealer spyware that has been around since 2014. The malware can be used by attackers to spy on victims, allowing them to see everything that has been typed in supported programs and web-browsers.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult is an information stealer malware that is targeted at stealing credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for the users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is a banking trojan that was spotted in the wild in 2018. Danabot differs from competing Trojans thanks to its robust delivery system and modular design. Since its first appearance, Danabot has obtained high popularity among cybercriminals and became an active threat in multiple regions of the world.
Read More
Dridex screenshot
Dridex
dridex trojan banker
Dridex is one of the most technologically advanced banking trojans currently active. The primary target of this malware is stealing banking credentials from its victims. Dridex has been around since 2014 and has benefited from very consistent updates that helped the malware evolve and become more and more capable.
Read More
Emotet screenshot
Emotet
emotet trojan loader banker
Emotet is an extremely sophisticated and destructive banking Trojan used to download and install other malware. First recorded in 2014, Emotet has gained advanced capabilities over the course of its lifetime. Today Emotet is targeting governments, corporations, small businesses and individuals, focusing on Europe, America, and Canada.
Read More