Revenge

Revenge was one of the most popular remote access trojans to be used in 2019 when it was featured in a huge malicious campaign named “Aggah”. This malware can take remote control of infected machines and spy after the victims.

Type
Trojan
Origin
Unknown
First seen
1 January, 2016
Last seen
22 October, 2021
Global rank
32
Week rank
15
Month rank
21
IOCs
3781

What is Revenge Malware?

Revenge belongs to the class of Remote Access Trojans which means that it is usually used by the attackers to control infected PCs remotely or spy on the users by monitoring keystrokes and even computer surroundings through the remote webcam and microphone access.

Discovered for the first time in 2016, Revenge RAT continues to be a threat at the present day with a big spike in popularity monitored in 2019, when the malware was observed targeting corporations and government structures all around the world in a massive malicious campaign codenamed “Aggah”. Thanks to a large variety of distribution methods similar to ransomware, robust core feature-set, and solid persistence mechanisms, Revenge has become a popular choice for cybercriminals. The popularity of this RAT was further aided by its open-source nature – anybody can freely download Revenge on underground hacking forums and employ it in their own campaigns.

General description of Revenge

The Revenge RAT was first observed in the wild in June 2016, when it was released by a user with a nick Napoleon – an Arabic-speaking member of the underground hacking community.

The initial version of this malware was a simple malicious program that didn’t offer much, if any, code obfuscation and was mainly used by other Arabic-speaking cybercriminals. Despite the simplicity of the malware, at the time, only one out of 54 of VirusTotal scanners could pick up the malicious nature of the Revenge code, which confused the researchers bearing in mind the lack of anti-analysis techniques.

The creator used Visual Basic to develop this RAT and personally admitted that the malware was very bare-bones at the time of its initial release– providing only the most basic functions and definitely losing to competitors in terms of core feature-set. According to Napoleon, this explained why Revenge was available free of charge.

After two months since the initial release, a new version v0.2 was issued by the author, on a more popular hacking forum, this time with more features, but still offered completely free of charge. Since then Revenge has evolved even further and today, it offers cybercriminals a wide range of capabilities including remote files and registry alterations on an infected machine, access to memory, processes, and services as well as access to connected devices such as keyboards, webcams, and mice, allowing this malware to record the actions of its victims and collect information like banking credentials and social account data.

Core malicious feature-set was not the only thing that evolved over the course of the Revenge lifetime. Improvements in distribution and persistence made this threat truly a force to be reckoned with. In some campaigns, scripts were executed in the HTML of a custom Blogspot [com] page.

Revenge malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a look at the execution of this malware as it unfolds and also other malicious programs like ransomware.

process graph of the revenge trojan execution Figure 1: Displays the lifecycle of Revenge in a visual form. A graph generated by ANY.RUN

text report of the revenge analysis Figure 2: Shows a customizable text report generated by the ANY.RUN malware analysis service which allows diving deeper into the details of the Revenge execution process.

Revenge execution process

Sometimes the first steps of Revenge trojan execution may vary depending on how it made its way into a victim's computer. The most common form of initial infiltration vector is by the use of Mshta.exe for downloading the payload or for direct execution from a URL. After the payload is delivered to the infected machine, Mshta.exe changes the autorun value in the registry and starts three processes - cmd.exe, powershell.exe and schtasks.exe. It starts cmd.exe to kill processes from a list, in the given example processes from the Microsoft Office packet were targeted. Powershell.exe is being launched to download the main payload. In turn, schtasks.exe is launched in a way to generate a scheduled task that provides Revenge persistence in the infected system. After all these steps, the malware is ready to complete commands from C2 servers.

How to avoid infection by Revenge?

The best line of defense against threats like Revenge RAT is to keep a security product installed and updated with the latest firmware. One should not disable native Windows security features, regularly update the OS and adhere to the best security practices of staying safe online.

As such, it is advised to stay clear of downloading email attachments from unknown senders and never enabling macros in Microsoft Office if prompted to do so by a file downloaded from a suspicious email.

Distribution of Revenge

Revenge has been seen being distributed in a variety of ways the same as ransomware, some of which are potentially more effective than others. For example, Revenge is known to infect PCs from malicious email attachments and corrupted ads on compromised websites.

Most commonly, once delivered in the Microsoft Office file that was downloaded and launched by the potential victim, Revenge will use macros to connect to an outside domain, sometimes hidden on a web page, from which additional scripts and content are downloaded until the actual malware is installed on the PC.

How to detect Revenge RAT using ANY.RUN?

Analysts can get information about which MITRE ATT&CK™ MATRIX techniques were applied by malware. Just click on the "ATT&CK™ MATRIX " button.

Revenge MITRE ATT&CK MATRIX techniques Figure 3: Revenge MITRE ATT&CK MATRIX techniques

Conclusion

Revenge is no slouch when it comes to Remote Banking Trojans. It has begun its lifespan as a simplistic malware such as ransomware and without anti-analysis features but has evolved to become a capable and persistent trojan used in massive attacks in Europe, North America, Asia, and the Middle East.

The popularity of this malware is not only due to its robust feature-set, but also ready availability since Revenge can be downloaded for free from a number of underground communities.

Professionals can establish a secure cyber defense against Revenge and similar RATs and secure their corporate or government networks by reverse engineering and studying a threat using malware hunting services like to ANY.RUN.

IOCs

IP addresses
3.140.223.7
206.81.28.165
3.22.30.40
3.134.125.175
3.13.191.225
3.142.167.54
3.142.167.4
13.59.15.185
13.59.15.185
3.142.129.56
3.22.53.161
3.138.45.170
52.14.18.129
3.131.207.170
3.129.187.220
3.133.207.110
3.14.182.203
3.141.177.1
3.17.7.232
3.22.15.135
Hashes
0c1a1d86933d48d34e429dae10fcdc17f0fb3db4847944053b8d23e6bd9ad61b
05ba26277038082045e06c102ae5ca998339f20de977c726f06deae857b3408f
2eea0ee0b28132a37033173cc6a5e78dbc95b9f763e4483fdff8736f3012d8fd
3bf2c814ade54ce77c12ad089043709d78281e6b0433fbbd8010663e01a976b8
0b317aa1504219f864f83fe00bc6864eaa51194b33d80be8cefc39cd805fc74b
49110d973b56a251990d93550ed7dcbb209903eef3126cbdab335ad639c7d675
4a0d4104574fd9def7c0fbbb075abc92913d8dde9552a912b3d28977c857661d
7107b2d52f772b28945ce35fe9895ea9746bf0deceee4a48c6ca6733d657d7b1
0ad6ac6d96d78f4364d3e5898a7e61130ae9364a4ea55559c03d982533bb0b2c
540cf8c1f7f6737d534313daaa16a1edac8379b40e7451f98c68bbb1a00f5345
15315b11c369c08394d1d04bfa4eadef61e7a173b439fb428cc401c917ce1e82
1b6675946ad4a50327eb3cdd36420c85f93f913db46e87fa4eeb10236f91b83a
985f9440d76d919b1a35d1c4ffbe75f552aee001cfa7ca8a14f49c735d3aa644
9485acfdb8466b0603109f184258e71622627b2557bad735f3f218107f32bf9a
e59fa5adfc2aa2c92d7e89bd6b4506efa1ecdb8a271bda16ba4cc0f223bbf368
d49672b626d841276a1613d3528756843057731d7d962bb723f39635da2713d3
1f87283c6d788b0caf8aac0d1cddfece3fabe7f09570e72cbaeefe0f473549df
43e683fcf9bae6ddedb17a1a53f9aa93fe7f85685084a7087ef3166acbe5e447
10d1b8f07e62a61b186d5f0d2a2deb77898c5859837748f9b59edb68a2f77961
aab9775564551baffabef1fb839d808bde41b334da3c9408db11933a04309763
Domains
payrollph.com
0f70-34-121-202-111.ngrok.io
221a-34-134-220-19.ngrok.io
95cdad33e9f4.ngrok.io
bbab-95-104-194-197.ngrok.io
c316-193-152-126-98.ngrok.io
8ea1042a1912.ngrok.io
e0fb-34-121-202-111.ngrok.io
93809e70c1fa.ngrok.io
d61a2ce46962.ngrok.io
2d9076b51d13.ngrok.io
38ff38756820.ngrok.io
8ef628b4602c.ngrok.io
ebc79a7f69ed.ngrok.io
4b55d5175066.ngrok.io
658cdf142e87.ngrok.io
cf8b04045d7a.ngrok.io
3a47ff971faf.ngrok.io
30fdb4c296af.ngrok.io
192913f09fa8.ngrok.io

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More