Revenge RAT: Unveiling a Tool-Abusing, Fileless Attack
AhnLab Security Intelligence Center (ASEC) recently reported a Revenge RAT campaign that abuses legitimate tools such as ‘smtp-validator’ and ‘Email to SMS’. Because the genuine tool runs as expected, an ordinary user has little reason to suspect that anything else was installed alongside it.
The infection chain mixes legitimate and malicious files so that the malicious components blend in with the software the user intended to run.
Upon execution, Revenge RAT creates several files (Setup.exe, svchost.exe, explorer.exe, version.exe), each of which carries out one stage of the infection.
Two of these names, svchost.exe and explorer.exe, belong to core Windows processes, so a dropped copy running from an unexpected directory is easy to overlook in a process list. By creating and running files with such innocuous names and attributes, and by hiding its activity inside legitimate processes, the malware keeps operating on the infected system without drawing attention.
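The file names above suggest one simple hunt: a process whose image name matches a Windows system binary but whose on-disk location is not where that binary lives. The following is an added example for this write-up, not code from ASEC's report or from the malware; the process records are constructed, and the table of legitimate directories assumes a default Windows install on drive C:.

```python
"""Flag processes that borrow the name of a Windows system binary but run from
a directory where that binary does not legitimately live.

Added illustration for this article; not ASEC's code and not from the sample.
The process records below are constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Legitimate locations of the genuine binaries (lower-case, no trailing slash).
# Assumption: default install on C:. svchost.exe is valid in System32 and
# SysWOW64; explorer.exe is valid only directly under \Windows.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}


def normalize_dir(image_path: str) -> str:
    """Return the lower-cased parent directory of a Windows image path.
    Forward slashes are accepted because some log sources emit them."""
    p = PureWindowsPath(image_path.replace("/", "\\"))
    return str(p.parent).lower().rstrip("\\")


def is_masquerading(image_path: str) -> bool:
    """True when the file name is a protected system binary name but the
    directory is not one of that binary's legitimate locations."""
    name = PureWindowsPath(image_path.replace("/", "\\")).name.lower()
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return False  # not a name this rule protects (e.g. Setup.exe)
    return normalize_dir(image_path) not in expected


# Constructed sample: (pid, image path, parent image path).
SAMPLE_PROCESSES = [
    (812, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    (4120, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    (5208, r"C:\Users\victim\Downloads\Setup.exe", r"C:\Windows\explorer.exe"),
    (5344, r"C:\Users\victim\AppData\Local\Temp\svchost.exe",
     r"C:\Users\victim\Downloads\Setup.exe"),
    (5390, r"C:\Users\victim\AppData\Local\Temp\explorer.exe",
     r"C:\Users\victim\AppData\Local\Temp\svchost.exe"),
]


def find_masquerades(processes):
    """Return (pid, image, parent) for every process the rule flags.
    The parent is kept because it shows what launched the impostor."""
    return [(pid, img, parent) for pid, img, parent in processes
            if is_masquerading(img)]


if __name__ == "__main__":
    for pid, img, parent in find_masquerades(SAMPLE_PROCESSES):
        print(f"ALERT pid={pid} image={img} parent={parent}")
```

The rule is deliberately narrow: it catches only the two names that collide with Windows processes, so Setup.exe and version.exe pass through untouched, and a sample that overwrote the genuine path would not be caught. In practice it belongs next to a signature or hash check on the image, and the parent column is what ties the impostor back to the installer that dropped it.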
Revenge RAT depends on its connection to its Command and Control (C2) servers, which it hides behind what look like ordinary, harmless online services. Because it can switch to a different channel when one is cut off, blocking a single address or domain is not enough to contain it.
Once running, the payload operates in memory rather than from files on disk, and collects and exfiltrates the following:
- PC and user name
- System information such as the OS, CPU, and drive capacity
- Information about the parent process that launched it (Revenge RAT)
- IP address and region information
- Names of anti-virus and firewall products in use
Users and organizations should treat bundled installers of otherwise legitimate utilities with suspicion, obtain tools from the vendor’s official site, and verify downloads before running them. Since the malware lives in memory and borrows the names of system processes, defenders should also watch for well-known process names running from unexpected locations rather than relying on file-based detection alone.