REVENANT describes a five-stage, fileless attack methodology that persists across endpoints, application UI resources, clipboard history, AI model context, and telemetry channels to evade traditional detection. The research demonstrates how font downloads, clipboard sequences, localization tampering, AI prompt poisoning, and crash-report exfiltration can be chained to achieve stealthy persistence and covert data transfer. #REVENANT #Tesseract
Keypoints
- REVENANT is a five-stage, execution-less kill chain using non-traditional carriers: fonts, clipboard history, localization files, AI embeddings, and crash telemetry.
- Stage 1 (Font Rebirth) abuses automatic font fetching to create stealth beacons and seed in-memory keys via font metadata.
- Stage 2 (Clipboard Ring) assembles payload fragments from clipboard history entirely in RAM, avoiding disk and network artifacts.
- Stage 3 (Locale Cascade Trigger) modifies localization resources to cause trusted applications to launch signed helpers under normal user actions.
- Stage 4 (AI Hallucination Bomb) poisons indexed documentation to manipulate AI assistants and SOC workflows, causing mis-triage and blind spots.
- Stage 5 (Crash Sigil & Telemetry Echo / Tesseract C2) embeds exfiltration data in crash reports sent to whitelisted vendor telemetry endpoints.
- Detection requires correlating subtle signals across telemetry streams, UI resource integrity, clipboard anomalies, and AI model inputs rather than relying on file-based indicators.
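One concrete file-based check that follows from Stage 1: the summary names `fontTable.xml.rels` as the part that can point Word at a remote WOFF/OTF resource. The scanner below is an added example, not code from the REVENANT research; it opens a .docx as the ZIP package it is, reads every `.rels` part and reports relationships whose target is remote (`TargetMode="External"` or an http(s) URL), flagging those that are font relationships. Ordinary hyperlinks are also External relationships, so the result distinguishes "remote font" from "external links only". The relationship Type URIs are the standard OOXML ones; the sample package, its hostnames and `rev.woff2` URL are constructed here for the test and are not real indicators.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlparse

# OOXML package relationship namespace and the two relationship types we care about.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_FONT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/font"
REL_HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
REL_OFFICE_DOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"
REL_FONT_TABLE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable"


def remote_relationships(docx_bytes: bytes) -> List[Dict]:
    """List every relationship in any .rels part whose Target is outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                external = (rel.get("TargetMode") == "External"
                            or urlparse(target).scheme.lower() in ("http", "https"))
                if not external:
                    continue
                rtype = rel.get("Type", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rtype.rsplit("/", 1)[-1],
                    "target": target,
                    # A font relationship, or anything living in the font table's rels part.
                    "font": rtype == REL_FONT or "/fontTable" in name,
                })
    return findings


def triage(docx_bytes: bytes) -> str:
    """Collapse findings into a verdict: remote fonts are the Stage 1 beacon pattern."""
    hits = remote_relationships(docx_bytes)
    if any(h["font"] for h in hits):
        return "REMOTE_FONT"
    if hits:
        return "EXTERNAL_LINKS_ONLY"   # hyperlinks etc.; normal for many documents
    return "CLEAN"


def build_sample_docx(remote_font_url: Optional[str] = None) -> bytes:
    """Constructed minimal package for testing; only the .rels parts matter to the scanner."""
    def rels(body: str) -> str:
        return ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                + body + '</Relationships>')

    font_rels = '<Relationship Id="rId1" Type="%s" Target="fonts/font1.odttf"/>' % REL_FONT
    if remote_font_url:   # the suspicious case: a font relationship pointing off-package
        font_rels += ('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                      % (REL_FONT, remote_font_url))
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": rels('<Relationship Id="rId1" Type="%s" Target="word/document.xml"/>' % REL_OFFICE_DOC),
        "word/document.xml": '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/_rels/document.xml.rels": rels(
            '<Relationship Id="rId1" Type="%s" Target="fontTable.xml"/>' % REL_FONT_TABLE
            + '<Relationship Id="rId2" Type="%s" Target="https://intranet.example.invalid/policy" TargetMode="External"/>' % REL_HYPERLINK),
        "word/fontTable.xml": '<?xml version="1.0"?><w:fonts xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/_rels/fontTable.xml.rels": rels(font_rels),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docx()))
    print(triage(build_sample_docx("https://cdn.example.invalid/rev.woff2")))
```

Run it against mail-gateway or sandbox samples before the document reaches a user; a `REMOTE_FONT` verdict is a strong, cheap signal because legitimate documents embed fonts inside the package rather than referencing them over HTTP, whereas `EXTERNAL_LINKS_ONLY` alone is too common to act on.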
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – used as an initial delivery vector for documents that trigger font fetches and seed subsequent stages. Quote: ‘The finance-team employee receives a seemingly innocuous attachment, Updated Supplier Payment Form.docx.’
- [T1204.002] User Execution: Malicious File – user opening documents causes automatic font retrieval and in-memory helper loading. Quote: ‘When Word encounters the glyph, it quietly retrieves the font… and loads only in process memory when the document is opened.’
- [T1505] Server Software Component – compromise of distribution/update servers supplies altered localization files during vendor updates. Quote: ‘an attacker compromises a distribution point for these localisation files — for example, during a vendor update or via a compromised shared repository.’
- [T1134] Access Token Manipulation – implied through leveraging trusted application contexts and signed helpers launched via altered UI labels. Quote: ‘the application instead launches a signed helper binary or script under its own trusted execution context.’
- [T1027] Obfuscated/Compressed Files and Information – payloads and keys are hidden within font metadata and encoded clipboard fragments to evade detection. Quote: ‘deliver further logic hidden within the font’s metadata… creates a one-time 128-bit lab key (Key-α) before self-clearing from memory.’
- [T1036.005] Masquerading: Match Legitimate Name or Location – localization string changes preserve icon, position, and shortcuts to appear legitimate. Quote: ‘The change is visually indistinguishable to casual inspection…’
- [T1562.006] Impair Defenses: Modify Tooling – altering AI assistant inputs and localization to circumvent or subvert defensive tools and workflows. Quote: ‘manipulates the AI’s decision-making pipeline — turning an automated analyst into an unwitting accomplice.’
- [T1070] Indicator Removal on Host – stages minimize disk artifacts by using volatile clipboard and in-memory helpers, reducing host indicators. Quote: ‘The entire exchange is volatile, no persistent file is dropped…’
- [T1552.001] Unsecured Credentials: In Files – clipboard and memory-reconstructed secrets can include credentials or keys harvested from the environment. Quote: ‘reconstructed secret can unlock an encrypted payload seeded earlier in the chain.’
- [T1082] System Information Discovery – font beacons fingerprint hosts (IP, User-Agent, application build) when fetching remote fonts. Quote: ‘Fingerprints the host (IP address, User-Agent, application build).’
- [T1016] System Network Configuration Discovery – outbound font/DNS requests reveal network context used for further staging. Quote: ‘creates an outbound HTTP or DNS request that… confirms genuine human interaction.’
- [T1115] Clipboard Data – explicit use of OS clipboard history to transfer payload fragments and secrets in memory. Quote: ‘multiple benign-looking fragment strings… stored by the OS clipboard manager… reconstructs a hidden command… entirely in RAM.’
- [T1071.001] Application Layer Protocol: Web Protocols – font fetch and telemetry uploads use HTTP/HTTPS as covert beacons and exfil channels. Quote: ‘The moment the content is displayed, the OS fetches the font, creating an outbound HTTP… request.’
- [T1071.004] Application Layer Protocol: DNS – DNS requests for font resources serve as low-noise beacons. Quote: ‘creating an outbound HTTP or DNS request…’
- [T1105] Ingress Tool Transfer – remote font and helper artifacts delivered from attacker-controlled servers to seed in-memory components. Quote: ‘points to a remote WOFF/OTF font resource under attacker control.’
- [T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol – crash reports and telemetry to vendor endpoints carry embedded exfiltration data. Quote: ‘The OS automatically packages the dump and sends it to a legitimate telemetry endpoint…’
- [T1567.002] Exfiltration to Cloud Storage – using vendor telemetry/cloud endpoints to receive crash-report payloads and logs. Quote: ‘Windows Error Reporting (WER) packages the dump and attempts to send it via HTTPS to watson.microsoft.com.’
- [T1565.003] Data Manipulation: Transmitted Data Manipulation – embedding attacker-chosen data into crash dump headers and telemetry fields for covert signaling. Quote: ‘The crash dump or error report contains attacker-chosen data such as hostnames, environment variables, or cryptographic keys embedded in error strings or metadata fields.’
Indicators of Compromise
- [Domain] font fetch and telemetry endpoints – rev.woff2 (lab C2 mock), watson.microsoft.com (telemetry capture).
- [File Name] document and resource names used in delivery – Updated Supplier Payment Form.docx, fontTable.xml.rels, open_file_demo.ps1.
- [Event ID] clipboard/logging context – Event ID 40101 (“Clipboard activity detected”).
- [File Extension/Resource] font resources and localization files – .woff2/.otf/.ttf font fetches, localization JSON/.po/.mo altered resources.
- [Key Material] in-memory/generated keys – Key-α and Key-β referenced as one-time 128-bit and telemetry-embedded keys (lab examples; no real keys provided).
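The indicators above are weak on their own: a WER upload to watson.microsoft.com is routine, a clipboard event is routine, and a single font fetch is common. What the summary's detection keypoint calls for is correlation across telemetry streams. The correlator below is an added example, not part of the REVENANT research; it parses three constructed log formats (a web-proxy line, a Windows event-log line carrying Event ID 40101, and a WER upload line), classifies each line as a font fetch, a clipboard-history event or a vendor-telemetry upload, and raises an alert only when two or more distinct stages occur on the same host inside a time window. The hostnames, timestamps and line layouts are constructed for the test; adapt `parse_line` to whatever your SIEM actually emits.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Signals drawn from the IoC list above; the line formats below are constructed.
FONT_EXT = (".woff2", ".woff", ".otf", ".ttf")
TELEMETRY_HOSTS = ("watson.microsoft.com",)
CLIPBOARD_EVENT_ID = "40101"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict:
    """'<iso-ts> <source> k=v k="v v" ...' into a dict; quoted values are unwrapped."""
    ts_str, source, rest = line.strip().split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    fields["source"] = source
    return fields


def classify(ev: Dict) -> Optional[str]:
    """Map one event to a REVENANT stage signal, or None if it is unrelated."""
    if ev["source"] == "proxy":
        path = ev.get("url", "").lower().split("?", 1)[0]
        if path.endswith(FONT_EXT):
            return "font_fetch"           # Stage 1 beacon candidate
    elif ev["source"] == "eventlog" and ev.get("event_id") == CLIPBOARD_EVENT_ID:
        return "clipboard"                # Stage 2 clipboard-history activity
    elif ev["source"] == "wer" and ev.get("dst", "").endswith(TELEMETRY_HOSTS):
        return "telemetry_upload"         # Stage 5 crash-report channel
    return None


def correlate(lines: List[str], window: timedelta = timedelta(hours=1),
              min_stages: int = 2) -> Dict[str, List[str]]:
    """Return {host: sorted stage names} for hosts showing >= min_stages distinct
    stage signals within any single window; single-signal hosts are dropped as noise."""
    per_host: Dict[str, List] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        stage = classify(ev)
        if stage:
            per_host.setdefault(ev["host"], []).append((ev["ts"], stage))

    alerts = {}
    for host, evs in per_host.items():
        evs.sort()
        best = set()
        # Slide the window forward from each event and keep the richest stage set.
        for i, (t0, _) in enumerate(evs):
            stages = {s for t, s in evs[i:] if t - t0 <= window}
            if len(stages) > len(best):
                best = stages
        if len(best) >= min_stages:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample: FIN-WS-07 shows all three signals within ~30 minutes,
# FIN-WS-12 has two signals hours apart (outside the window), HR-WS-03 only a routine upload.
SAMPLE_LOG = """
2024-05-02T09:14:03Z proxy host=FIN-WS-07 method=GET url=https://cdn.example.invalid/rev.woff2 status=200 bytes=18234 ua="Microsoft Office/16.0"
2024-05-02T09:21:40Z eventlog host=FIN-WS-07 event_id=40101 msg="Clipboard activity detected" entries=7
2024-05-02T09:40:12Z wer host=FIN-WS-07 dst=watson.microsoft.com app=WINWORD.EXE bytes=1048576
2024-05-02T08:02:11Z proxy host=FIN-WS-12 method=GET url=https://fonts.example.invalid/ui.woff2 status=200 bytes=40211 ua="Mozilla/5.0"
2024-05-02T15:30:00Z eventlog host=FIN-WS-12 event_id=40101 msg="Clipboard activity detected" entries=2
2024-05-02T11:05:09Z wer host=HR-WS-03 dst=watson.microsoft.com app=EXCEL.EXE bytes=65536
2024-05-02T11:06:00Z eventlog host=HR-WS-03 event_id=4624 msg="An account was successfully logged on"
"""


def run_sample() -> Dict[str, List[str]]:
    return correlate(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for host, stages in run_sample().items():
        print(host, "->", ", ".join(stages))
```

The window and `min_stages` are the tuning knobs: a one-hour window with two stages is a reasonable starting point for a hunt query, and requiring all three stages (`min_stages=3`) turns the same function into a high-confidence alert. Because WER uploads and clipboard events are benign on their own, suppressing single-signal hosts is what keeps this usable in a SOC queue.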