Fileless Revenge RAT Malware – ASEC BLOG

ASEC reports Revenge RAT malware distributed alongside legitimate tools: the dropper runs a trusted application so the victim sees expected behaviour while a malicious file is installed and persisted in the background. The chain uses hidden files, cmstp.exe as a signed proxy for execution, Windows Defender exclusions added via PowerShell, and a fileless, memory-resident RAT that exfiltrates data to a C2 staged behind pages disguised as blogs. Hashtags: #RevengeRAT #CMSTPEvasion #AhnLabASEC #smtpverifier #EmailToSms

Keypoints

  • The attackers bundle the malware with legitimate tools such as smtp-validator and Email To Sms: the dropper creates and runs both the legitimate tool and a malicious file, so the user sees the expected program start.
  • Setup.exe creates svchost.exe in a hidden folder, runs it, and registers it for autorun in the registry under the value name "Microsoft Corporation Security".
  • svchost.exe connects to a C2 disguised as a blog, downloads an HTML page, reads the Base64 data hidden in an HTML comment, decodes and decompresses it, and launches the resulting malware.
  • If the primary C2 URL is blocked, a secondary C2 URL is used; both are disguised as ordinary blog pages.
  • The downloaded explorer.exe launches version.exe through cmstp.exe, a signed Windows binary, so the execution appears to come from a trusted system program (T1218.003, CMSTP defense evasion) and antivirus detection is bypassed.
  • Version.exe registers the files used in the attack as Windows Defender exclusions with a PowerShell command, letting the subsequent stages run without being scanned.
  • Revenge RAT is loaded directly into memory without being written to disk; it collects system information, screen captures, keylogging data and other information and sends it to the C2 Base64-encoded.
  • IOC details include ten MD5 hashes for the samples, the C2 address (qcpanel.hackcrack[.]io:9561), and the blog pages disguised as ordinary posts that serve as the delivery vector.
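The staging step in the third key point (payload hidden in an HTML comment, Base64-decoded, decompressed), as an added example that is not code from the ASEC article or from the malware: a small extractor that pulls such a blob out of a saved page. The comment delimiters (`<!--` and `-->`) and the compression format (gzip, zlib or raw deflate; the article only says "decompresses") are this example's assumptions, and the page it parses is constructed inline.

```python
"""Extract a payload staged inside an HTML comment, Base64-decode and decompress it.

Added example, not code from the ASEC article.  Assumptions: the staged data sits
between <!-- and --> markers; the compression is gzip, zlib or raw deflate (the
article does not name the format); the page used below is constructed.
"""
from __future__ import annotations

import base64
import gzip
import re
import zlib

COMMENT_RE = re.compile(r"<!--\s*(.*?)\s*-->", re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_comment_blobs(html: str) -> list[str]:
    """Return every HTML comment body that looks like a Base64 blob (long, valid alphabet)."""
    blobs = []
    for body in COMMENT_RE.findall(html):
        compact = re.sub(r"\s+", "", body)      # blobs may be wrapped across lines
        if len(compact) >= 32 and B64_RE.fullmatch(compact):
            blobs.append(compact)
    return blobs


def decompress_any(data: bytes) -> bytes:
    """Try gzip, then zlib, then raw deflate; raise if none of them fits."""
    if data[:2] == b"\x1f\x8b":                 # gzip magic
        return gzip.decompress(data)
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):   # zlib-wrapped, then raw deflate
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("blob is not gzip/zlib/deflate compressed")


def recover_payloads(html: str) -> list[bytes]:
    """Decode and decompress every candidate blob found in the page."""
    out = []
    for blob in extract_comment_blobs(html):
        raw = base64.b64decode(blob, validate=True)
        out.append(decompress_any(raw))
    return out


def build_sample_page(payload: bytes) -> str:
    """Constructed blog-like page with the payload hidden in a comment (test input only)."""
    blob = base64.b64encode(gzip.compress(payload)).decode()
    return (
        "<html><body><h1>Daily notes</h1><p>Nothing to see here.</p>\n"
        "<!-- analytics -->\n"                # short benign comment, must be ignored
        f"<!--\n{blob}\n-->\n"
        "</body></html>"
    )


if __name__ == "__main__":
    # Placeholder bytes standing in for a PE stage; not a real sample.
    page = build_sample_page(b"MZ" + b"\x90" * 64 + b"stage2-placeholder")
    for stage in recover_payloads(page):
        print(f"recovered {len(stage)} bytes, starts with {stage[:2]!r}")
```

When run against a page saved from the disguised blog, the recovered bytes are what the loader executes in memory, so the output is the artefact to hash and submit to sandbox analysis; the Base64 alphabet check keeps normal comments out of the result.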

MITRE Techniques

  • [T1547.001] Boot or Logon Autostart Execution – The malware registers svchost.exe in the registry for autorun (Value Name: Microsoft Corporation Security) – “Registers the generated svchost.exe into the registry for autorun (Value Name: Microsoft Corporation Security)”
  • [T1564.001] Hide Artifacts – The created file’s property changes to ‘Hidden’ and the file becomes hidden from typical Windows Explorer environments – “The created file’s property changes to ‘Hidden’ and the file becomes hidden from typical Windows Explorer environments.”
  • [T1071.001] Web Protocols – svchost.exe connects to a C2 URL and downloads the HTML file – “Connects to C2 (hxxps://***********[.]blogspot.com) and downloads the HTML file”
  • [T1027] Obfuscated/Compressed Files and Information – The threat actor reads Base64 data placed inside an HTML comment, decodes it, decompresses it, and generates additional malware from the result – “The threat actor reads the value between [the HTML comment delimiters] written inside the HTML file, performs Base64-decoding, decompresses it, and generates additional malware.”
  • [T1218.003] System Binary Proxy Execution – cmstp.exe is a signed Windows program that installs connection-manager profiles from a .inf file; a crafted .inf can make it run an attacker's command, so the malicious launch is attributed to a trusted binary – “CMSTP Evasion, a technique of running a malicious file as a basic Windows program (cmstp.exe) to bypass antivirus detection.”
  • [T1562.001] Impair Defenses – Defender exclusions via PowerShell to bypass security tools – “Registers the files used in the attack as an exception on Windows Defender using the PowerShell command”
  • [T1082] System Information Discovery – Revenge RAT collects OS, CPU, drive capacity and other system information – “The types of user data stolen are shown below: 1. PC and user name 2. System information such as the OS, CPU, and drive capacity”
  • [T1113] Screen Capture – Included in the stolen data and RAT capabilities – “the collection of system information, screen capture, keylogging, additional malware download, and script execution.”
  • [T1056.001] Keylogging – Part of the RAT capabilities described in data collection – “screen capture, keylogging, …”
  • [T1041] Exfiltration Over C2 Channel – Data is sent to the C2 in Base64-encoded form – “sends it to C2 (qcpanel.hackcrack[.]io:9561) in a Base64-encoded format.”
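Detection logic for the host-side steps in the list above (the autorun value of T1547.001, the cmstp.exe proxy of T1218.003, the Defender exclusion of T1562.001, and the svchost.exe copy running outside System32), as an added example rather than anything from the article: a rule set run over constructed Sysmon-style process and registry events. The event field names (type, image, cmdline, target, data) are this example's own assumptions, and the sample events are built from the filenames and Run value name reported on the page; the Add-MpPreference cmdlet is the standard PowerShell way to add a Defender exclusion, and is an assumption about what the attack's PowerShell command looked like.

```python
"""Rules for the host-side steps of the Revenge RAT chain, over constructed events.

Added example, not from the ASEC article.  Events are dicts in a Sysmon-like
shape; the field names are assumptions of this example.
"""
from __future__ import annotations

import re

# Paths an unprivileged user can write to (assumed list, extend for your estate).
USER_WRITABLE = re.compile(r"^(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)
RUN_KEYS = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(?:system32|syswow64)\\", re.I)
INF_ARG = re.compile(r"(\S+\.inf)\b", re.I)
MP_EXCLUSION = re.compile(r"add-mppreference\s+-exclusion(?:path|process|extension)", re.I)
KNOWN_RUN_VALUE = "microsoft corporation security"      # value name reported by ASEC


def check_event(ev: dict) -> list[str]:
    """Return the rule names that fire on one event (empty list = nothing suspicious)."""
    hits: list[str] = []
    if ev.get("type") == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        # T1218.003: cmstp.exe installing a profile from an .inf in a user-writable path
        if image.endswith("\\cmstp.exe"):
            m = INF_ARG.search(cmd)
            if m and USER_WRITABLE.match(m.group(1).strip('"')):
                hits.append("T1218.003 cmstp.exe with user-writable .inf")
        # T1562.001: Defender exclusion added from PowerShell
        if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and MP_EXCLUSION.search(cmd):
            hits.append("T1562.001 Defender exclusion via Add-MpPreference")
        # A file named svchost.exe running from anywhere but System32/SysWOW64
        if image.endswith("\\svchost.exe") and not SYSTEM_DIRS.match(image):
            hits.append("masquerading svchost.exe outside System32")
    elif ev.get("type") == "registry":
        target = ev.get("target", "")
        if RUN_KEYS.search(target):
            value_name = target.rsplit("\\", 1)[-1].lower()
            if value_name == KNOWN_RUN_VALUE:
                hits.append("T1547.001 Run value 'Microsoft Corporation Security' (known IOC)")
            elif USER_WRITABLE.match(ev.get("data", "").strip('"')):
                hits.append("T1547.001 Run value pointing to a user-writable path")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample events: four from the chain described above, two benign controls.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\svc\svchost.exe",
     "cmdline": "svchost.exe"},
    {"type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security",
     "data": r"C:\Users\u\AppData\Local\Temp\svc\svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s /ni C:\Users\u\AppData\Local\Temp\g1rfp0hb.inf"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\u\AppData\Local\Temp'"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The Run-value rule fires on the exact value name from the report and, separately, on any Run value whose data points into a user-writable path, so it keeps working when the name changes; the cmstp.exe rule keys on where the .inf lives rather than on command-line flags, which an operator can vary freely.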

Indicators of Compromise

  • [MD5] file hashes for the samples – 42779ab18cf6367e7b91e621646237d1, fb34fe9591ea3074f048feb5b515eb61, and eight others (ten MD5 values in total are listed in the article)
  • [C2] qcpanel.hackcrack[.]io:9561 – Revenge RAT C2 server
  • [C2] hxxp://**********.***********[.]com/2023/explorer.txt – alternate C2 URL
  • [FileName] smtp-verifier.exe, Email To Sms V8.1.exe, setup.exe, svchost.exe, explorer.exe, version.exe, g1rfp0hb.inf – files used in the attack; the final stage, described as Fileless RevengeRAT, runs in memory only
  • [URL] blog pages disguised as ordinary posts used for C2 (hxxps://***********[.]blogspot.com), with the next-stage payload embedded in an HTML comment

Read more: https://asec.ahnlab.com/en/61584/