ATT&CK v16 has been released! Check out the blog post for more information.

Revenge RAT

Revenge RAT is a freely available remote access tool written in .NET (C#).^[1]^[2]

ID: S0379

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 02 May 2019

Last Modified: 02 October 2023

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1123		Audio Capture	Revenge RAT has a plugin for microphone interception.^[1]^[2]
Enterprise	T1547	.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	Revenge RAT creates a Registry key at `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell` to survive a system reboot.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Revenge RAT uses the PowerShell command `Reflection.Assembly` to load itself into memory to aid in execution.^[2]
		.003	Command and Scripting Interpreter: Windows Command Shell	Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.^[2]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	Revenge RAT uses Base64 to encode information sent to the C2 server.^[1]
Enterprise	T1202		Indirect Command Execution	Revenge RAT uses the Forfiles utility to execute commands on the system.^[2]
Enterprise	T1105		Ingress Tool Transfer	Revenge RAT has the ability to upload and download files.^[1]
Enterprise	T1056	.001	Input Capture: Keylogging	Revenge RAT has a plugin for keylogging.^[1]^[2]
Enterprise	T1003		OS Credential Dumping	Revenge RAT has a plugin for credential harvesting.^[1]
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	Revenge RAT has a plugin to perform RDP access.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Revenge RAT schedules tasks to run malicious scripts at different intervals.^[2]
Enterprise	T1113		Screen Capture	Revenge RAT has a plugin for screen capture.^[1]
Enterprise	T1218	.005	System Binary Proxy Execution: Mshta	Revenge RAT uses mshta.exe to run malicious scripts on the system.^[2]
Enterprise	T1082		System Information Discovery	Revenge RAT collects the CPU information, OS information, and system language.^[1]
Enterprise	T1016		System Network Configuration Discovery	Revenge RAT collects the IP address and MAC address from the system.^[1]
Enterprise	T1033		System Owner/User Discovery	Revenge RAT gathers the username from the system.^[1]
Enterprise	T1125		Video Capture	Revenge RAT has the ability to access the webcam.^[1]^[2]
Enterprise	T1102	.002	Web Service: Bidirectional Communication	Revenge RAT used blogpost.com as its primary command and control server during a campaign.^[2]

Groups That Use This Software

ID	Name	References
G1018	TA2541	^[3]
G0089	The White Company	^[1]

References

Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.

Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.