Revenge RAT

Revenge RAT is a freely available remote access tool written in .NET (C#).[1][2]

ID: S0379
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 02 May 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

Revenge RAT has a plugin for microphone interception.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Revenge RAT creates a Registry key at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Revenge RAT uses the PowerShell command Reflection.Assembly to load itself into memory to aid in execution.[2]

.003 Command and Scripting Interpreter: Windows Command Shell

Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Revenge RAT uses Base64 to encode information sent to the C2 server.[1]

Enterprise T1202 Indirect Command Execution

Revenge RAT uses the Forfiles utility to execute commands on the system.[2]

Enterprise T1105 Ingress Tool Transfer

Revenge RAT has the ability to upload and download files.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Revenge RAT has a plugin for keylogging.[1][2]

Enterprise T1003 OS Credential Dumping

Revenge RAT has a plugin for credential harvesting.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Revenge RAT has a plugin to perform RDP access.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Revenge RAT schedules tasks to run malicious scripts at different intervals.[2]

Enterprise T1113 Screen Capture

Revenge RAT has a plugin for screen capture.[1]

Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

Revenge RAT uses mshta.exe to run malicious scripts on the system.[2]

Enterprise T1082 System Information Discovery

Revenge RAT collects the CPU information, OS information, and system language.[1]

Enterprise T1016 System Network Configuration Discovery

Revenge RAT collects the IP address and MAC address from the system.[1]

Enterprise T1033 System Owner/User Discovery

Revenge RAT gathers the username from the system.[1]

Enterprise T1125 Video Capture

Revenge RAT has the ability to access the webcam.[1][2]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Revenge RAT used blogpost.com as its primary command and control server during a campaign.[2]

Groups That Use This Software

ID Name References
G0089 The White Company

[1]

References