Revenge RAT

Revenge RAT is a freely available remote access tool written in .NET (C#).[1][2]

ID: S0379
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

Revenge RAT has a plugin for microphone interception.[1][2]

Enterprise T1059 Command-Line Interface

Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.[2]

Enterprise T1003 Credential Dumping

Revenge RAT has a plugin for credential harvesting.[1]

Enterprise T1132 Data Encoding

Revenge RAT uses Base64 to encode information sent to the C2 server.[1]

Enterprise T1202 Indirect Command Execution

Revenge RAT uses the Forfiles utility to execute commands on the system.[2]

Enterprise T1056 Input Capture

Revenge RAT has a plugin for keylogging.[1][2]

Enterprise T1170 Mshta

Revenge RAT uses mshta.exe to run malicious scripts on the system.[2]

Enterprise T1086 PowerShell

Revenge RAT uses PowerShell's Reflection.Assembly (.NET) class to load itself directly into memory, aiding execution.[2]

Enterprise T1060 Registry Run Keys / Startup Folder

Revenge RAT sets the Registry value HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot.[1]

Enterprise T1076 Remote Desktop Protocol

Revenge RAT has a plugin to perform RDP access.[1]

Enterprise T1105 Remote File Copy

Revenge RAT has the ability to upload and download files.[1]

Enterprise T1053 Scheduled Task

Revenge RAT schedules tasks to run malicious scripts at different intervals.[2]

Enterprise T1113 Screen Capture

Revenge RAT has a plugin for screen capture.[1]

Enterprise T1064 Scripting

Revenge RAT executes scripts on the victim's machine.[1][2]

Enterprise T1082 System Information Discovery

Revenge RAT collects the CPU information, OS information, and system language.[1]

Enterprise T1016 System Network Configuration Discovery

Revenge RAT collects the IP address and MAC address from the system.[1]

Enterprise T1033 System Owner/User Discovery

Revenge RAT gathers the username from the system.[1]

Enterprise T1065 Uncommonly Used Port

Revenge RAT has communicated over TCP port 3333.[1]

Enterprise T1125 Video Capture

Revenge RAT has the ability to access the webcam.[1][2]

Enterprise T1102 Web Service

Revenge RAT used blogpost.com as its primary command and control server during a campaign.[2]
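As an added defensive example that is not part of the ATT&CK entry: a small triage pass over constructed Sysmon-style event records for three behaviours in the table above (the Winlogon Shell persistence value, mshta.exe/forfiles.exe execution, and TCP port 3333). Field names follow Sysmon's, but the records are simplified dicts; the file names and IP address are placeholders.

```python
# Constructed Sysmon-style events as plain dicts (simplified, not real telemetry).
WINLOGON_SHELL = r"hkcu\software\microsoft\windows nt\currentversion\winlogon\shell"
LOLBINS = {"mshta.exe": "T1170", "forfiles.exe": "T1202"}  # rows from the table above
RAT_PORT = 3333  # TCP port reported for Revenge RAT C2 on this page

def check_registry(ev):
    """T1060: Winlogon Shell value set to anything other than the default explorer.exe."""
    target = ev.get("TargetObject", "").lower().replace("hkey_current_user", "hkcu")
    value = ev.get("Details", "").strip()
    if target == WINLOGON_SHELL and value.lower() != "explorer.exe":
        return ("T1060", f"Winlogon Shell set to {value!r}")
    return None

def check_process(ev):
    """T1170/T1202: mshta.exe or forfiles.exe started (LOLBin use listed above)."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in LOLBINS:
        return (LOLBINS[image], f"{image} spawned by {ev.get('ParentImage', '?')}")
    return None

def check_network(ev):
    """T1065: outbound TCP connection to the uncommon port 3333."""
    if ev.get("Protocol", "").lower() == "tcp" and ev.get("DestinationPort") == RAT_PORT:
        return ("T1065", f"{ev.get('Image')} -> {ev.get('DestinationIp')}:{RAT_PORT}")
    return None

# Sysmon event IDs: 13 = registry value set, 1 = process create, 3 = network connect.
CHECKS = {13: check_registry, 1: check_process, 3: check_network}

def triage(events):
    """Return (technique_id, detail) for every event matching one of the checks."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            hits.append(hit)
    return hits

SAMPLE_EVENTS = [  # constructed; 'svc.exe' and the IP address are placeholders
    {"EventID": 13, "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\alice\AppData\Roaming\svc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\svc.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.7", "DestinationPort": 3333},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},  # benign default value, must not fire
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},  # benign, must not fire
]
```

Running `triage(SAMPLE_EVENTS)` yields three hits (T1060, T1170, T1065) and ignores the two benign records.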

Groups That Use This Software

ID Name References
G0089 The White Company [1]

References