Revenge RAT

Revenge RAT is a freely available remote access tool written in .NET (C#).[1][2]

ID: S0379
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 02 May 2019
Last Modified: 02 October 2023

Techniques Used

Domain  ID  Name  Use

Enterprise  T1547.004  Boot or Logon Autostart Execution: Winlogon Helper DLL

Revenge RAT creates a Registry key at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot.[1]
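A defender-side check for the persistence mechanism described above, written as an added example (it is not part of the ATT&CK page and not Revenge RAT code). The registry path is the one the entry names; the assumption that a healthy per-user Winlogon key either defines no Shell value or sets it to explorer.exe is standard Windows behaviour, not something the page states.

```powershell
# Added example: audit the per-user Winlogon Shell value that the T1547.004 entry
# above describes. Path comes from the page; the expected default 'explorer.exe'
# is an assumption based on default Windows behaviour.
$path     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = 'explorer.exe'

# Most user hives do not define Shell at all (Windows then uses the HKLM value),
# so a missing value is the normal case and must not be treated as an error.
$shell = (Get-ItemProperty -Path $path -Name 'Shell' -ErrorAction SilentlyContinue).Shell

if ($null -eq $shell) {
    Write-Output "OK: no per-user Winlogon Shell override (falls back to HKLM / $expected)."
}
elseif ($shell.Trim() -ieq $expected) {
    Write-Output "OK: per-user Winlogon Shell is the default '$expected'."
}
else {
    # Anything else means logon will launch an extra program; list each entry,
    # because abuse typically appends a second, comma-separated executable.
    Write-Warning "Suspicious: per-user Winlogon Shell is '$shell' (expected '$expected' or absent)."
    $shell -split ',' | ForEach-Object { Write-Output "  entry: $($_.Trim())" }
}
```

Run it in the context of the user being investigated, since HKCU resolves to the calling user's hive; for other users, load their NTUSER.DAT or walk HKEY_USERS instead.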

Enterprise  T1059.001  Command and Scripting Interpreter: PowerShell

Revenge RAT uses PowerShell's Reflection.Assembly type to load itself into memory to aid in execution.[2]

Enterprise  T1059.003  Command and Scripting Interpreter: Windows Command Shell

Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.[2]

Enterprise  T1113  Screen Capture

Revenge RAT has a plugin for screen capture.[1]

Enterprise  T1003  OS Credential Dumping

Revenge RAT has a plugin for credential harvesting.[1]

Enterprise  T1132.001  Data Encoding: Standard Encoding

Revenge RAT uses Base64 to encode information sent to the C2 server.[1]

Enterprise  T1218.005  System Binary Proxy Execution: Mshta

Revenge RAT uses mshta.exe to run malicious scripts on the system.[2]

Enterprise  T1082  System Information Discovery

Revenge RAT collects the CPU information, OS information, and system language.[1]

Enterprise  T1033  System Owner/User Discovery

Revenge RAT gathers the username from the system.[1]

Enterprise  T1016  System Network Configuration Discovery

Revenge RAT collects the IP address and MAC address from the system.[1]

Enterprise  T1102.002  Web Service: Bidirectional Communication

Revenge RAT used blogpost.com as its primary command and control server during a campaign.[2]

Enterprise  T1125  Video Capture

Revenge RAT has the ability to access the webcam.[1][2]

Enterprise  T1105  Ingress Tool Transfer

Revenge RAT has the ability to upload and download files.[1]

Enterprise  T1056.001  Input Capture: Keylogging

Revenge RAT has a plugin for keylogging.[1][2]

Enterprise  T1021.001  Remote Services: Remote Desktop Protocol

Revenge RAT has a plugin to perform RDP access.[1]

Enterprise  T1202  Indirect Command Execution

Revenge RAT uses the Forfiles utility to execute commands on the system.[2]

Enterprise  T1123  Audio Capture

Revenge RAT has a plugin for microphone interception.[1][2]

Enterprise  T1053.005  Scheduled Task/Job: Scheduled Task

Revenge RAT schedules tasks to run malicious scripts at different intervals.[2]
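The scheduled-task, mshta.exe, Forfiles and command-shell entries above all describe the same pattern: a task action that proxies execution through a built-in Windows binary. The following is an added example for triaging that pattern on a host; it is not from the ATT&CK page or from the malware. The list of binaries to look for is taken from the entries above; the cmdlet and its Actions/Execute/Arguments properties are the standard ScheduledTasks module.

```powershell
# Added example: enumerate scheduled tasks whose action launches one of the
# binaries the T1053.005, T1218.005, T1202 and T1059 entries mention.
# Binary names are taken from the page; everything else is a constructed helper.
$watch = @('mshta', 'forfiles', 'powershell', 'cmd')

function Get-SuspiciousTaskAction {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Non-exec actions (e-mail, message box) have no Execute; they produce
            # an empty command string and simply do not match.
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            foreach ($w in $watch) {
                # Match the bare name or name.exe, case-insensitively, as a whole word.
                if ($cmd -match "(?i)(^|[\\\s`"'])$w(\.exe)?([\s`"']|$)") {
                    [pscustomobject]@{
                        TaskPath = $task.TaskPath
                        TaskName = $task.TaskName
                        State    = $task.State
                        Match    = $w
                        Command  = $cmd
                    }
                    break
                }
            }
        }
    }
}

Get-SuspiciousTaskAction | Format-Table -AutoSize -Wrap
```

Legitimate maintenance tasks also run cmd.exe and powershell.exe, so treat the output as a worklist rather than a verdict: hits on mshta.exe or forfiles.exe, tasks created under a user's own task path, or arguments that point at script files in user-writable directories are the rows to examine first.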

Groups That Use This Software

ID  Name  References

G1018  TA2541  [3]

G0089  The White Company  [1]

References