
Revenge RAT spread camouflaged by legitimate tools


Threat actors have been distributing the Revenge RAT malware inside copies of legitimate tools such as smtp-validator and Email to SMS. The malware takes a dual-pronged approach: when the trojanised installer runs, it launches both the genuine tool and a malicious file at the same time, so the user sees the program they expected while the malware runs in the background. This adds a layer of obfuscation and makes it hard for users to notice any malicious activity.

Revenge RAT collects a variety of sensitive data, including the PC and user names, system information, IP addresses, and details of the installed anti-virus and firewall products.

Cybersecurity researchers from ASEC discovered this new distribution campaign for Revenge RAT. Each stage of the deployment drops further files, and the chain of intermediate files makes the malware increasingly difficult to detect.

Revenge RAT attack flow. | Source: ASEC

The malicious file, setup.exe, primarily serves to generate additional malware. It creates a file named svchost.exe in the user's Templates folder, sets the Hidden file attribute on it so that it does not show up in a normal directory listing, runs it, and registers it for autorun. Note that the name is borrowed from the legitimate Windows service host, which only ever runs from the System32 (or SysWOW64) directory.

This svchost.exe connects the victim's device to the command and control (C2) server and downloads an HTML file. The C2 page is made to look like an ordinary blog; the payload is hidden in an HTML comment at a specific offset within the page, so the page renders as harmless content in a browser.

The malware then decodes and decompresses the data it extracts from the HTML file to generate the next stage.

To counter potential disruptions, the attackers also built in an alternative C2 URL, ensuring continuity in case the primary C2 URL becomes inaccessible.
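For an analyst holding a saved copy of the fake-blog page, the useful step is to pull the hidden payload out for inspection. The following PowerShell is an added example, not code from the article or from ASEC. The article says only that the payload sits in an HTML comment at a specific offset and is decoded and decompressed; the loader knows that offset, but an analyst does not, so this script tries every comment. The base64 plus gzip/deflate encoding, the default file name blog.html and the payload_*.bin output names are assumptions for the example.

```powershell
# Added example (not the article's or ASEC's code). Scans every HTML comment in a
# saved page for a base64 blob that decompresses cleanly, writes the result to
# disk and flags it if it starts with an MZ header. Encoding is an assumption.
param([string]$PagePath = '.\blog.html')

$html     = Get-Content -LiteralPath $PagePath -Raw
$comments = [regex]::Matches($html, '<!--(.*?)-->', 'Singleline')

foreach ($m in $comments) {
    # Strip whitespace; only long, base64-looking comments are worth decoding
    $body = ($m.Groups[1].Value -replace '\s', '')
    if ($body.Length -lt 256 -or $body -notmatch '^[A-Za-z0-9+/=]+$') { continue }
    try { $raw = [Convert]::FromBase64String($body) } catch { continue }

    foreach ($kind in 'gzip', 'deflate') {
        try {
            $in = New-Object IO.MemoryStream(,$raw)
            $zs = if ($kind -eq 'gzip') {
                New-Object IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
            } else {
                New-Object IO.Compression.DeflateStream($in, [IO.Compression.CompressionMode]::Decompress)
            }
            $out = New-Object IO.MemoryStream
            $zs.CopyTo($out)          # throws on data that is not valid for this format
            $zs.Dispose()
            $bytes = $out.ToArray()
            if ($bytes.Length -eq 0) { continue }

            $outFile = 'payload_{0}_{1}.bin' -f $m.Index, $kind
            [IO.File]::WriteAllBytes((Join-Path (Get-Location) $outFile), $bytes)

            # 0x4D 0x5A ("MZ") at offset 0 means a PE executable: the next stage
            $isPe = ($bytes.Length -gt 2) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)
            '[+] comment at page offset {0}: {1} bytes after {2} decompression{3} -> {4}' -f `
                $m.Index, $bytes.Length, $kind, $(if ($isPe) { ' (MZ header, PE file)' } else { '' }), $outFile
            break
        } catch {
            # Not this encoding; try the next one
        }
    }
}
```

Run it as `.\Extract-CommentPayload.ps1 -PagePath .\captured.html` against the page fetched from both the primary and the alternative C2 URL; the page offset it prints is the "specific offset" the loader reads, and the extracted .bin can be hashed and fed to static analysis without ever executing it.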

The command and control centre looks like a harmless blog. | Source: ASEC

The next malicious file, explorer.exe, creates version.exe in the %appdata%\Microsoft\Windows\ path and executes the Revenge RAT payload. Execution is completed filelessly, using the CMSTP evasion technique to get past the anti-virus.

The executed version.exe registers the malicious files as exclusions in Windows Defender, using the CMSTP evasion technique (abuse of the signed Windows binary cmstp.exe to run commands with elevated privileges). It then decrypts a binary from its resource section, unveiling Revenge RAT's end goal: running filelessly in memory, so that the final payload never touches disk as a separate file.
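The host-side artefacts in the article are easy to check for. The following PowerShell triage script is an added example, not the article's or ASEC's code, and it is written from the article's description rather than from the samples: it looks for the hidden svchost.exe in the user's Templates folder, version.exe under %APPDATA%\Microsoft\Windows, any autorun entry or running process that points at an svchost.exe outside System32/SysWOW64, and Defender exclusions covering user-profile paths. The article says svchost.exe is "registered for autorun" without naming the mechanism, so checking the Run keys and the Startup folder is an assumption; the Templates folder is assumed to be the one returned by [Environment]::GetFolderPath('Templates'), which is %APPDATA%\Microsoft\Windows\Templates by default.

```powershell
# Added example (not from the article or ASEC): triage checks for the artefacts
# the article describes. Paths and autorun mechanisms are assumptions; run in an
# elevated session so process paths and HKLM Run entries are readable.
$templates  = [Environment]::GetFolderPath('Templates')      # assumed: %APPDATA%\Microsoft\Windows\Templates
$appdataWin = Join-Path $env:APPDATA 'Microsoft\Windows'
$legitSvc   = '(?i)\\Windows\\(System32|SysWOW64)\\svchost\.exe'

# 1. Dropped files. -Force is required because the dropper sets the Hidden attribute.
foreach ($p in @((Join-Path $templates 'svchost.exe'), (Join-Path $appdataWin 'version.exe'))) {
    $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($f) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        "[!] file present: $($f.FullName)  attributes=$($f.Attributes)  sha256=$hash"
    }
}

# 2. Autorun: Run keys (assumed mechanism) pointing at an svchost.exe outside System32/SysWOW64.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }                 # PowerShell's own metadata properties
        $v = [string]$prop.Value
        if ($v -match '(?i)svchost\.exe' -and $v -notmatch $legitSvc) {
            "[!] autorun: $k\$($prop.Name) -> $v"
        }
    }
}

# Startup folder shortcuts/executables (also an assumed mechanism).
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '(?i)svchost|version' } |
    ForEach-Object { "[!] startup folder item: $($_.FullName)" }

# 3. A live svchost.exe whose image is not the Windows one. Path is $null for
#    processes we cannot open without elevation, so those are skipped.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notmatch $legitSvc } |
    ForEach-Object { "[!] process $($_.Id) running from $($_.Path)" }

# 4. Defender exclusions. The article says version.exe adds these; anything under a
#    user profile or the Templates folder is worth a look. Needs the Defender module.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    @($mp.ExclusionPath) + @($mp.ExclusionProcess) |
        Where-Object { $_ -and $_ -match '(?i)AppData|Templates|Users\\' } |
        ForEach-Object { "[!] Defender exclusion: $_" }
}
```

None of these checks is a signature for Revenge RAT on its own; an svchost.exe outside System32 and a fresh Defender exclusion under %APPDATA% are simply things that should not be on a healthy host, and the script prints only those so that a clean machine produces no output. Because the final stage runs in memory, a memory capture of any flagged svchost.exe process is the place to look for the RAT itself.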

Researchers have advised users to exercise caution when utilising open-source tools and ensure that they download from official websites.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
