RevengeRAT: A Deep Dive into its Technical Analysis and Functionality

Explore the depths of RevengeRAT's malware campaign as we unveil its inner workings in our in-depth examination.

Friday, 12 April, 2024

What is RevengeRAT

RevengeRAT is a Remote Access Trojan (RAT) designed to grant attackers remote control over compromised devices. It was first identified in 2017 and has been linked to cyber espionage campaigns targeting government organizations and individuals across the Middle East and South Asia. Typically distributed through phishing emails containing malicious attachments or links, RevengeRAT infiltrates systems upon interaction, enabling attackers to execute unauthorized commands, monitor activities, and steal sensitive data.

It maintains persistence on the infected system mainly by creating a Run key registry entry and adding a shortcut to the user's Startup folder.

File Details:

Hash    : c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e
Magic   : Microsoft PowerPoint 2007+
Filename: Reserva Detalhes.ppam
FileType: Office Open XML Presentation (.ppam)
TrID    : PowerPoint Macro-enabled Open XML add-in (64.8%), Open Packaging Conventions container (27.3%),
          ZIP compressed archive (6.2%), PrintFox/Pagefox bitmap (640x800) (1.5%)
Size    : 12.65 KB (12957 bytes)

Technical Analysis of RevengeRAT:

RevengeRAT commonly infiltrates systems via phishing emails or malicious downloads, exploiting software or operating system vulnerabilities. Upon installation, it connects to a command-and-control server, enabling attackers to remotely manipulate the compromised system, extract sensitive data, or execute malicious actions.

Malware authors are increasingly relying on PPAM (PowerPoint Add-In Macros) files for initial malware distribution. But why? PPAM files are less commonly blocked by security vendors when compared to other file types like EXE, DLL, or Office file formats. Furthermore, PPAM files can be embedded within PowerPoint presentations, making them more likely to evade AV detection. This provides attackers with a stealthy means to spread malware while bypassing security measures.

How does it work?

Following our infection chain, the malware author sends a phishing email to the targeted victims. Typically, the email subject or content pressures users to download attachments or click on phishing URLs. In this campaign, the malware authors attached a file to the email. Upon downloading and opening the .ppam attachment, a dialog box prompts users to enable macros to access the file's content, limiting navigation to other pages. Malware authors capitalize on this feature by embedding malicious macros for exploitation.

Let's dissect the .PPAM file structure and its components:

.PPAM File Components:

Archived Files:

VBAProject.Bin file:

Once enabled and opened, the .ppam file triggers the activation of macro functions, which then execute PowerShell commands in the background.
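
Because a .ppam is an Open Packaging Conventions ZIP container, the presence of a vbaProject.bin part can be confirmed statically, without opening the file in PowerPoint. The Python sketch below is an added example, not part of the original analysis; `triage_ooxml`, `build_sample` and the in-memory archive are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # Compound File Binary signature
MACRO_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml",
)

def triage_ooxml(data):
    """Look for macro evidence in an OOXML container without running anything."""
    report = {"is_zip": False, "vba_parts": [], "macro_types": [], "verdict": "no-macro"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.filename.lower().endswith("vbaproject.bin"):
                with archive.open(info) as part:
                    head = part.read(8)  # read only the header, never the whole part
                report["vba_parts"].append((info.filename, head == OLE_MAGIC))
            elif info.filename == "[Content_Types].xml":
                with archive.open(info) as part:
                    # Substring match on a capped read avoids parsing untrusted XML.
                    text = part.read(1 << 20).decode("utf-8", "replace")
                report["macro_types"] = [t for t in MACRO_TYPES if t in text]
    if report["vba_parts"] or report["macro_types"]:
        report["verdict"] = "macro-enabled"
    return report

def build_sample(with_macro):
    """Constructed stand-in for an add-in archive; not the sample from the article."""
    content_type = MACRO_TYPES[1] if with_macro else "application/xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml",
                         '<Types><Override PartName="/ppt/presentation.xml" '
                         'ContentType="%s"/></Types>' % content_type)
        archive.writestr("ppt/presentation.xml", "<presentation/>")
        if with_macro:
            archive.writestr("ppt/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("macro", build_sample(True)), ("clean", build_sample(False))):
        print(label, triage_ooxml(blob))
```

A mail gateway or triage job can apply the same check to attachments and quarantine anything whose verdict is "macro-enabled" for further analysis.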

Macro Functions:

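Sub document_open()
    ' Decoy error dialog shown to the user when the document opens
    Message = "Error converting document version from type '03'!" + vbNewLine + "Failure code: 0x4AG59C"
    Title = "Office content conversion error"
    Choice = MsgBox(Message, vbExclamation + vbRetryCancel, Title)
    ' MsgBox returns vbRetry (4) or vbCancel (2), so this branch runs whichever button is clicked
    If Choice > 0 Then
        MessageClosed
    End If
End Sub

Common APIs used by RevengeRAT: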
URLDownloadToFileA, Auto_Open, Urlmon, vbExclamation, vbRetryCancel & vbNewLine

URLDownloadToFileA, part of the Windows API, is used to download files from the internet. Within a PowerPoint (PPT) file, it may be invoked by an embedded macro or script to fetch files from URLs referenced within the presentation. This capability enables content to be downloaded at runtime, for purposes such as obtaining additional malware payloads or updates.

VBA Macro Code:

Sub Auto_Open()
' The five fragments below concatenate to the ProgID "WScript.Shell"
mb5307c3f5f4bfffa64e3056028cf8c6b = "WS"
md0ab743cca5f54c7327700e630c21754 = "cri"
y0f12d7a754329dcadeb4fa6a93097461 = "pt.S"
ba8faae05eec0e5b47d7a410e873ffa75 = "he"
ve31944de9ca191752811754db4c3ba5d = "ll"
e77c84b65c15df9befa0f8e28f67effea = mb5307c3f5f4bfffa64e3056028cf8c6b + md0ab743cca5f54c7327700e630c21754 + y0f12d7a754329dcadeb4fa6a93097461 + _
                                    ba8faae05eec0e5b47d7a410e873ffa75 + ve31944de9ca191752811754db4c3ba5d
nc2952c235b309dcf99a27dc0aea0a280 = e77c84b65c15df9befa0f8e28f67effea
r3db29c70b435bd9ce42bef68efeffd50 = nc2952c235b309dcf99a27dc0aea0a280
mb891ad3bc7bf1935eb6874598b1752fa = r3db29c70b435bd9ce42bef68efeffd50
x67b4cbbc53e8495825dfa8a1a0ea58c2 = mb891ad3bc7bf1935eb6874598b1752fa
bedb7c51393d753fdce40c8863018d725 = x67b4cbbc53e8495825dfa8a1a0ea58c2
n9f29802c32c6e06f6f19b92fd23ad94d = bedb7c51393d753fdce40c8863018d725
rebc05376293c69a95730647e712f189f = n9f29802c32c6e06f6f19b92fd23ad94d
z70a55194d711bb979a6155f14b06bb90 = rebc05376293c69a95730647e712f189f
q9930234dfb2b6f88ab71ffdb40b95bd2 = z70a55194d711bb979a6155f14b06bb90
yf70d3da3762357acdcc4f454ae772fad = q9930234dfb2b6f88ab71ffdb40b95bd2
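
The macro above hides the string "WScript.Shell" by splitting it into fragments and then copying the result through a chain of throwaway variables. The Python sketch below is an added example, not code from the original analysis: it folds such constant assignments back into plain strings so they can be matched against a watch list. The function names, the watch list and the shortened sample are assumptions made for illustration.

```python
import re

ASSIGN = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*(.+?)\s*$', re.I)
TOKEN = re.compile(r'\s*(?:"((?:[^"]|"")*)"|([A-Za-z_]\w*)|([+&]))')
# Assumed watch list: strings a macro rarely needs to assemble piece by piece.
WATCHLIST = ("wscript.shell", "powershell", "urldownloadtofile")

def evaluate(expr, env):
    """Fold literals and known variables joined by + or &; None if not constant."""
    pos, parts, want_operand = 0, [], True
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            return None
        literal, ident, op = m.groups()
        if want_operand and literal is not None:
            parts.append(literal.replace('""', '"'))
        elif want_operand and ident is not None and ident.lower() in env:
            parts.append(env[ident.lower()])
        elif want_operand or op is None:
            return None
        want_operand = not want_operand
        pos = m.end()
    return None if want_operand else "".join(parts)

def resolve_strings(source):
    """Return {variable: value} for assignments that reduce to a constant string."""
    source = re.sub(r'[ \t]+_[ \t]*\r?\n[ \t]*', ' ', source)  # join continuations
    env = {}
    for line in source.splitlines():
        m = ASSIGN.match(line)
        value = evaluate(m.group(2), env) if m else None
        if value is not None:
            env[m.group(1).lower()] = value
        elif m:
            env.pop(m.group(1).lower(), None)  # reassigned to something dynamic
    return env

def flag_suspicious(source):
    """Variables whose resolved value contains a watch-listed string."""
    return {name: value for name, value in resolve_strings(source).items()
            if any(word in value.lower() for word in WATCHLIST)}

# Constructed sample mirroring the macro above, with identifiers shortened.
SAMPLE = ('Sub Auto_Open()\na1 = "WS"\na2 = "cri"\na3 = "pt.S"\na4 = "he"\n'
          'a5 = "ll"\nb1 = a1 + a2 + a3 + _\n     a4 + a5\nc1 = b1\nc2 = c1\n')

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE))
```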

Hardcoded Powershell Script:

Obtained Powershell Script:

AV Vendor Sandbox Results:

AV vendor sandboxes analyze suspicious URLs within controlled environments to evaluate their effects on systems and networks. Analyzing sandbox results tells us whether a URL is associated with malware, phishing attempts, or other malicious activities. Here the obtained URLs are marked as malware.

MITRE ATT&CK Matrix:

Tactics                  Techniques

Initial Access         - Phishing Attachment (.ZIP/.PPAM).
Execution              - Command and Scripting Interpreter (VBA Macro Codes).
                         Exploitation for Client Execution.
Persistence            - Scripting (.PS1/.VBA).
                         Modify Registry.
Privilege Escalation   - Process Injection.
                         DLL Side-Loading.
                         Scheduled Task/Job.
Defense Evasion        - Modify Registry.
                         Install Root Certificate.
                         Obfuscated Files or Information (Encryption).
Discovery              - Virtualization and Sandbox Evasion Technique.
                         Application Window Discovery.
                         Remote System Discovery.
                         System Information Discovery.
Command & Control      - Encrypted Channels.
                         Non-Application Layer Protocol.
                         Application Layer Protocol.

Indicators of Compromise (IOC):

c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e (.PPAM)
dbcb21d5f9c1a74aaeacb6fd5e4bda89af7cf80461eae3fa3c61a8bb90bf5044 (.PPAM)
f8d9858e2029276c48e1e7aefc168269ba73450bfba41d49d47aa61092dd0cf9 (.PPAM)
0fabe8bad86d907040ba52fc7fc59e1626a4ea86bb24baa85a94734b4517fddb (.PPAM)
0b2bdf84b652a409fc9875e73d896945143ad918556caeba75526740714d02ea (.PPAM)

Happy Hunting !!