RevengeRAT Trojan Gives Hackers Access To Your Data. Recently, Microsoft issued an alert warning users about a campaign delivering the remote access tools RevengeRAT and AsyncRAT. It targets travel and aerospace companies with spear-phishing emails. The emails use social engineering lures to get employees at these firms to open a poisoned Adobe PDF attachment, which downloads a malicious Visual Basic script loader onto the recipient’s machine; the loader then delivers the RAT.
In addition to the Microsoft alert, the security firm Morphisec recently flagged RevengeRAT as being at the center of a highly advanced crypter-as-a-service scheme that delivers multiple RAT families.
Morphisec has dubbed the crypter service “Snip3,” and had this to say about it:
“If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script executes within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments. If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload.
The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers and then use UTF-8-encoded PowerShell and file-less techniques to download three additional stages from pastebin[.]com or similar sites.
The Trojans continuously re-run components until they inject them into processes like RegAsm, InstallUtil, or RegSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, and system and network info, and exfiltrate data often via SMTP port 587.”
Microsoft notes that this basic strategy closely mirrors the one used by WannaCry and QuasarRAT in 2017 and 2018, a clue that may ultimately lead us to identify the attackers.
For their part, Microsoft has published several advanced hunting queries that security professionals can run to detect these threats on their networks. RevengeRAT is a significant threat that gives attackers access to your computer, so stay on your guard.
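The behaviour quoted above (a script host launching RegAsm, InstallUtil or RegSvcs as an injection target, PowerShell pulling stages from a paste site, and exfiltration over SMTP submission on port 587) translates directly into hunting logic. The following is an added example written for this page, not Microsoft's published queries (those are KQL for Microsoft 365 Defender) and not Morphisec's code. It runs three heuristic rules over constructed, simplified EDR-style events and reports hosts that match more than one rule. The event schema, host names, the paste-site list and the mail-client allow-list are all assumptions for the example.

```python
"""Hunting heuristics for the RAT delivery chain described above.

Constructed sample telemetry (not real logs) in a simplified EDR-style
schema. Rules:
  1. a script host (powershell/wscript/cscript) spawns one of the .NET
     utilities the RATs inject into (RegAsm, InstallUtil, RegSvcs) with an
     empty command line, the usual sign of a hollowed process launched suspended;
  2. a script host fetches content from a paste site (next-stage download);
  3. outbound SMTP submission (TCP 587) from a process that is not a mail client.
A host is reported when at least `min_rules` rules fire for it.
"""
from collections import defaultdict
from dataclasses import dataclass

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "regsvcs.exe"}
PASTE_SITES = {"pastebin.com", "paste.ee", "hastebin.com"}   # assumed list; extend per environment
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}            # assumed allow-list for port 587


@dataclass
class ProcessEvent:
    host: str
    parent: str
    child: str
    cmdline: str


@dataclass
class NetworkEvent:
    host: str
    process: str
    remote_host: str
    remote_port: int


def command_arguments(cmdline: str) -> str:
    """Return everything after the executable token (quoted or bare) in a command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def check_injection_target(ev: ProcessEvent):
    """Rule 1: script host -> RegAsm/InstallUtil/RegSvcs with no arguments."""
    if (ev.parent.lower() in SCRIPT_HOSTS
            and ev.child.lower() in INJECTION_TARGETS
            and not command_arguments(ev.cmdline)):
        return f"{ev.parent} spawned {ev.child} with no arguments (likely injection target)"
    return None


def check_paste_site_fetch(ev: NetworkEvent):
    """Rule 2: script host talking to a paste site."""
    if ev.process.lower() in SCRIPT_HOSTS and ev.remote_host.lower() in PASTE_SITES:
        return f"{ev.process} fetched content from {ev.remote_host}"
    return None


def check_smtp_exfil(ev: NetworkEvent):
    """Rule 3: SMTP submission from anything that is not an allow-listed mail client."""
    if ev.remote_port == 587 and ev.process.lower() not in MAIL_CLIENTS:
        return f"{ev.process} opened SMTP submission (587) to {ev.remote_host}"
    return None


def hunt(process_events, network_events, min_rules=2):
    """Correlate rule hits per host; return {host: [reasons]} for hosts over the threshold."""
    reasons = defaultdict(list)
    for ev in process_events:
        hit = check_injection_target(ev)
        if hit:
            reasons[ev.host].append(hit)
    for ev in network_events:
        for check in (check_paste_site_fetch, check_smtp_exfil):
            hit = check(ev)
            if hit:
                reasons[ev.host].append(hit)
    return {host: hits for host, hits in reasons.items() if len(hits) >= min_rules}


# Constructed sample events: one infected workstation, one developer box using
# RegAsm legitimately, and one user whose mail client talks SMTP on 587.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("WS-AERO-07", "wscript.exe", "powershell.exe",
                 "powershell.exe -w hidden -ep bypass -f stage1.ps1"),
    ProcessEvent("WS-AERO-07", "powershell.exe", "RegAsm.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcessEvent("BUILD-01", "cmd.exe", "RegAsm.exe", "RegAsm.exe /codebase Interop.dll"),
    ProcessEvent("WS-HR-02", "explorer.exe", "outlook.exe", "outlook.exe"),
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent("WS-AERO-07", "powershell.exe", "pastebin.com", 443),
    NetworkEvent("WS-AERO-07", "RegAsm.exe", "mail.example.net", 587),
    NetworkEvent("WS-HR-02", "outlook.exe", "smtp.example.com", 587),
    NetworkEvent("BUILD-01", "msedge.exe", "www.example.org", 443),
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS).items():
        print(host)
        for hit in hits:
            print("  -", hit)
```

The empty-command-line check is what separates the injection pattern from legitimate use: developers and installers run RegAsm and InstallUtil with an assembly path, whereas a loader that hollows the process starts it with nothing to do. The port 587 rule is noisy on its own, which is why findings are only reported when rules corroborate each other; tune the allow-lists to your environment before running this at scale.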