RevengeRAT
RevengeRAT is a part of a threatening malware campaign that is targeting computer users located in Europe, Asia, the Middle East and North America. RevengeRAT is being distributed through a variety of Web pages that are hosted on public platforms such as Blogspot and Pastebin, also using these pages as part of RevengeRAT's Command and Control infrastructure used to carry out RevengeRAT attacks. Reports of the latest RevengeRAT campaign started appearing in March 2019, even though the RevengeRAT Trojan has been around since 2016. This current malware campaign associated with RevengeRAT has become known as 'Aggah' and seems to target large businesses and government networks.
Table of Contents
How the RevengeRAT Trojan Attacks a Computer
The RevengeRAT Trojan has been available to everyone since 2016, released on hacking forums. Once RevengeRAT is installed, RevengeRAT allows the attacker to control the infected computer from afar. With RevengeRAT, criminals can gain access to files on a computer device, running memory processes and services, spying on the victim's activities, and making changes to the affected device. RevengeRAT also allows criminals to gain access to peripherals connected to the infected computer, for example allowing them to track keystrokes on the infected computer's keyboard or gaining access to the camera or microphone to monitor the infected computer's surroundings.
How RevengeRAT is Being Distributed in the Aggah Campaign
RevengeRAT has been distributed in a large variety of ways since it was first created, which include typical malware delivery methods that are well-known, such as the use of spam email attachments or corrupted online advertisements and corrupted websites. The main way in which RevengeRAT is delivered in the Aggah campaign is through corrupted documents that use embedded macros to download and install RevengeRAT onto the victim's computer. Embedded macros associated with this campaign uses posts on Blogspot to obtain a script that uses Pastebin content to download additional content until finally RevengeRAT is installed and connected to its Command and Control server. The initial decoy file, which begins the RevengeRAT attack, can be disguised in a variety of ways and can change depending on the victim. One sample observed on March 27, 2019, was delivered in a fake email message from a bank with the subject line 'Your account is locked,' tricking the victim into opening the attached file thinking that it is an official document from a bank.
How RevengeRAT Infects a Device
When the victim opens the decoy file, it displays an image to trick the victim into enabling Microsoft Office macros. Allowing this to happen allows RevengeRAT to be installed on the victim's computer via a process with multiple steps involving various, different URLs. As soon as RevengeRAT is installed, this Trojan will disable Microsoft Defender and try to disable other security content on the victim's computer. The RevengeRAT variant installed in these recent attacks is nicknamed 'Nuclear Explosion' and seems to carry out a typical backdoor RAT attack. One link associated with RevengeRAT distribution has been clicked nearly two thousand times with targets in more than twenty different countries. This hints to the fact that it is very likely that RevengeRAT attacks have been successful in reaching potential victim particularly.
Protecting Your Data from RevengeRAT
The best protection against RATs like the RevengeRAT Trojan is to have a security product that is fully up-to-date installed on your computer. Apart from having a reliable anti-malware program, malware researchers also advise computer users to make sure that other security devices on their computer are enabled, such as a reliable firewall and an anti-spam filter. PC security researchers advise disabling macros in Microsoft Office and avoiding downloading suspicious files, unsolicited email attachments particularly.
