Recently, Microsoft issued an alert, warning users about a remote access tool called RevengeRAT, also known as AsyncRAT. It is being used to target travel and aerospace companies with spear-phishing emails. The emails use social engineering tricks to prompt employees at these types of firms to open a poisoned Adobe PDF attachment which downloads a malicious Visual Basic file on the recipient’s machine.
In addition to the Microsoft alert, the security firm Morphisec recently flagged RevengeRAT as being at the center of a highly advanced Crypter-as-a-Service scheme that delivers multiple RAT families.
Morphisec has dubbed the Cryptor Service “Snip3,” and had this to say about it:
“If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments. If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload.
The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then uses a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites.
The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network into, and exfiltrates data often via SMTP Port 587.”
Microsoft notes that this basic strategy closely mirrors the one used by WannaCry and QuasarRAT in 2017 and 2018, a clue which may ultimately lead us to identify the attackers.
For their part, Microsoft has published a number of advanced hunting queries that security professionals can use if they detect these threats anywhere on their networks. This is a significant threat. Stay on your guard.