Shut Up and Hack

I like reading more than writing, and, in fact, I don't write too much.

Lurking Around Revenge-RAT

Two days ago the tweet below caught my attention: 1/54 at virustotal. A RAT is always an interesting topic for me since it’s a common practice to use some form of RAT to establish C&C in Red Team Exercises. So there’s always something to learn even if it’s done in a completely wrong way.

I opened the virustotal report, 1/54 indeed. Is Fortinet really good or are the others really bad, I wondered. Even after looking at the sample I still don’t know the answer.

Anyway, 1/54… I had to look at the sample. The tweet included a link to a forum thread where I could find a link to a blog hosted at, with a link to a download page.

I downloaded the ‘Revenge-RAT v.0.1’ and extracted the rar file. Here’s the whole contents of the archive.

$ unrar x Revenge-RAT\ v.0.1.rar .
UNRAR 5.21 freeware      Copyright (c) 1993-2015 Alexander Roshal

Extracting from Revenge-RAT v.0.1.rar

Enter password (will not be echoed) for Revenge-RAT v.0.1/GeoIP.dat:

Creating    ./Revenge-RAT v.0.1                                       OK
Extracting  ./Revenge-RAT v.0.1/GeoIP.dat                             OK
Revenge-RAT v.0.1/Mono.Cecil.dll - use current password ? [Y]es, [N]o, [A]ll A

Extracting  ./Revenge-RAT v.0.1/Mono.Cecil.dll                        OK
Creating    ./Revenge-RAT v.0.1/Plugin                                OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Active_Windows.dll             OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Clipboard_Manager.dll          OK
Extracting  ./Revenge-RAT v.0.1/Plugin/File_Manager.dll               OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Get_TCP_Connections.dll        OK
Extracting  ./Revenge-RAT v.0.1/Plugin/INFO.dll                       OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Installed_Programs.dll         OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Passwords.dll                  OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Pastime.dll                    OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Process_Manager.dll            OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Registry_Editor.dll            OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Remote_Shell.dll               OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Remote_WebCam.dll              OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Screen_Capture.dll             OK
Extracting  ./Revenge-RAT v.0.1/Plugin/Service_Manager.dll            OK
Extracting  ./Revenge-RAT v.0.1/Revenge-RAT v.0.1.exe                 OK
Extracting  ./Revenge-RAT v.0.1/sound.wav                             OK
Extracting  ./Revenge-RAT v.0.1/Stub.exe                              OK
All OK

My first surprise was…

$ file Revenge-RAT\ v.0.1/Revenge-RAT\ v.0.1.exe
Revenge-RAT v.0.1/Revenge-RAT v.0.1.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

A potentially malicious .NET assembly and only one AV flagged it?! I loaded it in CFF Explorer. All looks pretty normal…

‘Revenge-RAT v.0.1.exe’
SHA256: f1fc15082123a79f5350a6bf7897f4ac9c7474619f96efc556754918f3926ae7

I loaded the assembly in ILSpy and surprise, surprise… no signs of packing or obfuscation.

Then I tried to load one of the DLLs in CFF Explorer, and first surprise. No, now I really mean it: ‘Unknown format’.

PEiD confirms this is not a valid PE file.

File to the rescue.

$ file Installed_Programs.dll
Installed_Programs.dll: gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT)

I think I’ve seen this before.

$ mv Installed_Programs.dll Installed_Programs.gz
$ gunzip Installed_Programs.gz
$ ll
total 16
-rw-r--r-- 1 rui rui 16384 Aug 26 22:22 Installed_Programs
$ file Installed_Programs
Installed_Programs: PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Ok, now it makes sense. I opened it in ILSpy and once again, no packing or code obfuscation.
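The mv/gunzip/file steps above can be automated for a whole plugin directory. This is an added example, not code from the original post or from the RAT: it strips a gzip layer if the file starts with the gzip magic, then reads the PE headers to check the DLL flag and whether the CLR data directory is populated, which is what `file` reports as a Mono/.Net assembly. The sample bytes are constructed headers, not the real plugin.

```python
import gzip
import struct
import zlib

def unwrap_gzip(data):
    """Return the decompressed payload if data is a gzip stream (magic 1f 8b), else None."""
    if not data.startswith(b"\x1f\x8b"):
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None

def describe_pe(data):
    """Minimal PE triage: MZ/PE signatures, the DLL flag, and a non-empty CLR directory (.NET)."""
    info = {"is_pe": False, "is_dll": False, "is_dotnet": False}
    try:
        if data[:2] != b"MZ":
            return info
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return info
        info["is_pe"] = True
        info["is_dll"] = bool(struct.unpack_from("<H", data, e_lfanew + 22)[0] & 0x2000)  # IMAGE_FILE_DLL
        opt = e_lfanew + 24  # optional header; data directories at +96 (PE32) or +112 (PE32+), entry 14 is CLR
        dir_base = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)
        clr_rva, clr_size = struct.unpack_from("<II", data, dir_base + 14 * 8)
        info["is_dotnet"] = clr_rva != 0 and clr_size != 0
    except struct.error:
        pass  # truncated headers: report what was established so far
    return info

def triage(name, data):
    """Unwrap a gzip layer (if any) before the PE checks, mirroring the mv/gunzip/file steps above."""
    payload = unwrap_gzip(data)
    result = {"name": name, "gzip_wrapped": payload is not None}
    result.update(describe_pe(payload if payload is not None else data))
    return result

def build_sample_dotnet_dll(wrapped=False):
    """Constructed stand-in for a .NET DLL: only the header fields describe_pe reads are populated."""
    dos = bytearray(b"MZ".ljust(0x80, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE signature at offset 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # DLL|EXECUTABLE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # fake CLR header RVA/size
    raw = bytes(dos) + coff + bytes(opt)
    return gzip.compress(raw) if wrapped else raw
```

Run `triage(path, open(path, "rb").read())` over each file in the Plugin directory; a DLL that reports `gzip_wrapped` and `is_dotnet` is the pattern seen with Installed_Programs.dll.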

By looking at the code we can see the author simply reads the registry, nothing special. I decided to run it inside my VM to see how advanced the almost FUD, fully undetected, ‘Revenge-RAT v.0.1’ really was. A very basic builder simply makes a few changes to the ‘Stub.exe’ file.

If we look at the ‘Stub.exe’ code we can see there’s nothing special and the keylogger is also quite basic.

Even though it works, another surprise.

The following screens show more or less the features that ‘Revenge-RAT v.0.1’ includes.

I went through most of the ‘Revenge-RAT v.0.1’ features and files and found it to be a very basic and unstable RAT written apparently in Visual Basic.

The ‘IP Tracker’ uses the web site to find the location of the infected machine. In my test lab it found my location accurately, as I was in a dark room ‘hacking’.

Besides that, only the common features usually seen in this kind of basic malware: ‘Process Manager’, ‘Registry Editor’, ‘Remote Connections’, ‘Remote Shell’, system information, among a few others.

Maybe the most interesting one is the ability to run files on the remote computer.

Which indeed launches ‘procmon’ on the remote victim.

Besides that, nothing really interesting to show.

Lessons learned

I feel like I wasted my time based on a 1/54 virustotal score. The author doesn’t try to hide what his code does in any way, and the architecture is common and weak. On the positive side, the author is not trying to sell the RAT and might only be trying to learn how to code, although learning C or C++ would be a better investment than learning any managed code language. Anyway, it may or may not be surprising that these types of basic tools are still used successfully to compromise some systems, as we can see in one of the YouTube videos posted by the author. At some point in the video we can see 15 compromised systems; it is not that much, but it is still something. Even though the features are basic they are still enough, in 2016, to cause real harm to ‘random’ users.

I sent the ‘Server.exe’ to virustotal, which is basically the ‘Stub.exe’ that was in the rar file initially submitted to virustotal, and now, after two days, the detection rate is 41/57. Even so, well-known and widely used AVs still don’t flag this file as malicious. Anyway, this only shows how broken the AV industry is.


For IOCs check the links below: