Two days ago the tweet below caught my attention, 1/54 at virustotal. A RAT is always an interesting topic for me since it’s common practice to use some form of RAT to establish C&C in Red Team Exercises. So there’s always something to learn, even if it’s done in a completely wrong way.
I opened the virustotal report, 1/54 indeed. Is Fortinet really good or are the others really bad, I wondered. Even after looking at the sample I still don’t know the answer.
Anyway, 1/54… I had to look at the sample. The tweet included a link to a forum thread where I could find a link to a blog hosted at blogger.com, with a link to a download page.
I downloaded the ‘Revenge-RAT v.0.1’ and extracted the rar file. Here’s the whole contents of the zip file.
My first surprise was…
A potentially malicious .net assembly and only one AV flagged it?! I loaded it in CFF Explorer. All looks pretty normal…
I loaded the assembly in ILSpy and surprise, surprise… no signs of packing or obfuscation.
Then I tried to load one of the DLLs in CFF Explorer, and first surprise. No, now I really mean it. ‘Unknown format’.
PEiD confirms this is not a valid PE file.
The ‘file’ utility to the rescue.
I think I’ve seen this before.
Ok, now it makes sense. I opened it in ILSpy and, once again, no packing or code obfuscation.
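The format checks that CFF Explorer, PEiD and ‘file’ were doing above can be reproduced by hand. The Python below is an added example, not code from the post or from Revenge-RAT: it walks the DOS and PE headers and reports whether a blob is a well-formed PE image and whether its data directory 14 (the CLR runtime header) is populated, which is the quick way to tell a managed .NET assembly from an ‘Unknown format’ blob. The sample headers are constructed inline for the demonstration, they are not the RAT’s files.

```python
import struct

def pe_triage(data: bytes) -> dict:
    """Return {'valid_pe', 'dotnet', 'machine'} for a raw file image."""
    result = {"valid_pe": False, "dotnet": False, "machine": None}
    # DOS header: 'MZ' magic, e_lfanew (offset of the PE signature) at 0x3C
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result  # what CFF Explorer reports as 'Unknown format'
    # COFF file header (20 bytes) follows the 4-byte signature
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24  # optional header starts right after the COFF header
    if opt + 2 > len(data):
        return result
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directories begin at offset 96
        dirs = opt + 96
    elif magic == 0x20B:  # PE32+: data directories begin at offset 112
        dirs = opt + 112
    else:
        return result
    if dirs > len(data):
        return result
    result["valid_pe"] = True
    result["machine"] = machine
    # NumberOfRvaAndSizes sits in the 4 bytes just before the directory table
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    # Entry 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header of a .NET assembly
    if ndirs > 14 and dirs + 15 * 8 <= len(data):
        rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)
        result["dotnet"] = rva != 0 and size != 0
    return result

def build_stub(magic: int, clr_rva: int) -> bytes:
    """Constructed minimal header image (not a runnable executable) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224 if magic == 0x10B else 240
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C if magic == 0x10B else 0x8664,
                                    1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    nd_off = 92 if magic == 0x10B else 108  # NumberOfRvaAndSizes
    struct.pack_into("<I", opt, nd_off, 16)
    struct.pack_into("<II", opt, nd_off + 4 + 14 * 8, clr_rva, 72 if clr_rva else 0)
    return dos + coff + bytes(opt)
```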
By looking at the code we can see the author simply reads the registry, nothing special. I decided to run it inside my VM to see how advanced the almost FUD (fully undetected) ‘Revenge-RAT v.0.1’ really was. It is a very basic builder that simply makes a few changes to the ‘Stub.exe’ file.
If we look at the ‘Stub.exe’ code we can see there’s nothing special and the keylogger is also quite basic.
Even though it works, there was another surprise.
The following screens show more or less the features that ‘Revenge-RAT v.0.1’ includes.
I went through most of the ‘Revenge-RAT v.0.1’ features and files and found it to be a very basic and unstable RAT written apparently in Visual Basic.
The ‘IP Tracker’ uses the web site addgadgets.com to find the location of the infected machine. In my test lab it found my location accurately, as I was in a dark room ‘hacking’.
Besides that, only the common features usually seen in this kind of basic malware: ‘Process Manager’, ‘Registry Editor’, ‘Remote Connections’, ‘Remote Shell’, system information, among a few others.
Maybe the most interesting one is the ability to run files on the remote computer.
Which indeed launches ‘procmon’ on the remote victim.
Besides that, nothing really interesting to show.
I feel like I wasted my time based on a 1/54 virustotal score. The author doesn’t try to hide what his code does in any way, and the architecture is common and weak. On the good side, the author is not trying to sell the RAT and might only be trying to learn how to code, even though learning C or C++ would be a better investment than learning any managed code language. Anyway, it might or might not be surprising that these types of basic tools are still used successfully to compromise some systems, as we can see in one of the YouTube videos posted by the author. At some point in the video we can see 15 compromised systems; it is not that much, but it is still something. Even though the features are basic, they are still enough, in 2016, to cause real harm to ‘random’ users.
I sent the ‘Server.exe’ to virustotal, which is basically the ‘Stub.exe’ that was in the rar file initially submitted to virustotal, and now, after two days, we can see that the detection rate is 41/57. Even so, some well-known and widely used AVs still don’t flag this file as malicious. Anyway, this only shows how broken the AV industry is.
For IOCs check the links below: