We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
TrojanDropper:VBS/RevengeRAT
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
RevengeRAT, or Revenge, is a malware known to infect devices through malicious email attachments or malicious ads on compromised websites. Attackers use spear-phishing to deliver the malware as a Visual Basic (VB) script, contained in either .zip or .rar archives, or in .doc files. They also use emails or images embedded with links that redirect users to cloud-hosting sites, such as GoogleDrive, OneDrive, iCloud drive, which host the malware.
Read the following blogs for details:
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
To help reduce the impact of this threat, you can:
- Immediately isolate the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigate how the affected endpoint might have been compromised. Check web and email traffic to determine how the malware arrived.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
- Turn on the following attack surface reduction rule to block or audit activity associated with this threat:
You can also visit our advanced troubleshooting page or search the Microsoft community for more help.
