VenomRAT: A remote access tool with dangerous consequences

Summary

  • Name: VenomRAT
  • Discovered in June 2020
  • Distributed as malicious attachments in spam emails
  • Uses obfuscated Microsoft Office macro script to download malicious files, then executes functions from library and uses PowerShell scripts for further actions
  • Written in C#, though the dropper is a VBA macro
  •   Encrypted files have a ‘.Venom’ extension
  • 32-bit executable called “ijii.exe”
  • Uses PowerShell scripts to prepare the compromised environment for activity that includes collecting credentials, stealing cryptowallets, changing firewall settings and editing RDP settings

Introduction

The first messages about VenomRAT started to appear in June 2020. By analyzing the code, analysts concluded that this new threat is a modified fork of Quasar RAT. The malware itself was introduced on malware-oriented forums, in posts advertising it as an effective tool to remotely access computers for $150 per month.

Acronis

Technical details

Delivery

VenomRAT is delivered as a Microsoft Excel file (SHA256:                                       f57a3f475e7eadf3c090159567858ca5f13323d32300214a9032e44105baa8b3). The file we examined is 177,152 bytes in size and was first reported on October 20, 2021:

Acronis

The downloaded  backdoor (SHA256: 0cf9f47df9a93dd855aa9fc56d46f880a7bed1fec2a102559e5a3addd81bf4da) has a size of 404,480 bytes and up to 49 detections at this moment, according to VirusTotal.

It is worth noting, that the domain www.js-hurling.com from which the malware is downloaded, is actively used to spread malicious samples even today.

The domain was registered in Pakistan:

Acronis

It uses a free Let’s Encrypt TLS certificate (valid for three months) to establish a protected connection.

Acronis

Installation

After the document is opened and active content is enabled, a VBA macro is executed. The macro contains a simple handler inside that’s executed when the spreadsheet is opened. This handler is used to de-obfuscate code and download a trojan.

Acronis
Acronis

The trojan-downloader then tries to retrieve the Venom backdoor via this link:

hxxps://www.js-hurling[.]com/fkafgdfaupdatesosnfkgjfgafgfjrsgbbfsjbbfgsgk/migfbewnaeopmguywjfffrvgqg.exe

and to save it as:

%AppData%\ijii.exe

After that, it tries to launch the downloaded file.

Acronis
Acronis

Obfuscation

Obfuscation is used in every module of the trojan, including the VBA macro and PE module, which is downloaded from the attackers’ server. The VBA macro contains many initializations of random variables to complicate malware analysis.

Acronis

The downloaded file is a .NET application, and heavily obfuscated.

Acronis

The obfuscation is done with Eazfuscator.NET — this tool’s settings can be found among other build parameters:

Acronis
Acronis

Payload

The malware calculates MD5 hash of ‘Tjhvduhdvp’ string (MD5: f488f2fdeb961abb88630ba346e802f2) and uses it to decrypt the resource named ‘Hyjzhpv‎’.

Acronis
Acronis

The resource is encrypted using 3DES in CBC mode. It is in fact a malicious library (SHA256: f661fe535cae81b32c741f8b1ef2f02a2fda648d9f5b7264dd6e350494600e89), which becomes clear after the decryption.

The malware then loads the decrypted library using Assembly.Load() and runs its ‘P7rdvOsRE2’ method using Invoke().

Acronis

After being executed, the malware downloads and installs a DLL with a rootkit. This rootkit is based on the open-source project called r77. The rootkit hides any files and processes with the prefix ‘$77’, which is why all used binary files contain it in their names.

Acronis

The downloaded package also contains a tool to bypass UAC (SHA256: 1bb6f045a9218bacd2c0f35f2e9fb3f0a92f5bdd7efd207b070c47707a6ae82d) using UACSilentCleanup. The installer modifies AppInit_Dll’s auto-load mechanism to include ‘r77-x86.dll’ and ‘r77-x64.dll.’

The package also contains Velos Stealer, a trojan written in C# (SHA256: f053af636e8ec15d133a92aceb4187027aa7a8d4e91e8217e87155037fbdc6ef). It is capable of stealing desktop files, FileZilla connection logs and browser data (saved passwords, credit card data, cookies and cache). This data is then saved into separate .txt files and compressed into ‘Passwords.zip’. Another ‘.bat’ script is used to install a UPX-packed UltraVNC — a popular remote access tool.

To install RDP, the malware downloads a few scripts and binaries from the hardcoded IP address to perform the following actions:

  •   Empties %TEMP% folder from created files and kills cmd, conhost, installrdp, installrdp, updaterdp, Install and winvnc processes;
  •   Enables RDP by manipulating registry keys;
  • Modifies firewall settings to allow access to Remote Desktop port;
  •   Adds %ProgramFiles%\\RDP Wrapper to WindowsDefender exclusion list;
  • Creates user Venom with Venom password as an admin with an access to Remote Desktop usage.

Some variants of Venom malware have a built-in AES+RSA encryption tool — a cryptolocker that blocks access to files, encrypting them and adding the ".Venom" extension. These variants drop a file called ‘HOW-TO-RECOVER-YOUR-FILES.txt’ demanding $999 in ransom (in the form of cryptocurrency) and an address to the cybercriminals’ crypto wallet.

Network activity

The network connection is performed with the help of ngrok.io, which is downloaded from ‘hxxp://91.134.207[.]16/ngrok.exe.’ It is then used to enumerate available tunnels and to transfer data. To exfiltrate data, it is put onto an FTP server through PowerShell or WinSCP. The file with data is then sent as an email attachment using either a PowerShell script (%TEMP%\send.ps1) or blat.exe.

One of the latest variants uses ‘pastebin.com’ to receive commands and downloads files from ‘hxxp://ip-api[.]com/json/’.

Conclusion

VenomRAT is a fork of Quasar RAT that is promoted online as a (benevolent) remote access tool for Windows machines. In reality, it’s an info-stealing trojan that can be used for malicious purposes.

On a technical level, VenomRAT is poorly designed, with hardcoded IPs and misuses of Ngrok tunneling tools. Some of the variants can contain built-in encryption and file-stealing ransomware functionality that also have some significant design flaws, making detection and file recovery easier. VenomRAT is an example of a low-quality malware that can be used to perform some attacks, but its capabilities are far below other known Quasar RAT forks. The chances of it being used by any serious threat actor are very low — at least, until a better version is released.

Acronis Cyber Protect detects all the malicious activities of VenomRAT.

Acronis
Acronis
Acronis

IoCs

File name
SHA256
NitroGenerator.exe
39edd6c7cf0008eeab360da49cf26f4dd9b1c72dd98bdf2635efe172808d0e63
$test
c2b8750af042005a0748e5c821e6ca8d7d7fb5ca4445f6fe46be9c9e1189e13b
ijii.exe
0cf9f47df9a93dd855aa9fc56d46f880a7bed1fec2a102559e5a3addd81bf4da
r77-x86.dll
dc6ce53e100795c72f4db35a8cfd9294cc564cd82c8f59468fa94c7c0cf0b0de
$77-Otohits.exe
638a7dfb0adbe402ea3ecfa8f1b838757691b9adef4cdce005668906422b230c
$77-Venom.exe
1577f8436ea08d52e379edf8c49192fedafda652697a64b4c400eff4c64f9716
$77Java_Updater.exe
46f002ba2109accfc64faf6707bd6703e6d86d6a4bfe9e35d2d9ca5aff016121
Lime_text.exe
60444b4af2e533743cdba84e40b07a7829dd00cc7313e7ca98f544e672f79caf