VenomRAT
Type of Malware | Trojan |
Date of Initial Activity | 2020 |
Targeted Countries | Germany |
Motivation | Espionage |
Attack Vectors | Phishing |
Targeted Systems | Windows |
Overview
VenomRAT, a sophisticated remote access tool (RAT), first emerged in June 2020 and quickly gained notoriety for its ability to exploit Microsoft Office macros, bypass security measures, and infiltrate systems with alarming efficiency. Unlike many other types of malware, VenomRAT is designed to provide attackers with persistent and deep access to infected machines, enabling them to perform a variety of malicious actions without detection. This powerful tool has been used to target both individuals and organizations, making it a serious cybersecurity threat.
The primary method of delivery for VenomRAT is through malicious attachments in spam emails, typically disguised as legitimate Microsoft Excel files. Once the user enables macros within the document, a specially crafted VBA macro is executed, downloading and installing the VenomRAT payload. The payload is often obfuscated, making it harder for traditional security tools to detect. This technique highlights how cybercriminals continually evolve their tactics to evade detection, leveraging common tools and behaviors like email attachments and macros to propagate their attacks.
Once installed on a victim’s system, VenomRAT is capable of a wide range of malicious activities, including credential theft, the exfiltration of sensitive data, the hijacking of cryptocurrency wallets, and the manipulation of system settings such as Remote Desktop Protocol (RDP) configurations and firewall rules. Some variants of VenomRAT even include cryptolocker capabilities, encrypting files and demanding a ransom in cryptocurrency for their release. These capabilities make it a highly versatile and dangerous piece of malware, suitable for a range of cybercriminal objectives, from espionage to financial theft.
Targets
Information
How they operate
Delivery and Initial Execution
VenomRAT is primarily distributed via phishing campaigns, with malicious Excel files being the most common delivery vector. These files often arrive as attachments in spam emails, luring the victim into enabling macros. Upon opening the infected document and enabling macros, a Visual Basic for Applications (VBA) script is executed. This script is heavily obfuscated to evade detection and analysis. The VBA macro acts as the initial payload downloader, de-obfuscating the code and downloading a trojan from a remote server. The trojan is typically saved as a file named “ijii.exe” in the victim’s AppData folder. This executable is a .NET application that is further obfuscated using Eazfuscator.NET, a tool designed to make reverse engineering and analysis much more difficult.
Payload and Functionality
Once executed, the downloaded trojan begins its attack lifecycle by loading a malicious library that it decrypts with 3DES, using a key derived from an MD5 hash. The trojan loads the decrypted library into memory and executes its malicious functions. One of its first actions is to install a rootkit based on the open-source r77 project. This rootkit hides the trojan’s files and processes from security software, making the malware harder to detect and remove; specifically, it hides any file or process whose name carries a “$77” prefix.
In addition to the rootkit, VenomRAT also installs a number of tools designed to enhance its functionality. These include a UAC (User Account Control) bypass tool, which elevates the trojan’s privileges, and a credential-stealing trojan called Velos Stealer. Velos Stealer is capable of extracting saved login credentials from browsers, FTP clients, and other applications. It also exfiltrates sensitive data such as credit card information, cookies, and cache data. All the stolen data is saved in text files and compressed into a “Passwords.zip” file for easy exfiltration. These tools work in tandem to provide the attacker with valuable information and maintain a foothold in the compromised system.
Persistence Mechanisms
VenomRAT employs several techniques to ensure it persists on infected systems across reboots. One key method is modifying the system’s registry to establish autorun entries, so the malware starts automatically each time the system boots. VenomRAT also manipulates the Remote Desktop Protocol (RDP) settings: it creates a new user account called “Venom” with administrator privileges, enables RDP, and modifies the Windows firewall settings so that the RDP port is open, giving the attacker a second, interactive route into the machine. To further entrench itself, VenomRAT adds itself to the Windows Defender exclusion list and installs the r77 rootkit, so that attempts to remove the malware or block its activities are hindered.
Exfiltration and Communication
VenomRAT is equipped with a variety of communication and exfiltration techniques to transfer stolen data back to the attacker. To reach its command and control (C2) servers it uses several methods, including ngrok.io, a legitimate tunnelling service that forwards connections made to an ngrok.io hostname to a listener on the attacker’s machine, so the C2 traffic leaves the victim’s network as ordinary outbound traffic to a well-known domain rather than tripping firewall and network defences. It also uses PowerShell scripts and tools like WinSCP to transfer data to remote locations. The exfiltrated data is often sent to an FTP server or transmitted via email attachments, making it easy for the attacker to retrieve sensitive information from the victim. Additionally, newer variants of VenomRAT use Pastebin to receive commands and download additional payloads, which lets the malware maintain communication with the attacker while avoiding detection.
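A defender-side way to turn the behaviours described in the Delivery, Payload, Persistence and Exfiltration sections above into detection logic is to run a handful of rules over host and DNS telemetry and require several of them to fire on the same host before raising a verdict. The Python below is an added example, not code from the original page or from any tool it mentions. Only the indicators themselves (Excel launching a file from AppData, the “ijii.exe” drop location, the “Venom” administrator account, RDP and firewall changes, Defender exclusions, the “$77” prefix, ngrok.io and Pastebin) come from the page; the event schema, field names, sample events and the three-rule threshold are constructed stand-ins for Windows Security, Sysmon and DNS logs as they might land in a SIEM.

```python
"""Rule-based triage of constructed host/DNS telemetry for VenomRAT behaviours.

Added example, not from the original page. Event types, field names, sample
events and thresholds are assumptions made for this demonstration.
"""
import re
from collections import defaultdict

# Office parents that should never launch executables out of a user profile.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Hosting/tunnelling services the write-up names as C2 or staging infrastructure.
C2_SERVICE_SUFFIXES = ("ngrok.io", "pastebin.com")
RDP_KEY = r"hklm\system\currentcontrolset\control\terminal server"


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_office_child_from_appdata(e):
    """Excel (or another Office app) launching an executable from AppData."""
    if e["type"] != "process_create":
        return None
    if _basename(e["parent_image"]) in OFFICE_PARENTS and APPDATA_RE.search(e["image"]):
        return f"{_basename(e['parent_image'])} spawned {e['image']}"
    return None


def rule_venom_admin_account(e):
    """4720/4732-style events: account 'Venom' created, or any account added to Administrators."""
    if e["type"] == "user_create" and e["account"].lower() == "venom":
        return f"local account created: {e['account']}"
    if e["type"] == "group_add" and e["group"].lower() == "administrators":
        return f"{e['account']} added to Administrators"
    return None


def rule_rdp_enabled(e):
    """fDenyTSConnections flipped to 0 enables Remote Desktop."""
    if (e["type"] == "registry_set" and e["key"].lower() == RDP_KEY
            and e["value_name"].lower() == "fdenytsconnections" and e["data"] == 0):
        return "RDP enabled via fDenyTSConnections=0"
    return None


def rule_rdp_firewall_opened(e):
    """An inbound allow rule for TCP 3389 added to the Windows firewall."""
    if (e["type"] == "firewall_rule" and e["action"] == "allow"
            and e["direction"] == "in" and e["port"] == 3389):
        return f"inbound firewall rule for RDP: {e['name']}"
    return None


def rule_defender_exclusion(e):
    """Defender exclusion (event 5007 carries these) for a user-profile path."""
    if e["type"] == "defender_exclusion" and APPDATA_RE.search(e["path"]):
        return f"Defender exclusion for user-profile path: {e['path']}"
    return None


def rule_r77_prefix(e):
    """r77 hides anything whose name starts with $77; catch it at creation time."""
    if e["type"] in ("file_create", "process_create"):
        name = _basename(e.get("image") or e.get("path", ""))
        if name.startswith("$77"):
            return f"r77-style $77 prefix: {name}"
    return None


def rule_c2_service_lookup(e):
    """DNS lookup of a tunnelling or paste service used for C2 and staging."""
    if e["type"] == "dns_query":
        q = e["query"].lower().rstrip(".")
        for suffix in C2_SERVICE_SUFFIXES:
            if q == suffix or q.endswith("." + suffix):
                return f"lookup of tunnelling/paste service: {q}"
    return None


RULES = [rule_office_child_from_appdata, rule_venom_admin_account, rule_rdp_enabled,
         rule_rdp_firewall_opened, rule_defender_exclusion, rule_r77_prefix,
         rule_c2_service_lookup]


def triage(events):
    """Return {rule_name: [detail, ...]} for every rule that fired on the host's events."""
    hits = defaultdict(list)
    for e in events:
        for rule in RULES:
            detail = rule(e)
            if detail:
                hits[rule.__name__].append(detail)
    return dict(hits)


def verdict(hits, min_rules=3):
    """Several independent behaviours on one host is far stronger than any single one."""
    return "likely VenomRAT infection chain" if len(hits) >= min_rules else "inconclusive"


# Constructed sample telemetry (not real logs) following the chain described above.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Users\alice\AppData\Roaming\ijii.exe"},
    {"type": "user_create", "account": "Venom"},
    {"type": "group_add", "account": "Venom", "group": "Administrators"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value_name": "fDenyTSConnections", "data": 0},
    {"type": "firewall_rule", "name": "Remote Desktop", "action": "allow",
     "direction": "in", "port": 3389},
    {"type": "defender_exclusion", "path": r"C:\Users\alice\AppData\Roaming"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\$77svc.exe"},
    {"type": "dns_query", "query": "a1b2c3d4.ngrok.io"},
    {"type": "dns_query", "query": "www.microsoft.com"},   # benign, must not fire
]

if __name__ == "__main__":
    findings = triage(SAMPLE_EVENTS)
    for name, details in findings.items():
        print(name, "->", details)
    print(verdict(findings))
```

Two caveats a practitioner should keep in mind. Because r77 hooks user-mode APIs, a “$77”-prefixed file or process is usually invisible to a live query on the infected host, so the rule keys on the creation event that telemetry recorded before the hook took effect (or on an offline image), not on enumerating the file system afterwards. Lookups of ngrok.io and pastebin.com are routine in many environments and the account name can be changed by an operator, so those rules are scored together with the others rather than alerting on their own.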
Encryption and Impact
Some variants of VenomRAT also incorporate a cryptolocker functionality, which encrypts files on the infected system and appends the “.Venom” extension. The encryption is typically done using AES and RSA algorithms, and victims are often presented with a ransom note demanding payment in cryptocurrency to decrypt their files. This feature adds another layer of impact, making VenomRAT not only a tool for remote control but also a potent threat in terms of data loss and extortion.
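The cryptolocker variant renames every file it encrypts to the “.Venom” extension, which gives defenders a tempo signature: one process renaming many files to that extension within a few seconds is something no legitimate workload does. The Python below is an added example, not code from the page or from any tool it names; it raises an alert per process once a sliding window of renames to “.Venom” crosses a threshold and lists the original paths for restoration. The file-rename events, process ids, timestamps and the threshold and window values are constructed assumptions.

```python
"""Burst detection for files renamed to the .Venom extension.

Added example, not from the original page. Sample events, pids, timestamps and
the threshold/window defaults are constructed for this demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXT = ".venom"   # extension appended by the cryptolocker variant


def detect_encryption_bursts(events, threshold=5, window_seconds=10):
    """Return one alert per process that renamed at least `threshold` files to the
    .Venom extension within any `window_seconds` span, as
    (pid, image, first_rename_ts, renames_in_window)."""
    recent = defaultdict(deque)   # pid -> timestamps of its recent .Venom renames
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] != "file_rename" or not e["new_path"].lower().endswith(RANSOM_EXT):
            continue
        q = recent[e["pid"]]
        q.append(e["ts"])
        # Drop renames that fell out of the window (the newest entry always stays).
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and e["pid"] not in alerted:
            alerted.add(e["pid"])
            alerts.append((e["pid"], e["image"], q[0], len(q)))
    return alerts


def affected_files(events, pid):
    """Original paths renamed to .Venom by `pid`, i.e. the restore list for that host."""
    return [e["old_path"] for e in sorted(events, key=lambda ev: ev["ts"])
            if e["type"] == "file_rename" and e["pid"] == pid
            and e["new_path"].lower().endswith(RANSOM_EXT)]


# Constructed sample telemetry (not real logs): one process rewriting a Documents
# folder at speed, plus a user renaming a single file by hand in Explorer.
BASE_TS = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_RENAMES = [
    {"type": "file_rename", "ts": BASE_TS + timedelta(milliseconds=400 * i), "pid": 4242,
     "image": r"C:\Users\alice\AppData\Roaming\ijii.exe",
     "old_path": rf"C:\Users\alice\Documents\report{i}.docx",
     "new_path": rf"C:\Users\alice\Documents\report{i}.docx.Venom"}
    for i in range(8)
] + [
    {"type": "file_rename", "ts": BASE_TS + timedelta(seconds=1), "pid": 1000,
     "image": r"C:\Windows\explorer.exe",
     "old_path": r"C:\Users\alice\Desktop\old.txt",
     "new_path": r"C:\Users\alice\Desktop\old.txt.Venom"},
    {"type": "file_rename", "ts": BASE_TS + timedelta(seconds=2), "pid": 4242,
     "image": r"C:\Users\alice\AppData\Roaming\ijii.exe",
     "old_path": r"C:\Users\alice\Desktop\notes.txt",
     "new_path": r"C:\Users\alice\Desktop\notes.bak"},   # not .Venom, ignored
]

if __name__ == "__main__":
    for pid, image, first_ts, n in detect_encryption_bursts(SAMPLE_RENAMES):
        print(f"pid {pid} ({image}) renamed {n} files to .Venom starting {first_ts.time()}")
        print("restore list:", affected_files(SAMPLE_RENAMES, pid))
```

Because the variant uses AES for the files and RSA to protect the per-victim key, the data cannot be recovered without the attacker’s private key, so the value of this detection is in killing the process early and in scoping restoration from backup; the single Explorer rename is deliberately below the threshold so a user who renames one file by hand does not trigger a response.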
Conclusion
VenomRAT represents a sophisticated threat that combines multiple attack techniques to gain, maintain, and escalate access to infected systems. Through its use of phishing, obfuscation, credential theft, rootkits, and encryption, it provides attackers with powerful capabilities for long-term control and data exfiltration. Its persistence mechanisms and use of obfuscation make it difficult to detect and remove, making it a significant concern for organizations and individuals alike. As cyber threats continue to evolve, understanding the inner workings of malware like VenomRAT is crucial for developing effective defense strategies and mitigating the risk of such attacks.
MITRE Tactics and Techniques
1. Initial Access
Phishing (T1566): VenomRAT is primarily distributed through spam emails containing malicious attachments, typically disguised as Excel files. These emails lure victims into enabling macros, which triggers the infection chain.
Exploitation of Vulnerability (T1203): While not specifically targeting a vulnerability in Microsoft Office, the use of malicious macros takes advantage of user behavior (enabling macros) to run the payload.
2. Execution
User Execution (T1204): The malware relies on the user executing a malicious file, often an Excel document, that contains the malicious VBA macro. Once the user enables macros, the malware is executed.
Scripting (T1059): VenomRAT uses PowerShell scripts for further malicious actions, such as downloading additional payloads and exfiltrating data.
3. Persistence
Registry Run Keys / Startup Folder (T1547.001): VenomRAT modifies the registry to create persistence, particularly with its manipulation of the RDP settings, ensuring continued access to the system even after a reboot.
Create or Modify System Process (T1543): The malware installs and configures backdoors and rootkits to maintain persistence. It also installs the r77 rootkit and modifies AppInit_DLLs to ensure the backdoor is always active.
4. Privilege Escalation
Bypass User Account Control (T1088): Some variants of VenomRAT include a tool that bypasses User Account Control (UAC), elevating the privileges of the malware to run with higher system permissions.
Exploitation for Privilege Escalation (T1068): By bypassing UAC and manipulating system settings, the malware gains elevated privileges for further exploitation, including the installation of malicious drivers and other tools.
5. Credential Access
Credential Dumping (T1003): VenomRAT includes the Velos Stealer module, which collects login credentials from browsers, FileZilla connection logs, and other sources. This information is then exfiltrated to the attacker.
Brute Force (T1110): While not directly stated in the technical details, the malware’s manipulation of RDP settings and creation of an administrative user account with known credentials suggests that it could use brute force or credential stuffing techniques to gain further access.
6. Defense Evasion
Obfuscated Files or Information (T1027): The entire VenomRAT payload, including the VBA macro and the .NET application, is heavily obfuscated to avoid detection by security tools; tools like Eazfuscator.NET are used to make reverse engineering difficult.
Rootkit (T1014): The use of the r77 rootkit enables VenomRAT to hide files, processes, and other traces of its presence, making it harder for security tools and system administrators to detect the malware.
7. Collection
Data from Local System (T1005): VenomRAT collects various sensitive data from the victim’s local system, such as saved passwords, desktop files, and browser data, which is then exfiltrated.
Clipboard Data (T1115): While not explicitly mentioned, VenomRAT could theoretically capture clipboard data if used in a way that involves sensitive information like passwords or cryptocurrency wallet addresses.
8. Exfiltration
Exfiltration Over Command and Control Channel (T1041): VenomRAT uses PowerShell scripts and other methods, such as WinSCP, to exfiltrate data over a remote connection.
Exfiltration Over Alternative Protocol (T1048): The malware uses ngrok.io for tunneling, which helps the attacker exfiltrate data while maintaining a low profile and bypassing traditional network security measures.
9. Impact
Data Encrypted for Impact (T1486): VenomRAT has versions that include a cryptolocker functionality. It encrypts files on the infected machine and appends the “.Venom” extension, demanding a cryptocurrency ransom for decryption.
Network Denial of Service (T1498): While primarily focused on exfiltration and credential theft, the manipulation of network settings (e.g., disabling firewall rules, enabling RDP) could also be leveraged to disrupt normal operations.