- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising VenomRAT.
- VenomRAT is a remote access tool discovered by 2020, and it is used by threat actors to control the infected systems remotely.
[caption id="attachment_18224" align="aligncenter" width="1090"]
VenomRAT - Threat actor’s post on the cybercrime forum[/caption]
Analysis and Attribution
Information from the Post
The threat actor has listed two versions of the RAT, the second version of the RAT includes HVNC (Hidden Virtual Network Connection).
- Features of the RAT include:
- Connect with the system remotely.
- Get the system information
- Remote Shell
- TCP Connection
- Reverse Proxy
- Registry Editor
- UAC (User Access Control) Exploit
- Disable WD (Windows Defender)
- Format All Drivers
- Change client name
- Enable install
- Anti kill
- Hide file
- Hide folder
- Persist on the system as startup / persistence
- Change registry name
- Encrypted connection
- Enable keylogger Offline/Online
2. VenomRAT with HVNC
- HVNC Features, Included all the features of the Venom RAT
- HVNC Clone Profile
- Hidden Desktop
- Hidden Browsers
- Support WebGL
- Hidden Chrome, Firefox, Edge, Brave
- Hidden Explorer
- Hidden Powershell
- Hidden Startup
- Reverse Connection
- Remote Download+ Execute
This RAT was discovered by 2020, and based on open-source research this RAT is built on top of QuasarRAT which is an open-source legit tool used as a Remote Access Tool.
- The threat actor joined in October 2021 and has a deposit on the forum 0.010092 BTC.
- The main activity of the threat actor is related to advertising for VenomRAT.
- The reliability of the actor can be rated Fairly reliable (C).
- The credibility of the advertisement can be rated Probably true (2).
- Giving overall source credibility of C2.
Impact & Mitigation
- This type of malware gives the attackers the ability to control the victim machine and wreak havoc in the system.
- Avoid downloading suspicious documents from unknown sources.
- Avoid clicking on suspicious links.
- Enable the visibility of files extensions, and have a vigil eye on the file extensions.
- Update the system and all the applications to the latest patches and updates.
- Ensure the usage of MFA.
- Use up-to-date antivirus and anomaly detection tools.
- Use updated EDR solutions that help in monitoring the network.