RAT

Trojan

Windows

Credential Stealer

Banking

Spyware

VenomRAT

VenomRAT is advertised as a legitimate Remote Access Tool (RAT), but in practice it is a Remote Access Trojan built for malicious use. It runs on Windows XP through Windows 10 and lets an operator steal credentials, monitor user activity and control infected systems remotely. Its legitimate-looking front makes it easy for users to install by mistake, which makes it a significant security risk.

Key Insights

VenomRAT bundles many features that make it a powerful tool for cybercriminals. It can exfiltrate files in .doc, .docx, .txt and .log formats, and it steals cryptocurrency wallets and browser data, including autofill information, cookies, credit card details and account passwords. It also includes a keylogger that records keystrokes to capture sensitive information.

Distribution

The malware is distributed through phishing emails and malspam campaigns. Attackers use obfuscated macro attachments to evade detection; once the user opens the malicious attachment and allows the macros to run, VenomRAT is dropped. It has also been distributed as fake proof-of-concept exploits on GitHub, tricking users who run the supposed PoC into executing the malware.

Evolution and Development

VenomRAT is a fork of Quasar RAT and has been updated several times. Despite its wide use it is poorly engineered, with hardcoded IP addresses and clumsy use of tunneling tools such as Ngrok. Some variants add built-in encryption and ransomware capabilities, but these are also poorly implemented, which makes detection easier and file recovery more feasible for defenders.

Known Variants

VenomRAT has a few notable variants, such as versions 5.6 and 6.0.3. In version 5.6, a functional Hidden Virtual Network Computing (HVNC) module was added, allowing attackers to remotely control compromised systems more effectively. Version 6.0.3 built on these capabilities, but details about the specific enhancements in this update remain scarce.

Mitigation Strategies

  • Don't download attachments from unknown sources.

  • Update your OS and security software regularly.

  • Be careful with emails that ask you to execute macros.

  • Implement strong email filtering to detect and block phishing.
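The macro-laden attachments described under Distribution are the point where a gateway or an analyst can still intervene. As an added example (not code from the original page and not a VenomRAT artifact), the Python script below inspects an Office attachment before anyone opens it: it recognises an OOXML container, looks for the embedded VBA project part (by file name and by its standard content type, application/vnd.ms-office.vbaProject), and flags the case where a document that carries macros is named with a non-macro extension such as .docx. The sample documents are constructed in memory as minimal stubs; the quarantine policy (block any macro-bearing attachment) is an assumption chosen for the example.

```python
"""Flag Office attachments that carry VBA macros before a user can enable them.

Added example; the sample documents built by _build_ooxml() are constructed
stubs, not real VBA projects.
"""
import io
import os
import zipfile

# Standard OOXML content type of the embedded VBA project part (vbaProject.bin).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that may legitimately carry macros. Macros inside any other
# extension (e.g. .docx) are a mismatch worth flagging on their own.
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def inspect_attachment(name: str, data: bytes) -> dict:
    """Return a verdict dict for one attachment: OOXML? macros present? extension consistent?"""
    verdict = {"name": name, "is_ooxml": False, "has_macros": False, "ext_mismatch": False}
    # OOXML documents are ZIP containers; anything else (legacy .doc, PDF, text) is not handled here.
    if not data.startswith(b"PK\x03\x04"):
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return verdict  # a ZIP, but not an OOXML package
            verdict["is_ooxml"] = True
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Two independent signals: the part itself, and its declared content type.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            verdict["has_macros"] = has_vba_part or VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        return verdict
    ext = os.path.splitext(name)[1].lower()
    verdict["ext_mismatch"] = verdict["has_macros"] and ext not in MACRO_ENABLED_EXT
    return verdict


def should_quarantine(verdict: dict) -> bool:
    """Assumed policy for this example: quarantine every attachment that carries macros."""
    return verdict["has_macros"]


def triage(attachments: dict) -> dict:
    """Map attachment name -> 'quarantine' or 'deliver' for a batch of {name: bytes}."""
    return {
        name: ("quarantine" if should_quarantine(inspect_attachment(name, data)) else "deliver")
        for name, data in attachments.items()
    }


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a (fake) VBA project part."""
    overrides = [
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
        'officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if with_macro:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only; a real vbaProject.bin is an OLE compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "quarterly_report.docx": _build_ooxml(with_macro=False),   # clean document
        "invoice_0423.docm": _build_ooxml(with_macro=True),        # macro-enabled, honestly named
        "invoice_0423.docx": _build_ooxml(with_macro=True),        # macros hidden behind a .docx name
        "readme.txt": b"plain text, not an Office file",
    }
    for name, data in samples.items():
        print(inspect_attachment(name, data))
    print(triage(samples))
```

The extension check matters because Word decides how to treat a file by its contents, not its name, so a macro-bearing package renamed to .docx still prompts to enable content; a gateway that only filters on extension would let it through.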

Targeted Industries or Sectors

VenomRAT has been used in attacks against multiple sectors, especially in Latin America. Industries affected are hospitality, finance, manufacturing, industrial and government sectors. The malware is versatile and can be adapted to any target depending on the attackers' goals.

Associated Threat Actors

The threat actor TA558 has been linked to VenomRAT campaigns. Active since at least 2018, TA558 has been targeting entities in Latin America, using various malware including VenomRAT to breach networks and exfiltrate sensitive data.
