RAT capable of stealing Credit Card Information
A RAT (Remote Access Trojan) is a tool used by Threat Actors (TAs) to gain full, remote control of a victim's machine: mouse and keyboard control, file access, access to network resources, and so on.
Cyble Research and Intelligence Labs (CRIL) actively monitors such RATs and publishes on them as they emerge. Recently, CRIL came across a newer version of the popular malicious remote administration software Venom RAT.
The newest version of Venom RAT adds a stealer module that collects sensitive information and exfiltrates it from the victim's machine to the C&C server. Older versions already offered remote access, HVNC (Hidden Virtual Network Computing, i.e. controlling the victim's desktop without their knowledge), a keylogger, etc. The image below shows the homepage of the Venom RAT site.
The TA sells Venom RAT under the plans shown in the figure below.
The TA also offers VPS (Virtual Private Server) hosting as a "bulletproof" service, with the features listed in the figure below.
Old Version of Venom RAT and Its Features:
The old version of Venom RAT already has various features, including HVNC, which lets TAs access the infected system and perform the following actions on the victim's machine:
- Creating hidden Desktop
- Creating hidden Startup
- Launching hidden Explorer and PowerShell
- Launching hidden browsers such as Chrome, Firefox, Edge, Internet Explorer, Pale Moon and Waterfox
The malware also supports the following REMOTE SYSTEM features on the victim's system:
- Remote Keylogger
- Collecting system information
- Controlling File manager, Task manager, and Registry editor
- Executing remote Shell commands
- Monitoring TCP connection
- Reverse proxying through the victim and bypassing UAC
- Disabling Windows Defender
- Utilizing the system’s Microphone to record
- Downloading and executing files into disk/memory
- Using an active scheduler to achieve multitasking
Additionally, Venom RAT has the following REMOTE FUN capabilities on the victim's machine:
- Switch On/Off the system monitor
- Show/Hide Taskbar, start button, explorer, clock, tray & mouse pointer
- Enable/Disable the task manager & registry editor
- Disable UAC (User Account Control), etc.
The RAT also supports anti-kill (preventing termination of the RAT client), mutex creation, a start-up entry for persistence, changing the client's icon and name, and an encrypted connection to its Command and Control (C&C) server.
New Features of Venom RAT
The latest version of Venom RAT adds a stealer module that collects victims' sensitive information, such as passwords, history, autofill data, bookmarks, and cookies, from various browsers and exfiltrates it to the TA's C&C server.
The image below shows the new features added in the latest version of Venom RAT.
Technical Details
We took the sample with SHA256 4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7 for our analysis. It is a 32-bit executable compiled with the Microsoft Visual C/C++ compiler, as shown below.
Upon execution, "newFile.exe" drops a copy of itself in the root of the %appdata% folder under the name "svchost.exe", masquerading as the legitimate Windows Service Host. The real svchost.exe runs only from %SystemRoot%\System32 (or SysWOW64), so an svchost.exe under a user profile is a strong indicator on its own.
The malware then creates a Task Scheduler entry for the dropped file to establish persistence, using the following command line. The task runs the malware every time a user logs on, and "/rl highest" requests the highest privileges available to that user:
- schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\<Admin>\AppData\Roaming\svchost.exe"'
After creating the task, the malware drops and runs a BAT file named "tmp61C0.tmp.bat" in the %temp% folder. The batch file launches the dropped "svchost.exe" and then deletes itself.
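The dropper behaviour above (a "svchost.exe" in %appdata% plus an onlogon task that points at it) is easy to hunt for in process-creation telemetry. The following is an added example written for this page, not code from the report or from Venom RAT. It runs over a few constructed Sysmon Event ID 1-style records (the "image" and "cmdline" fields are assumed names for this example) and flags two things: a "schtasks /create" that schedules a user-writable path to run at logon, and any process named svchost.exe whose image is not under System32 or SysWOW64.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in Sysmon Event ID 1 (process creation) style.
# These are illustrative records for this example, not log lines from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc onlogon /rl highest /tn "svchost" '
                r'/tr "C:\Users\alice\AppData\Roaming\svchost.exe"'},
    {"image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Path fragments a normal user can write to; a logon task pointing here is suspicious.
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local", r"\windows\temp", r"\users\public")

SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
# /tr value may be bare, "quoted", or '"quoted twice"' as in the dropper's command line.
TR_RE = re.compile(r"/tr\s+(?:'?\"([^\"]+)\"'?|(\S+))", re.I)
SC_RE = re.compile(r"/sc\s+(\w+)", re.I)
RL_RE = re.compile(r"/rl\s+(\w+)", re.I)
TN_RE = re.compile(r"/tn\s+\"?([^\"\s]+)\"?", re.I)


def _field(pattern, cmdline):
    m = pattern.search(cmdline)
    return m.group(1) if m else ""


def parse_schtasks(cmdline):
    """Extract name, schedule, run level and target from a 'schtasks /create' line, else None."""
    if not SCHTASKS_RE.search(cmdline):
        return None
    tr = TR_RE.search(cmdline)
    target = (tr.group(1) or tr.group(2)) if tr else ""
    return {
        "name": _field(TN_RE, cmdline),
        "schedule": _field(SC_RE, cmdline).lower(),
        "runlevel": _field(RL_RE, cmdline).lower(),
        "target": target,
    }


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def svchost_outside_system_dir(image):
    """True when a process named svchost.exe runs from anywhere but the Windows system dirs."""
    if PureWindowsPath(image).name.lower() != "svchost.exe":
        return False
    return not image.lower().startswith(SYSTEM_DIRS)


def analyse(events):
    """Return a list of (severity, message) findings for the given process events."""
    findings = []
    for ev in events:
        task = parse_schtasks(ev["cmdline"])
        if task and task["schedule"] == "onlogon" and in_user_writable(task["target"]):
            sev = "high" if task["runlevel"] == "highest" else "medium"
            findings.append((sev, f"logon task '{task['name']}' runs {task['target']}"))
        if svchost_outside_system_dir(ev["image"]):
            findings.append(("high", f"svchost.exe running from {ev['image']}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The legitimate "Backup" task is ignored because its target lives under Program Files and it is not a logon trigger; both Venom-style events are reported as high severity. In production the same checks would be expressed as a SIEM/EDR rule over the schtasks command line and the process image path rather than as a script.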
Upon execution, "svchost.exe" decrypts and loads a new module named "client.exe" in memory; this is a .NET-compiled Venom RAT executable.
The malware then loads further Venom RAT .NET modules (Recovery, Keylogger, SendMemory, and Extra) into the same process memory to carry out its stealing and keylogging activities. Because these modules are decrypted and loaded in memory rather than run from separate files on disk, detection relies on memory scanning or .NET assembly-load telemetry rather than on the dropped svchost.exe alone.
Recovery (Stealer) Module
The Recovery module is responsible for Venom RAT's stealing activities. It collects users' sensitive information (passwords, cookies, downloads, bookmarks, history, and autofill details) from browsers and exfiltrates the stolen data to the C&C server. Venom RAT can steal information from more than 20 browsers, including 360 Browser, Chromium, Opera, Comodo Dragon, 7Star, etc. The figure below shows the code the RAT uses to collect browser data.
The malware calls functions such as DetectBankingServices(), DetectPornServices(), and DetectCryptocurrencyServices() to extract domain names in the banking, porn, and cryptocurrency categories, as shown in Figure 7.
To do so, the malware searches the bookmarks, cookies, downloads, and history files for keywords related to cryptocurrencies, banks, and porn, and extracts the domain name whenever a keyword matches.
The figure below shows the targeted keywords of Venom RAT to steal information from the victim’s machine.
Venom RAT also steals credit card information (cardholder name, card number, and expiry month and year) from the victim's system. It uses regular expressions to classify the card brand (Amex, Maestro, Mastercard, Visa, etc.), as shown below.
After collecting the information, Venom RAT serialises it as JSON and sends it to the C&C server. The figure below shows the code that writes the collected data as JSON.
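The two selection steps described above, keyword matching on visited domains and brand classification of card numbers by regular expression, are the same checks a defender would run over a victim's exported browser data to judge what was exposed, or would build into a DLP rule. The following is an added example written for this page, not the RAT's code or the report's. The category keyword lists and the brand patterns are assumptions (the report shows the real ones only as screenshots; the patterns here are the public IIN/length rules), and the history URLs and autofill records are constructed, using published test card numbers. It also adds a Luhn check, which the regex-only approach lacks: a string can have the right shape for a brand without being a valid card number.

```python
import re
from urllib.parse import urlparse

# ASSUMED keyword lists for the three categories the report names; the RAT's
# actual list is not reproduced here.  Matching is on the hostname, lower-cased.
CATEGORY_KEYWORDS = {
    "banking": ("bank", "paypal", "chase", "hsbc"),
    "cryptocurrency": ("coinbase", "binance", "blockchain", "wallet", "crypto"),
    "porn": ("porn", "xxx"),
}

# Public IIN/length rules per brand, given as an assumption about what the
# RAT's regexes look like.  Order matters only where prefixes could overlap.
CARD_PATTERNS = [
    ("Amex", re.compile(r"^3[47]\d{13}$")),
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("Mastercard", re.compile(r"^(?:5[1-5]\d{14}|2(?:22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)\d{12})$")),
    ("Maestro", re.compile(r"^(?:5018|5020|5038|5893|6304|6759|676[1-3])\d{8,15}$")),
]

# Constructed sample data, not from any real victim.
SAMPLE_HISTORY = [
    "https://online.examplebank.com/login",
    "https://www.coinbase.com/dashboard",
    "https://news.example.org/article/1",
    "https://mail.example.com/inbox",
]
SAMPLE_AUTOFILL = [
    {"name": "cc-number", "value": "4111 1111 1111 1111"},   # Visa test number
    {"name": "cc-number", "value": "5555-5555-5555-4444"},   # Mastercard test number
    {"name": "cc-number", "value": "378282246310005"},       # Amex test number
    {"name": "cc-number", "value": "6759649826438453"},      # Maestro test number
    {"name": "phone", "value": "4111111111111112"},          # Visa shape, fails Luhn
    {"name": "zip", "value": "94105"},
]


def categorise_domains(urls):
    """Map each category to the sorted hostnames whose name contains one of its keywords."""
    hits = {cat: set() for cat in CATEGORY_KEYWORDS}
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        for cat, words in CATEGORY_KEYWORDS.items():
            if any(w in host for w in words):
                hits[cat].add(host)
    return {cat: sorted(hosts) for cat, hosts in hits.items() if hosts}


def luhn_ok(digits):
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_card(number):
    """Brand name if the digits match a brand pattern and pass Luhn, otherwise None."""
    digits = re.sub(r"\D", "", number)
    for brand, pat in CARD_PATTERNS:
        if pat.match(digits):
            return brand if luhn_ok(digits) else None
    return None


def scan_autofill(records):
    """Return (field name, brand, masked number) for every record holding a valid card number."""
    found = []
    for rec in records:
        brand = classify_card(rec["value"])
        if brand:
            digits = re.sub(r"\D", "", rec["value"])
            found.append((rec["name"], brand, "*" * (len(digits) - 4) + digits[-4:]))
    return found


if __name__ == "__main__":
    print(categorise_domains(SAMPLE_HISTORY))
    for name, brand, masked in scan_autofill(SAMPLE_AUTOFILL):
        print(f"{name}: {brand} {masked}")
```

On the constructed input the banking and cryptocurrency hostnames are reported, the four test cards are classified by brand, and the "phone" value is dropped even though it matches the Visa pattern, because its Luhn check fails. A DLP rule that only used the brand regex would fire on it; the stealer, by the same token, would happily exfiltrate it.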
The figure below shows the Venom RAT configuration, which indicates further capabilities such as a clipper (clipboard hijacking) and a grabber.
Conclusion
Venom RAT is an effective piece of malware that operates stealthily, giving attackers unauthorised access to the victim's machine. Threat Actors can then use the compromised computer for various malicious activities, such as installing or removing additional malware, manipulating files, capturing keystrokes, harvesting login credentials, monitoring the clipboard, etc.
TAs constantly update their software and add functionality to make the threat dangerous to a wider set of potential victims. Cyble Research and Intelligence Labs will continue to monitor Venom RAT developments and keep our readers informed.
Our Recommendations
- The initial infection may occur via spam email, so enterprises should use email security controls to detect phishing messages. Users should also refrain from opening untrusted links and email attachments without verifying their authenticity.
- The compiled Venom binary is packed and protected by multiple layers, so a reputable antivirus product is recommended on all connected devices, including PCs and laptops. The security software should have the latest updates so that it can detect malware families such as Venom RAT.
- Avoid downloading files from untrusted sources and block URLs that could spread the malware, e.g., Torrent/Warez.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
- Conduct frequent audits, vulnerability assessments, and penetration tests of organisational assets, including networks and software.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name
--- | --- | ---
Execution | T1204 | User Execution
Execution | T1059 | Command and Scripting Interpreter (PowerShell)
Execution | T1047 | Windows Management Instrumentation
Persistence | T1053 | Scheduled Task/Job
Privilege Escalation | T1055 | Process Injection
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1562 | Impair Defenses (Disable or Modify Tools)
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Credential Access | T1056 | Input Capture
Credential Access | T1003 | OS Credential Dumping
Discovery | T1057 | Process Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1518 | Software Discovery (Security Software Discovery)
Collection | T1005 | Data from Local System
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1105 | Ingress Tool Transfer
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description
--- | --- | ---
0ee108a8e3b9cddad2cceb2648072fe2 | MD5 | Venom Client
fce82d4a7aefd76ed3239fb6f33bbd7b6dce87a9 | SHA1 | Venom Client
4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7 | SHA256 | Venom Client
eeb4af560710c06455f846a1e3eef0de | MD5 | Stealer module (Recovery.dll)
962d9283e6dea114fd616a231418c342cdb58fe8 | SHA1 | Stealer module (Recovery.dll)
1e3ace568ea7584bf49c4e9d32ec3d2a1bb917742052d5fe4b1a0adea7470003 | SHA256 | Stealer module (Recovery.dll)
87ed8187643b180efb068db7309448828e34ba66409ca68e314cf6b53f33401e | SHA256 | Venom Client executable
324caef85ed86998e898ce9490bda9d993751b8275e8190717204f0748fcf906 | SHA256 | Venom Client executable
f988dcade061ebe1e2aaefde01786dde73160492a773b53110089d97acabf8c9 | SHA256 | Venom Client executable
2b27061d029faa995a787e395345c1be65a8864bfb50cbc033672ba71f8f1e12 | SHA256 | Venom Client executable
4fab3185d83d21313798b2e0f92ef20e9efb26c11b5d876e25444fc4c7bd6fff | SHA256 | Venom Client executable
5786cd75c8fc654348208ab679df50edff5494376238c9c17177da0536466ef9 | SHA256 | Venom Client executable
e0d95df680a655ef69e874babf4e075597d612f0476a4742e6f97a1e57b05233 | SHA256 | Venom Client executable
d90a10f61c344d5770f6360129db890eb41c53d296998de17b25d952ad704afd | SHA256 | Venom Client executable
1f99beace5e3a920c5cd65117b382cf2d0055f0cc7ef2601de777e44bc2bdb67 | SHA256 | Venom Client executable
f45d96223b4ef0023b6b223210bd7c83e46bfc05f1e9c24cea34db7574943d30 | SHA256 | Venom Client executable
66c2b9e27a9a971df37c45652896967118daaa38bd2915532c2663d3079a0d92 | SHA256 | Venom Client executable
0631aae7338f8be8a94eae6a9bf9ce8703fe8e1f7e554ec5f7dd98f01bc6c34e | SHA256 | Venom Client executable
2f5a1ae3ab381216697a3bdbaa1dfb936ab25c84091f44ab5ccd5d53234e4dc9 | SHA256 | Venom Client executable
46c8a82cefa9baac090e746071981975113bd0c999b20c2575fdad1105c0c824 | SHA256 | Venom Client executable
1baa58e7594184fc52d2d0442973935931ee353af068924717e24c22b963d8f3 | SHA256 | Venom Client executable
9543e4c5dbf164377c97bca3472be97875a4a9e4c4ef3d9c3607e18f31faf401 | SHA256 | Venom Client executable
a86589aea28ac105a92a5a7e5b01eaced80750409f609ee63655f55b1bc90324 | SHA256 | Venom Client executable
1cca1529cf29ea8c716a674a77af9e2f021ea43228a3b42db0e617ab64c8d226 | SHA256 | Venom Client executable
1e3fe954ee300886d431cca1fcd4d28987953eff5e54d45779c46d181f24dd17 | SHA256 | Venom Client executable
46000c1895c7cdb889d3e155be38600fc1aa4ea4f3f743033fbca49c0b3f1003 | SHA256 | Venom Client executable
Source: https://blog.cyble.com/2022/12/13/venom-rat-expands-its-operations-by-adding-a-stealer-module/