Revenge RAT is a freely available remote access tool written in .NET (C#).[1][2]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1123 | Audio Capture |
Revenge RAT has a plugin for microphone interception.[1][2] |
|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Revenge RAT creates a Registry key at |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Revenge RAT uses the PowerShell command |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.[2] |
||
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Revenge RAT uses Base64 to encode information sent to the C2 server.[1] |
Enterprise | T1202 | Indirect Command Execution |
Revenge RAT uses the Forfiles utility to execute commands on the system.[2] |
|
Enterprise | T1105 | Ingress Tool Transfer |
Revenge RAT has the ability to upload and download files.[1] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging |
Revenge RAT has a plugin for keylogging.[1][2] |
Enterprise | T1003 | OS Credential Dumping |
Revenge RAT has a plugin for credential harvesting.[1] |
|
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Revenge RAT has a plugin to perform RDP access.[1] |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Revenge RAT schedules tasks to run malicious scripts at different intervals.[2] |
Enterprise | T1113 | Screen Capture |
Revenge RAT has a plugin for screen capture.[1] |
|
Enterprise | T1218 | .005 | Signed Binary Proxy Execution: Mshta |
Revenge RAT uses mshta.exe to run malicious scripts on the system.[2] |
Enterprise | T1082 | System Information Discovery |
Revenge RAT collects the CPU information, OS information, and system language.[1] |
|
Enterprise | T1016 | System Network Configuration Discovery |
Revenge RAT collects the IP address and MAC address from the system.[1] |
|
Enterprise | T1033 | System Owner/User Discovery |
Revenge RAT gathers the username from the system.[1] |
|
Enterprise | T1125 | Video Capture |
Revenge RAT has the ability to access the webcam.[1][2] |
|
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
Revenge RAT used blogpost.com as its primary command and control server during a campaign.[2] |
ID | Name | References |
---|---|---|
G0089 | The White Company |