Cyble-Blogs-RAT

Venom RAT expands its operations by adding a Stealer Module 

 RAT capable of stealing Credit Card Information

A RAT (Remote Access Trojan) is a tool used by Threat Actors (TAs) to gain full access and remote control of a victim’s machine, including mouse and keyboard control, file access, network resources access, etc.  

Cyble Research and Intelligence Labs (CRIL) has been actively monitoring such RATs and blogging about them as and when they emerge. Recently, CRIL came across a newer version of the popular malicious remote administration software Venom RAT.  

The newest version of venom RAT has a stealer module that steals sensitive information and exfiltrates the stolen data from the victim’s machine to its C&C server. The older version of the Venom software contains the functionalities such as Remote access, HVNC (Hidden Virtual Network Computing – taking control of a victim’s computer without their knowledge), keylogger, etc. The below image shows the homepage of the Venom RAT site. 

Figure 1 – Homepage of Venom software site 

The TA sells Venom malware with the following plans: 

Figure 2 – Price details of Venom RAT malware 

The TA also provides VPS (Virtual Private Server) servers as a BULLETPROOF service with the features mentioned in the figure below. 

Figure 3 – TAs VPS features 

Old Version of Venom RAT and Its Features: 

The old Version of Venom RAT has various features, including HVNC, allowing TAs to gain access to the infected system and perform the below activities in the victim’s machine. 

  • Creating hidden Desktop 
  • Creating hidden Startup 
  • Launching hidden Explorer and PowerShell 
  • Launching hidden Browsers such as Chrome, Firefox, Edge, Internet Explorer, Pale Moon & Pale Waterfox 

The malware also supports the following REMOTE SYSTEM features on the victim’s system: 

  • Remote Keylogger 
  • Collecting system information 
  • Controlling File manager, Task manager, and Registry editor 
  • Executing remote Shell commands 
  • Monitoring TCP connection 
  • Performing reverse proxy attacks and UAC exploits 
  • Disabling Windows Defender 
  • Utilizing the system’s Microphone to record 
  • Downloading and executing files into disk/memory 
  • Using an active scheduler to achieve multitasking 

Additionally, the Venom RAT has the below REMOTE FUN capabilities in the victim’s machine. 

  • Switch On/Off the system monitor 
  • Show/Hide Taskbar, start button, explorer, clock, tray & mouse pointer 
  • Enable/Disable the task manager & registry editor 
  • Disable UAC (User Access control) etc. 

The RAT can also perform operations such as Anti-kill (prevents termination of the RAT client), creating mutex, start-up entry for persistence, changing the RAT client icon, client name, and encrypted connection with its Command and Control (C&C) server. 

New Features of Venom RAT

The latest version of Venom RAT is updated with stealer module that collects victims’ sensitive information such as passwords, history, autofill, bookmarks, and cookies from various browsers and exfiltrates it to the TA’s C&C server.  

The image below shows the new features added in the latest version of Venom RAT. 

Figure 4 – Features comparison of Old & New versions of Venom RAT  

Technical Details

We have taken the sample hash (SHA256), 4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7, for our analysis. It is a 32-bit executable file compiled with Microsoft visual C/C++ compiler, as shown below.

Figure 5 – Venom RAT static details 

Upon execution of “newFile.exe”, it drops a copy of itself into the root of %appdata% location with the filename “svchost.exe” masquerade as a legitimate file. 

Then, the malware creates a task-scheduler entry for the dropped file to establish persistence by executing the following command line, which runs the malware every time user logs on to the machine. 

  • schtasks  /create /f /sc onlogon /rl highest /tn “svchost” /tr ‘”C:\Users\<Admin>\AppData\Roaming\svchost.exe”‘ 

After creating the task-scheduler entry, the malware drops and runs a BAT file named “tmp61C0.tmp.bat” in the %temp% folder. The BAT file executes the dropped “svchost.exe” and deletes itself.  

Upon execution of “svchost.exe”, it decrypts and loads a new module named “client.exe” in memory which is a .NET-compiled “Venom RAT” executable.  

Then, the malware further loads other venom RAT .NET modules such as Recovery, Keylogger, SendMemory, and Extra in the same memory to perform stealing and keylogging activities. 

Recovery (Stealer) Module

The Recovery module is responsible for Venom RAT’s stealing activities. It steals users’ sensitive information, such as passwords, cookies, downloads, bookmarks, histories, and autofill details from browsers and exfiltrates the stolen data to the C&C server. Venom RAT can steal information from more than 20 browsers, including 360browser, Chromium, Opera, Comodo Dragon, 7Star, etc. The below figure shows the code snippet used by the RAT to steal sensitive browser-related information. 

Figure 6 – Venom RAT Recovery module 

The malware calls functions such as DetectBankingServices(), DetectPornServices(), and DetectCryptocurrencyServices() to fetch domain names related to categories such as banking, porn, and cryptocurrency, as shown in Figure 7. 

Figure 7 – Venom RAT stealer functions 

To fetch domain names, the malware specifically looks for keywords related to cryptocurrencies, banks, and porn from the files such as bookmarks, cookies, downloads, and histories and extracts domain names if the keyword matches.  

The figure below shows the targeted keywords of Venom RAT to steal information from the victim’s machine. 

Figure 8 – Keywords used to detect bank, crypto & pornography related domains 

Venom RAT also steals credit card information such as Cardholder Name, Credit Card Number, Expiry Month & Year from the victim’s system. The Venom RAT uses a regular expression to identify the types of credit cards such as Amex, Maestro, Mastercard, Visa, etc., as shown below. 

Figure 9 – RegEx to identify the credit card type 

After stealing all the information, the Venom RAT writes them into a JSON format and sends it to the C&C server. The figure below shows RAT’s code snippet for writing the collected information into JSON format.  

Figure 10 – Format to write the victims’ stolen information 

The below figure shows the configuration file of the Venom RAT, indicating that the RAT can perform operations such as clipper, grabber, etc.  

Figure 11 – Venom RAT configuration 

Conclusion 

Venom RAT is an effective malware that works stealthily, giving attackers unauthorized access to the victim’s machine. Threat Actors can then use the victim’s computer to perform various malicious activities such as installing and removing additional malware, manipulating files, reading data from the keyboard, harvesting login credentials, monitoring the clipboard, etc.  

TAs are constantly updating their software and adding new functionalities to make the threat hazardous to a wider set of potential victims. Cyble Research and Intelligence Labs will continue to monitor Venom RAT developments and keep our readers aware and informed. 

Our Recommendations 

  • The initial infection may occur via spam email, so enterprises should use email-based security to detect phishing emails. One should also refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • The compiled Venom software binary is packed and protected by multiple layers. Using a reputed antivirus is thus recommended on connected devices, including PCs and laptops. The security software should have the latest security updates to detect malware families such as Venom RAT. 
  • Avoid downloading files from untrusted sources and block URLs that could spread the malware, e.g., Torrent/Warez. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Conduct regular backup practices and keep those backups offline or in a separate network.  
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.  
  • Frequent Audits, Vulnerability Assessments, and Penetration Testing of organizational assets, including network and software. 

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name 
Execution T1204 
T1059 
T1047 
User Execution 
PowerShell 
Windows Management Instrumentation 
Persistence T1053 Scheduled Task/Job 
Privilege Escalation T1055 Process Injection 
Defense Evasion T1036 
T1562 
T1497 
Masquerading 
Disable or Modify Tools 
Virtualization/Sandbox Evasion 
Credential Access T1056 
T1003 
Input Capture 
OS Credential Dumping 
Discovery T1057 
T1082 
T1518 
Process Discovery System
Information Discovery 
Security Software Discovery 
Collection T1005 Data from Local System 
Command and  Control T1071 
T1105 
Application Layer Protocol 
Ingress Tool Transfer 

Indicators of Compromise (IOCs) 

Indicators Indicator  
Type 
Description 
0ee108a8e3b9cddad2cceb2648072fe2 
fce82d4a7aefd76ed3239fb6f33bbd7b6dce87a9 
4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7 
MD5 
SHA1 
Sha256 
Venom Client 
eeb4af560710c06455f846a1e3eef0de 
962d9283e6dea114fd616a231418c342cdb58fe8 
1e3ace568ea7584bf49c4e9d32ec3d2a1bb917742052d5fe4b1a0adea7470003 
MD5 
SHA1 
Sha256 
Stealer module 
(Recovery.dll) 
87ed8187643b180efb068db7309448828e34ba66409ca68e314cf6b53f33401e 
324caef85ed86998e898ce9490bda9d993751b8275e8190717204f0748fcf906 
f988dcade061ebe1e2aaefde01786dde73160492a773b53110089d97acabf8c9 
2b27061d029faa995a787e395345c1be65a8864bfb50cbc033672ba71f8f1e12 
4fab3185d83d21313798b2e0f92ef20e9efb26c11b5d876e25444fc4c7bd6fff 
5786cd75c8fc654348208ab679df50edff5494376238c9c17177da0536466ef9 
e0d95df680a655ef69e874babf4e075597d612f0476a4742e6f97a1e57b05233 
d90a10f61c344d5770f6360129db890eb41c53d296998de17b25d952ad704afd 
1f99beace5e3a920c5cd65117b382cf2d0055f0cc7ef2601de777e44bc2bdb67 
f45d96223b4ef0023b6b223210bd7c83e46bfc05f1e9c24cea34db7574943d30 
66c2b9e27a9a971df37c45652896967118daaa38bd2915532c2663d3079a0d92 
0631aae7338f8be8a94eae6a9bf9ce8703fe8e1f7e554ec5f7dd98f01bc6c34e 
2f5a1ae3ab381216697a3bdbaa1dfb936ab25c84091f44ab5ccd5d53234e4dc9 
46c8a82cefa9baac090e746071981975113bd0c999b20c2575fdad1105c0c824 
1baa58e7594184fc52d2d0442973935931ee353af068924717e24c22b963d8f3 
9543e4c5dbf164377c97bca3472be97875a4a9e4c4ef3d9c3607e18f31faf401 
a86589aea28ac105a92a5a7e5b01eaced80750409f609ee63655f55b1bc90324 
1cca1529cf29ea8c716a674a77af9e2f021ea43228a3b42db0e617ab64c8d226 
1e3fe954ee300886d431cca1fcd4d28987953eff5e54d45779c46d181f24dd17 
46000c1895c7cdb889d3e155be38600fc1aa4ea4f3f743033fbca49c0b3f1003 
Sha256 Venom Client 
executables 

Recent Blogs

Colombia OT Devices Blog

CRIL investigates the evolving threat landscape of hacktivism leading to cyberattacks on Colombian Critical Infrastructure and Zero-day Sales by Hacktivists.

Read More »
Bl00dy Ransomware Targets Indian University

CRIL analyzes Bl00dy Ransomware’s recent targeting of an Indian University via exploitation of the PaperCut vulnerability.

Read More »
PixBankBlog ATS Blog

Cyble analyzes PixBankBot, a new ATS-based malware that targets Brazilian banks through the popular Pix instant payment platform.

Read More »
Scroll to Top