Exposing the Covert Threat: RATs and the VenomRAT Deception

Background

In the ever-evolving landscape of cybersecurity threats, Remote Access Trojans (RATs) stand out as a particularly insidious form of malware. RATs are a type of malware designed to infiltrate and compromise target systems while maintaining covert, remote control. RATs are typically delivered through social engineering tactics, email attachments, infected downloads, or exploiting software vulnerabilities. Once activated, RATs establish a hidden connection between the attacker’s command-and-control server and the compromised device. Understanding what RATs are, how they operate, and their use in cyberattacks, will help organizations develop strategies to defend against these stealthy adversaries.

Introduction

On August 17, 2023, the Zero Day Initiative, an arm of Trend Micro, revealed a severe Remote Code Execution (RCE) vulnerability, denoted as CVE-2023-4047, impacting the widely used WinRAR software. This security flaw allowed malicious actors to execute unauthorized code on systems running WinRAR. This report delves into an incident centering on the creation and dissemination of a deceitful Proof of Concept (PoC) in response to a recently unveiled RCE vulnerability in WinRAR. It sheds light on the actions of the threat actor, the development of the counterfeit PoC, and investigates potential motivations behind this deceptive act.

Shortly after the public disclosure of the CVE-2023-40477 WinRAR vulnerability, an opportunistic actor, known as “whalersplonk,” swiftly produced a deceptive Proof of Concept (PoC) on GitHub. This counterfeit PoC was intended to exploit CVE-2023-40477 but led to the installation of VenomRAT through an infection chain. The fake PoC was based on existing code for a SQL injection vulnerability in GeoServer (CVE-2023-25157), lending credibility to the attacker’s misleading GitHub repository. The script, named “poc.py,” incorporated malicious code that was executed successfully, albeit with an eventual exception. Instead of exploiting WinRAR, as claimed, it initiated a chain of events culminating in VenomRAT installation.

This incident did not seem directed at security researchers but rather appeared to be an opportunistic endeavor, potentially targeting other malicious actors exploring new vulnerabilities. The timeline suggests that the threat actor developed infrastructure and payloads independently from the fake PoC. The counterfeit PoC, a Python script labeled “poc.py,” was initially uploaded as “CVE-2023-40477-main.zip” on VirusTotal but failed to execute correctly due to code removal. It triggered an infection chain designed to download and run a batch script, leading to VenomRAT payload installation.

The actor’s GitHub repository employed social engineering tactics. A “README.md” file aimed to deceive users into compromising their systems, offering a summary of CVE-2023-40477, instructions for “poc.py,” and a video hosted on “streamable.com”. Analysis of the video’s metadata revealed over 100 views, displaying the actor’s desktop, including a task manager showing “Windows.Gaming.Preview,” consistent with VenomRAT. The VenomRAT variant configuration outlined its communication with a command and control (C2) server, incorporating a keylogger function and communication for receiving commands.

Analysis of VenomRAT Malware

This malicious software, VenomRat or Venom Software, is a RAT readily available for purchase in both dark web forums and websites accessible through a straightforward Google search. Its pricing structure varies from $550 to $75, making it a relatively accessible tool for cybercriminals. This malicious softwarre is versatile in its targeting, as it can infiltrate systems running Windows XP, 7, 8, 8.1, and 10 operating systems. In line with the typical functionalities of RATs, VenomRat endows criminal hackers with direct access to compromised systems. Notably, VenomRat exhibits the following capabilities:

1. Exfiltration:

• Extraction of files in formats such as .doc, .docx, .txt, and .log.
• Theft of cryptocurrency wallets.
• Harvesting browser data, encompassing automatic form completions, browser cookies, credit card details, account credentials, and FileZilla FTP data.
• Keylogging to record keystrokes.

2. Obfuscation:

• Concealing its presence in the Windows Task Manager.

3. Video Recording:

• Enabling video recording through the infected device’s webcam.

4. Execution and Installation:

• Facilitating the installation and execution of additional software.

This multifaceted toolkit ultimately exposes the victim and the network in which the compromised device resides to potential ransomware attacks that could encrypt an entire corporate network, posing a grave threat to the organization’s data and security.

Mitigation

Preventing and mitigating RAT attacks requires a multi-layered security approach:

1. Anti-Malware Solutions: Employ robust antivirus and anti-malware software to detect and remove RATs before they can cause damage.

2. User Education: Train employees and users to recognize phishing attempts and practice safe online behavior.

3. Patch Management: Regularly update software and operating systems to eliminate vulnerabilities that RATs might exploit.

4. Network Segmentation: Segregate sensitive systems and data to limit lateral movement for attackers.

5. Firewalls and Intrusion Detection Systems (IDS): Utilize these security measures to monitor network traffic for suspicious activities and block unauthorized access.

6. Access Controls: Implement strong authentication methods and least privilege access to reduce the impact of a successful RAT infection.

7. Anomaly Detection: Use behavioral analysis tools to identify unusual activities that could indicate a RAT’s presence.

8. Incident Response Plan: Develop a comprehensive incident response strategy to swiftly detect, contain, and recover from RAT attacks.

Conclusion

The incident following the disclosure of the WinRAR vulnerability (CVE-2023-4047) involved an opportunistic attacker distributing a deceptive Proof of Concept (PoC) on GitHub to exploit the vulnerability. This underscores the critical need to verify PoC authenticity and the ongoing necessity for unwavering cybersecurity vigilance against malicious actors. VenomRAT poses a significant threat to individuals, businesses, and government entities due to its elusive nature and extensive capabilities, making it a favored tool for cybercriminals and state-linked actors. Effective defense against VenomRAT requires a proactive and comprehensive cybersecurity approach, including technical defenses, user education, and robust incident response planning.

__________________________________________________________________________ 

CRITICALSTART® offers a pioneering solution to modern organizational challenges in aligning cyber protection with risk appetite through its Cyber Operations Risk & Response™ platform, award-winning Managed Detection and Response (MDR) services, and a dedicated human-led risk and security team. By providing continuous monitoring, mitigation, maturity assessments, and comprehensive threat intelligence research, they enable businesses to proactively protect critical assets with measurable ROI. Critical Start’s comprehensive approach allows organizations to achieve the highest level of cyber risk reduction for every dollar invested, aligning with their desired levels of risk tolerance.

References

1. https://www.helpnetsecurity.com/2023/09/21/fake-winrar-poc/

2. https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/?web_view=true

3. https://www.swascan.com/venomrat-malware-analysis-remote-access-trojan/