What Is The Venom RAT? A Detailed Explanation of this remote access tool

Executive Summary

• CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising VenomRAT.
• VenomRAT is a remote access tool discovered by 2020, and it is used by threat actors to control the infected systems remotely.

Analysis and Attribution

Information from the Post

The threat actor has listed two versions of the RAT, the second version of the RAT includes HVNC (Hidden Virtual Network Connection).

1. Features of the RAT include:

• Connect with the system remotely.
• Get the system information  
• Remote Shell 
• TCP Connection
• Reverse Proxy
• Registry Editor 
• UAC (User Access Control) Exploit
• Disable WD (Windows Defender)
• Format All Drivers
• Change client name
• Enable install 
• Anti kill
• Hide file 
• Hide folder 
• Persist on the system as startup / persistence 
• Change registry name 
• Encrypted connection
• Enable keylogger Offline/Online

2. VenomRAT with HVNC

• HVNC Features, Included all the features of the Venom RAT
• HVNC Clone Profile
• Hidden Desktop
• Hidden Browsers
• Support WebGL
• Hidden Chrome, Firefox, Edge, Brave
• Hidden Explorer
• Hidden Powershell
• Hidden Startup
• Reverse Connection
• Remote Download+ Execute

This RAT was discovered by 2020, and based on open-source research this RAT is built on top of QuasarRAT which is an open-source legit tool used as a Remote Access Tool.

Source Rating

• The threat actor joined in October 2021 and has a deposit on the forum 0.010092 BTC.
• The main activity of the threat actor is related to advertising for VenomRAT.

Hence,

• The reliability of the actor can be rated Fairly reliable (C).
• The credibility of the advertisement can be rated Probably true (2).
• Giving overall source credibility of C2.

Impact & Mitigation