Executive Summary
- CloudSEK's flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum advertising VenomRAT.
- VenomRAT is a remote access tool first seen in 2020; threat actors use it to control infected systems remotely.
| Field | Value |
| --- | --- |
| Category | Adversary Intelligence |
| Affected Industries | Multiple |
| Affected Region | Global |
| Source* | C2 |
| TLP# | Green |
| Reference | *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability  #https://en.wikipedia.org/wiki/Traffic_Light_Protocol |
Analysis and Attribution
Information from the Post
The threat actor has listed two versions of the RAT; the second version additionally includes HVNC (Hidden Virtual Network Computing). Features of the RAT include:
- Connect with the system remotely.
- Get the system information
- Remote Shell
- TCP Connection
- Reverse Proxy
- Registry Editor
- UAC (User Account Control) Exploit
- Disable WD (Windows Defender)
- Format All Drivers
- Change client name
- Enable install
- Anti kill
- Hide file
- Hide folder
- Persist on the system as startup / persistence
- Change registry name
- Encrypted connection
- Enable keylogger Offline/Online
- HVNC features (the HVNC build includes all the features of VenomRAT above, plus):
  - HVNC Clone Profile
  - Hidden Desktop
  - Hidden Browsers
  - Support WebGL
  - Hidden Chrome, Firefox, Edge, Brave
  - Hidden Explorer
  - Hidden Powershell
  - Hidden Startup
  - Reverse Connection
  - Remote Download + Execute
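The advert lists startup persistence, hidden files and "Disable WD" as selling points. The following read-only hunt script is an added example written for this advisory (it is not from the forum post or from CloudSEK); it assumes a Windows host with the Defender PowerShell module, an elevated prompt, and the standard Run-key and Startup-folder locations, and it flags autorun entries whose target is a hidden file or lives in a user-writable path, then reports whether Defender looks tampered with.

```powershell
# Added example, not part of the original advisory. Read-only: it only enumerates and reports.
# Assumes standard Windows autorun locations and the Defender module (Get-MpComputerStatus).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
$hiddenFlag = [IO.FileAttributes]::Hidden

function Test-HiddenFile([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    return ((Get-Item -LiteralPath $Path -Force).Attributes -band $hiddenFlag) -ne 0
}

function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # provider metadata, not an autorun value
            $cmd = [string]$p.Value
            # Executable is either the quoted first argument or the first whitespace-delimited token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $hidden = Test-HiddenFile $exe
            $writable = $exe -match '\\(AppData|Temp|ProgramData|Users\\Public)\\'
            if ($hidden -or $writable) {
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $cmd
                                   HiddenFile = $hidden; UserWritablePath = $writable }
            }
        }
    }
    foreach ($dir in $startupDirs) {                         # Startup folders are user-writable by design
        Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName
                               HiddenFile = (($_.Attributes -band $hiddenFlag) -ne 0); UserWritablePath = $true }
        }
    }
}

function Get-DefenderTamperSigns {
    $status = Get-MpComputerStatus
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    [pscustomobject]@{ RealTimeProtection = $status.RealTimeProtectionEnabled; AntivirusEnabled = $status.AntivirusEnabled
                       TamperProtected = $status.IsTamperProtected; DisableAntiSpywarePolicy = [bool]$policy.DisableAntiSpyware }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
Get-DefenderTamperSigns
```

A legitimate installer can also drop autoruns under AppData, so treat hits as leads to triage (hash, signer, parent process), not as verdicts.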
Source Rating
- The threat actor joined the forum in October 2021 and holds a forum deposit of 0.010092 BTC.
- The main activity of the threat actor is related to advertising for VenomRAT.
- The reliability of the actor can be rated Fairly reliable (C).
- The credibility of the advertisement can be rated Probably true (2).
- This gives an overall source credibility of C2.
Impact & Mitigation
| Impact | Mitigation |
| --- | --- |