Trojan.MSIL.REVENGERAT.BA

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %Application Data%\Microsoft\Windows\Templates\svchost.zip → Deleted afterwards
• %Application Data%\Microsoft\Windows\Templates\explorer.zip → Deleted afterwards

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops and executes the following files:

• %User Temp%\Setup.exe → HIDDEN attribute
• {Malware Path}\smtp-verifier .exe → HIDDEN attribute
• %Application Data%\Microsoft\Windows\Templates\svchost.exe → HIDDEN attribute; Extracted file from svchost.zip
• %Application Data%\Microsoft\Windows\Templates\explorer.exe → HIDDEN attribute; Extracted file from explorer.zip; detected as Backdoor.MSIL.REVENGERAT.BB

It adds the following processes:

• "%User Temp%\Setup.exe"
• "{Malware Path}\smtp-verifier .exe"
• "%Application Data%\Microsoft\Windows\Templates\svchost.exe"
• "%Application Data%\Microsoft\Windows\Templates\explorer.exe"

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Corporation Security = %Application Data%\Microsoft\Windows\Templates\svchost.exe

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• https://{BLOCKED}heap.blogspot.com/
• If C2 above is inaccessible, it connects to the following URL to get another C2:
  • http://{BLOCKED}host.thedreamsop.com/2023/explorer.txt

It saves the files it downloads using the following names:

• It scans for the following tags "" from the C2 content, decodes, and saves the file:
  • %Application Data%\Microsoft\Windows\Templates\explorer.zip

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Trojan does the following:

• It masquerades as an smtp-validator tool.
• The executed file "{Malware Path}\smtp-verifier .exe" displays the following GUI:
  
• The contents of the zip files (svchost.zip and explorer.zip) are extracted using hardcoded passwords.