A new version of the Venom remote access trojan (RAT) with increased functionality was found by cybersecurity researchers at the Cyble Research and Intelligence Labs (CRIL). The latest version of Venom RAT comes with a stealer module that pilfers sensitive information and transfers the stolen data from the victim’s machine to its C&C server.
RATs allow attackers to gain unauthorized access to a system's network resources and give them remote control of the machine, including its mouse and keyboard. This one also steals credit card details (the name on the card, the card number, and the expiry date), identifying card data by searching for terms such as Amex, Mastercard, and Visa.
The Stealer module of Venom RAT
When launched on a targeted system, Venom RAT steals sensitive information and exfiltrates it to the attacker's command-and-control server. With its clipper and grabber capabilities it reads the Windows clipboard to steal copied data and harvests login credentials. It can also launch additional malware, and it collects the following browser data:
- Password
- History
- Autofill data
- Bookmarks
- Cookies
The sample analysed by Cyble has the SHA256 hash 4672ceafd2e11ff9aa26ecbb9094aed5d1a58e995f2a93ae054f46f6f56591f7.
It is a 32-bit executable compiled with the Microsoft Visual C/C++ compiler, as shown in the figure below:
(Source: CRIL)
Loading the Venom RAT
- newFile.exe executes and drops a file into the root of the %appdata% folder.
- The dropped file is named "svchost.exe" so that it looks like a legitimate Windows binary.
- A task-scheduler entry is created for persistence by running schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\<Admin>\AppData\Roaming\svchost.exe"'. The onlogon trigger makes the malware run every time the victim logs in, and /rl highest runs it with the highest privileges available to that user.
- A batch file named tmp61C0.tmp.bat in the %temp% folder runs svchost.exe and then deletes itself.
- svchost.exe decrypts and loads a new module, client.exe, in memory; this is the .NET-compiled Venom RAT.
- It then loads further modules, including recovery, keylogger, sendmemory, and extra, which extend its stealing capabilities.
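The loading chain above leaves three distinctive traces in process-creation telemetry: a schtasks /create with an onlogon trigger whose action lives in a user-writable directory, cmd.exe running a .bat from a Temp folder, and an svchost.exe image outside the Windows system directories. The following Python is an added example (not code from Cyble or CRIL) of detection heuristics for those traces. The log records are constructed to resemble simplified process-creation events; the field names image, cmdline and parent are assumptions rather than any product's real schema, and the victim path is a made-up value.

```python
"""Detection heuristics for the Venom RAT loading chain described above.

Added example, not code from Cyble/CRIL. The records below are
constructed sample data; the field names are assumptions.
"""
import re

# Constructed sample records (not real telemetry). They mirror the chain in
# the text: a legitimate svchost for contrast, the schtasks onlogon
# persistence command, the .bat launched from %temp%, and the dropped binary.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc onlogon /rl highest /tn "svchost" '
                r'/tr "C:\Users\victim\AppData\Roaming\svchost.exe"',
     "parent": r"C:\Users\victim\Downloads\newFile.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\victim\AppData\Local\Temp\tmp61C0.tmp.bat"',
     "parent": r"C:\Users\victim\Downloads\newFile.exe"},
    {"image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "cmdline": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Directories where a genuine svchost.exe lives (assumed complete for this example).
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directory fragments a normal user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Captures the /tr action whether it is double-quoted, single-quoted
# (as in the command quoted in the article) or bare.
SCHTASKS_TR = re.compile(r"""/tr\s+(?:"([^"]*)"|'([^']*)'|(\S+))""", re.IGNORECASE)


def masquerading_svchost(ev):
    """svchost.exe launched from anywhere but the Windows system directories."""
    image = ev["image"].lower()
    return image.endswith("\\svchost.exe") and not image.startswith(LEGIT_SVCHOST_DIRS)


def onlogon_task_in_user_dir(ev):
    """schtasks /create with an onlogon trigger whose action is in a user-writable path."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return False
    cmdline = ev["cmdline"]
    tokens = [t.lower() for t in cmdline.split()]
    if "/create" not in tokens or "onlogon" not in tokens:
        return False
    match = SCHTASKS_TR.search(cmdline)
    if not match:
        return False
    action = next(g for g in match.groups() if g is not None).lower()
    return any(frag in action for frag in USER_WRITABLE)


def bat_from_temp(ev):
    """cmd.exe executing a .bat file that sits under a Temp directory."""
    cmdline = ev["cmdline"].lower()
    return (ev["image"].lower().endswith("\\cmd.exe")
            and ".bat" in cmdline and "\\temp\\" in cmdline)


RULES = {
    "svchost_outside_system_dir": masquerading_svchost,
    "onlogon_task_user_writable": onlogon_task_in_user_dir,
    "cmd_runs_bat_from_temp": bat_from_temp,
}


def scan(events):
    """Return (rule_name, image) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["image"]))
    return hits


if __name__ == "__main__":
    for name, image in scan(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```

Each rule on its own will produce some noise (installers legitimately create onlogon tasks, and some admin scripts run batch files from Temp); the value is in correlating them, since in this chain all three fire within seconds under the same parent process.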
What gives the new version of Venom RAT its stealing capabilities?
The newest version of Venom RAT is aided by the recovery module that helps it steal data from over 20 browsers including:
- Chromium
- Opera
- Comodo
- 360browser
- Dragon
- 7Star
Functions named DetectBankingServices(), DetectPornServices(), and DetectCryptocurrencyServices() classify visited domain names into the categories banking, porn, and cryptocurrency. They search for those domain names in the browser's bookmarks, history, downloads, and cookies files.
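Because the recovery module reads the browser's own profile files (passwords, history, autofill, bookmarks, cookies), a process that is not a browser opening several of those files is a useful detection signal. The Python below is an added example (not Cyble or CRIL code) of that check run over constructed file-access records. The record fields process and path, the browser allowlist, and the victim paths are all assumptions for the example; the profile file names are the standard Chromium ones.

```python
"""Flag non-browser processes that read browser profile artefacts.

Added example, not code from Cyble/CRIL. The records are constructed
sample data; the field names and the browser allowlist are assumptions.
"""
from pathlib import PureWindowsPath

# Chromium-family profile files, mapped to the kind of data they hold.
PROFILE_ARTEFACTS = {
    "login data": "passwords",
    "history": "history",
    "web data": "autofill",
    "bookmarks": "bookmarks",
    "cookies": "cookies",
}

# Images allowed to touch their own profile files (incomplete; an assumption
# for the example, to be extended per environment).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe",
                  "vivaldi.exe", "chromium.exe"}

# Constructed sample records (not real telemetry).
SAMPLE_ACCESS = [
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"process": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "path": r"C:\Users\victim\AppData\Roaming\Opera Software\Opera Stable\Cookies"},
    {"process": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "path": r"C:\Users\victim\Documents\notes.txt"},
]


def classify_access(rec):
    """Return the artefact kind when a non-browser process opens a profile file.

    Returns None for browser processes, for files outside AppData (where
    browser profiles live) and for files that are not profile artefacts.
    """
    reader = PureWindowsPath(rec["process"]).name.lower()
    if reader in BROWSER_IMAGES:
        return None
    if "\\appdata\\" not in rec["path"].lower():
        return None
    return PROFILE_ARTEFACTS.get(PureWindowsPath(rec["path"]).name.lower())


def suspicious_processes(records, min_kinds=2):
    """Processes that read at least min_kinds distinct artefact kinds.

    A stealer harvests everything in one pass, so touching several kinds
    is a stronger signal than a single read (which a backup tool might do).
    """
    seen = {}
    for rec in records:
        kind = classify_access(rec)
        if kind:
            seen.setdefault(rec["process"], set()).add(kind)
    return {proc: sorted(kinds) for proc, kinds in seen.items() if len(kinds) >= min_kinds}


if __name__ == "__main__":
    for proc, kinds in suspicious_processes(SAMPLE_ACCESS).items():
        print(f"{proc} read: {', '.join(kinds)}")
```

On the constructed data only the dropped svchost.exe is reported, with the passwords and cookies artefacts; the real Chrome reading its own History file and the stray read of a document are ignored.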
Stealer functions of Venom RAT
To send the stolen data to the command-and-control server, Venom RAT serialises it in JSON format.
Prices advertised on the Venom RAT website
- Venom RAT with HVNC and the stealer for one month is sold for $350
- Venom RAT with another combination of features for three months is sold for $150
- Bulletproof Windows RDP/VPS for one month is sold for $199.99
The site also lists benefits such as confidentiality, high availability, speed, reliability, assured protection against firewall blocks, anonymity, and offshore data centers.