RevengeRAT Distributed via Bit.ly, BlogSpot, and Pastebin C2 Infrastructure (Malware and Vulnerabilities)

Palo Alto Networks' Unit 42 discovered that the threat actors behind the campaign dubbed "Aggah" employed C2 infrastructure built only from legitimate services to drop RevengeRAT (also known as Revetrat) payloads on organizations from "Technology, Retail, Manufacturing, State/Local Government, Hospitality, Medical, and other Professional business." "Our analysis of the delivery document revealed it was built to load a malicious macro-enabled document from a remote server via Template Injection," Unit 42's researchers found. Also, "These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[."

[Figure: Lure image used in decoy document]

The campaign was first detected by Unit 42 on March 27, after a decoy file disguised as an official document from a financial institution was sent, under the email subject "Your account is locked," to entities in a Middle Eastern country.
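The Template Injection step described above works because a .docx can carry an "attached template" relationship (in word/_rels/settings.xml.rels) whose target is a URL rather than a local .dotm; Word fetches it when the document opens, which is how the macro-enabled second stage arrives without the first document containing any macro itself. The script below is an added example for defenders, not code from Unit 42 or from the report: it unpacks a .docx, lists every attachedTemplate relationship, flags those that resolve over HTTP(S), and annotates targets hosted on the services the article names (Bit.ly, BlogSpot, Pastebin, DuckDNS). The sample documents and URLs are constructed inside the script; the relationship type and namespace strings are the standard OOXML values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship type that points Word at an attached template. A remote
# HTTP(S) target here is the "Template Injection" delivery step the article describes.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Legitimate services the article names as links in the Aggah chain; used only
# to annotate a finding, never as the sole basis for a verdict.
CHAIN_SERVICES = ("bit.ly", "blogspot.com", "pastebin.com", "duckdns.org")


def _host_matches(host, service):
    return host == service or host.endswith("." + service)


def find_attached_templates(docx_bytes):
    """Return one dict per attachedTemplate relationship in the document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return findings  # no template relationships at all
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % RELS_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            parsed = urlparse(target)
            host = (parsed.hostname or "").lower()
            # Local templates (file:// or relative paths) are normal; only a
            # template fetched over the network is the injection pattern.
            remote = (rel.get("TargetMode") == "External"
                      and parsed.scheme.lower() in ("http", "https"))
            findings.append({
                "id": rel.get("Id"),
                "target": target,
                "remote": remote,
                "known_chain_service": any(_host_matches(host, s) for s in CHAIN_SERVICES),
            })
    return findings


def verdict(docx_bytes):
    """'remote-template' if any template is fetched over HTTP(S), else 'clean'."""
    if any(f["remote"] for f in find_attached_templates(docx_bytes)):
        return "remote-template"
    return "clean"


def build_sample_docx(template_target=None):
    """Constructed minimal .docx for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        if template_target is not None:
            z.writestr(
                SETTINGS_RELS,
                '<Relationships xmlns="%s">'
                '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                "</Relationships>" % (RELS_NS, ATTACHED_TEMPLATE, template_target),
            )
    return buf.getvalue()


# Constructed samples: a template attached from the local profile (normal for
# documents based on a custom .dotm) versus one pulled from a remote paste site
# (placeholder path, not a real paste).
LOCAL_SAMPLE = build_sample_docx("file:///C:/Users/user/Templates/corp.dotm")
REMOTE_SAMPLE = build_sample_docx("http://pastebin.com/raw/CONSTRUCTED")

if __name__ == "__main__":
    for name, doc in (("local", LOCAL_SAMPLE), ("remote", REMOTE_SAMPLE)):
        print(name, verdict(doc), find_attached_templates(doc))
```

Run it on real mail attachments by reading the file bytes into `verdict()`; a "remote-template" result on an inbound document is worth a block-and-investigate, while a local `file://` template is the everyday case of a document created from a corporate .dotm. The `known_chain_service` flag only enriches the alert, since the same services are widely used for legitimate content.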
