Double Vision: Stealthy Malware Dropper Delivers Dual RATs

wsh rat revenge rat double threat

A lengthy, multi-stage infection process leads to a duo of payloads, bent on stealing data.

A newly discovered initial-stage malware dropper has been discovered sneaking by antivirus products, with the ultimate goal of delivering a double-pronged whammy of RevengeRAT and WSH RAT payloads onto targeted Windows machines.

A FortiGuard Labs team recently captured a sample file that had been flagged as suspicious, but which had a notably low detection rate in VirusTotal. After putting the code through manual analysis, it turns out that the file was designed to drop the duo of remote access trojans (RATs) via a multi-stage infection process.

A Multistage Unfurling

The sample starts its process with a JavaScript code in a text editor, containing URL-encoded data.

“Once it’s decoded, we were able to uncover VBScript [Visual Basic Script] code,” explained Chris Navarrete and Xiaopeng Zhang, in an analysis posted Wednesday. “The author of this malware used simple character replacement when calling the ‘Chr()’ function in an attempt to hide the actual strings.”

The VBScript code creates a new Shell.Application object to call the ShellExecute() function, which eventually generates a new file with the hardcoded filename of “A6p.vbs.” The purpose of the A6p.vbs file in turn is to fetch an additional VBScript, “Microsoft.vbs,” from a remote server.

“Once this [Microsoft.vbs] code is executed, it creates a new WScript.Shell object and collects OS environment and hardcoded data, which will eventually end in running [a fourth] newly created script (GXxdZDvzyH.vbs) by calling the VBScript interpreter with the ‘//B’ parameter,” according to the analysis. “This enables batch mode and disables any potential warnings or alerts that can occur during execution.”

During the execution of GXxdZDvzyH.vbs, it uses various composed PowerShell commands from the command line, to [bypass built-in Windows policy that prevents automatic execution of PowerShell scripts],” according to the researchers. Eventually, it runs the RevengeRat payload.


After being executed, RevengeRat, a commodity malware family that has been used by the likes of advanced threat group APT33 in the past, connects to two command-and-control (C2) servers and proceeds to collect and exfiltrate information from the victim’s system. The data is encapsulated into a packet that consists of several parts, which are: magic string command, data fields corresponding to the command, a separator to split each data in a packet and end magic string.

The sent packet contains system-fingerprinting information, split into 15 blocks by the separator, with most of them being base64-encoded. The blocks include: The IP address of victim’s machine; the victim’s machine name and user name; whether or not the victim has a webcam; Windows system information; CPU information; total capacity of victim’s physical memory; the type of antivirus and firewall products that are installed; the title of top-most window on the screen and the language used on victim machine.

RevengeRat has other tricks as well – in a .Net piece of code researchers found a thread function called “,” which is in charge of handling all received C2 commands.

“Analyzing this function, we found several command magic strings,” the researchers wrote, the most notable of which are the “P” command, which asks the malware to collect the victim’s top-most window title; and the “IE” and “LP” commands that ask the malware to manipulate the system registry. The “UNV” command packet meanwhile allows an attacker to send malicious assembly language (ASM) code to the malware to be executed in memory, according to the research.

As part of this second-stage infection chain, version 1.6 of WSH RAT is also executed, researchers said.

WSH RAT Scurries onto Machines

WSH RAT was first seen over the summer, used in keylogging attacks against banks. It’s is a near-identical variant of the VBS-based Houdini Worm (H-Worm), which has been around since 2013. H-Worm is versatile, having been used targeted attacks against the international energy industry as well as “spray-and-pray” campaigns using spammed email attachments and malicious links, according to FireEye.

The version of WSH RAT used by the dropper has a total of 29 functions that perform different tasks, ranging from administrative business such as establishing persistency to espionage and data exfiltration.

“This version of WSH RAT focuses on stealing information from popular browsers (i.e., Chrome and Mozilla Firefox), including the newer versions (2.3) by targeting additional software such as FoxMail,” Fortinet researchers said in the analysis.

Some of the 26 commands include: “disconnect”, “reboot”, “shutdown”, “excecute”, “kill-process” and “sleep”.

Once the script is executed, it performs security checks through function calls to verify the current user’s rights, and depending on which ones are used, it will remain as-is or elevate itself to a higher user access level. In addition, a secondary security check is performed to disable the current security context.

The script generates a properly formatted HTTP request that contains information related to the infected computer, and uses the “User-Agent” header as a mechanism to exfiltrate it.  And, to achieve persistency, WSH RAT adds new data into the Windows Registry and also makes a copy of itself in the Windows Startup folder.

The C2 servers that the dropper connects to were offline during the firm’s analysis, but Threatpost has reached out to Fortinet for any details on potential victimology and campaign information.

Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.



Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.