Research Notes

Tag: Threat Hunting

VenomRAT - new, hackforums grade, reincarnation of QuasarRAT

Intro

During routine hunting we stumbled upon a new Remote Administration Toolkit (RAT) named Venom RAT. As with many such tools, the authors conduct their business under the false pretense of providing a tool to remotely manage your own computers. As one can see on the screenshot above, this tool possesses essential capabilities for managing your own computers, such as Keylogger, Stealer, UAC Bypass, and Password Recovery (stealing). All those for the small price of 150$ per month.

On the Royal Road

Intro

Royal Road, or 8.t, is one of the best-known RTF weaponizers; it is used and shared mostly among Chinese-speaking actors, and there are a couple of very good publications on it, including ones from nao_sec, Sebdraven and Anomali. It had been on my to-do list for some time, and thanks to a recent Twitter discussion as well as quarantine time I finally took a deeper look at it. We'll go into how to quickly analyze RTF maldocs, quickly tear down the shellcode used, and finally how to extract the embedded payload.