RevengeHotels, also known as TA558, has escalated its long-standing cybercrime campaign by incorporating artificial intelligence into its infection chains, deploying the potent VenomRAT malware against Windows users.
Active since 2015, this threat actor has traditionally targeted hotel guests and travelers, stealing payment card data through phishing emails.
Recent campaigns, however, demonstrate a marked shift: AI-generated loader scripts and modular JavaScript and PowerShell downloaders now facilitate the delivery of VenomRAT implants that offer enhanced stealth, persistence, and control.
The latest wave of attacks begins with tailored phishing emails themed around overdue invoices or fraudulent job applications sent to hotel reservation and HR addresses.
Recipients who click the embedded link are redirected to attacker-controlled web pages mimicking document storage portals.
These sites automatically download a WScript JS file—named in the format Fat{NUMBER}.js—into the victim’s temporary folder.
Analysis reveals these loader scripts are strikingly well-commented and modular, suggesting they were generated by large language models.
Unlike past samples, which relied on heavy obfuscation, these AI-generated scripts are cleanly structured, include placeholders for dynamic variables, and feature descriptive commentary for every function.
Once executed, the loader decodes and writes a PowerShell file—SGDoHBZQWpLKXCAoTHWdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1—to the system before invoking it in memory three times, a process designed to evade detection.
VenomRAT Delivery and Execution
The PowerShell downloader fetches two Base64-encoded files: venumentrada.txt (the entry loader) and runpe.txt (the in-memory execution stub).
Venumentrada.txt reconstructs a heavily obfuscated in-memory loader, which then executes the VenomRAT implant directly without writing the payload to disk.
VenomRAT, an advanced fork of the open-source QuasarRAT leaked in 2020, offers capabilities such as hidden VNC (HVNC), reverse proxy, file grabbing, UAC exploitation, and robust encryption routines (AES-128 with HMAC-SHA256 verification).
Upon launch, VenomRAT calls EnableProtection to harden its process security descriptor, removing DACL entries that could permit termination.
Simultaneously, a monitoring thread polls every 50 milliseconds to identify and instantly kill security-related processes—such as debuggers, .NET analyzers, and forensic tools—furthering its anti-kill resilience.
To preserve persistence, VenomRAT generates a VBS script that populates HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce and loops to re-launch the RAT if terminated.
On systems with administrative privileges, it enables SeDebugPrivilege and marks itself as a critical process, thwarting user-initiated termination attempts.
VenomRAT establishes a robust communication channel with its command-and-control servers.
Outbound packets undergo serialization, LZMA compression, and AES-128 encryption before transmission.
Inbound commands are decrypted and decompressed in the reverse order. To bypass network restrictions, the RAT installs and configures ngrok tunnels, allowing remote desktop protocols—RDP and VNC—to traverse firewalls under legitimate-looking subdomains.
VenomRAT also propagates via removable media by copying itself as “My Pictures.exe” to any detected USB drive.
It removes Zone.Identifier streams from its executable, defeating Mark-of-the-Web defenses, and clears Windows event logs to erase forensic trails, granting attackers a near-complete forensic blackout.
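The infection chain above (Fat{NUMBER}.js loader in Temp, PowerShell spawned by WScript, the fixed-prefix .ps1 downloader, the VBS RunOnce persistence, ngrok tunnelling, the "My Pictures.exe" USB copy, and event-log clearing) gives a defender several host-level indicators that can be correlated. The following is an added example written for this page, not code from the article or from any vendor tooling: a small rule set run over constructed, Sysmon-style telemetry records. The record field names (event_type, image, parent, cmdline, key, data, path, event_id), the stage labels, and every sample value other than the filenames quoted in the article are assumptions; the Windows event IDs for a cleared log (1102 for Security, 104 for System) are standard and not taken from the page.

```python
import re

# Filename patterns quoted in the write-up: the Fat{NUMBER}.js loader and the
# PowerShell downloader with its fixed prefix. Everything else here (field names,
# stage labels, sample telemetry) is an assumption made for this example.
LOADER_JS = re.compile(r"\\Temp\\Fat\d+\.js\b", re.IGNORECASE)
DOWNLOADER_PS1 = re.compile(r"\\SGDoHBZQWpLKXCAoTHWdBGlnQJLZCGBOVGLH_\d+\.ps1$", re.IGNORECASE)
RUNONCE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", re.IGNORECASE)
USB_COPY = re.compile(r"^[D-Z]:\\My Pictures\.exe$", re.IGNORECASE)
LOG_CLEARED = {1102, 104}  # Security "audit log was cleared" / System "log file was cleared"


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (stage, description) findings for one telemetry record."""
    hits = []
    kind = ev.get("event_type")
    if kind == "process":
        image, parent = _base(ev.get("image", "")), _base(ev.get("parent", ""))
        cmd = ev.get("cmdline", "")
        if image == "wscript.exe" and LOADER_JS.search(cmd):
            hits.append(("loader", "wscript.exe executing Fat{N}.js from the Temp folder"))
        if image in ("powershell.exe", "pwsh.exe") and parent == "wscript.exe":
            hits.append(("loader", "PowerShell spawned by wscript.exe"))
        if image == "ngrok.exe" or re.search(r"\bngrok\b", cmd, re.IGNORECASE):
            hits.append(("c2", "ngrok tunnel process (RDP/VNC exposure)"))
    elif kind == "registry":
        if RUNONCE.match(ev.get("key", "")) and ".vbs" in ev.get("data", "").lower():
            hits.append(("persistence", "VBS script registered under HKCU RunOnce"))
    elif kind == "file":
        path = ev.get("path", "")
        if DOWNLOADER_PS1.search(path):
            hits.append(("loader", "PowerShell downloader written with the known name prefix"))
        if USB_COPY.match(path):
            hits.append(("spread", "'My Pictures.exe' written to the root of a removable drive"))
    elif kind == "eventlog":
        if ev.get("event_id") in LOG_CLEARED:
            hits.append(("anti-forensics", f"Windows event log cleared (Event ID {ev['event_id']})"))
    return hits


def triage(events: list[dict]) -> dict:
    """Run every rule over a host's records and decide whether to escalate."""
    findings = []
    for i, ev in enumerate(events):
        for stage, desc in check_event(ev):
            findings.append({"index": i, "stage": stage, "detail": desc})
    stages = sorted({f["stage"] for f in findings})
    # One hit deserves a look; three or more distinct stages on a single host
    # reproduces the chain described in the article and should page a responder.
    return {"findings": findings, "stages": stages, "escalate": len(stages) >= 3}


# Constructed sample telemetry for one host (user name, paths, timestamp, value
# name and the persist.vbs name are invented; ngrok's "tcp 3389" is its real
# syntax for exposing RDP).
SAMPLE_TELEMETRY = [
    {"event_type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\AppData\Local\Temp\Fat3417.js"'},
    {"event_type": "file",
     "path": r"C:\Users\ana\AppData\Local\Temp\SGDoHBZQWpLKXCAoTHWdBGlnQJLZCGBOVGLH_1725882001.ps1"},
    {"event_type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": "powershell.exe"},  # arguments omitted
    {"event_type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update",
     "data": r'wscript.exe "C:\Users\ana\AppData\Roaming\persist.vbs"'},
    {"event_type": "file", "path": r"E:\My Pictures.exe"},
    {"event_type": "process", "image": r"C:\Users\ana\AppData\Roaming\ngrok.exe",
     "parent": r"C:\Users\ana\AppData\Roaming\svc.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"event_type": "eventlog", "channel": "Security", "event_id": 1102},
    {"event_type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},       # benign
    {"event_type": "eventlog", "channel": "Security", "event_id": 4624},    # benign logon
]

if __name__ == "__main__":
    result = triage(SAMPLE_TELEMETRY)
    for f in result["findings"]:
        print(f"[{f['stage']}] record {f['index']}: {f['detail']}")
    print("stages:", result["stages"], "escalate:", result["escalate"])
```

The rules are deliberately narrow (exact loader filenames, the RunOnce path, a removable-drive root) so they stay precise on real telemetry; the parent-child check (wscript.exe spawning PowerShell) and the ngrok check are the generic ones worth keeping even after the campaign rotates its filenames, and the multi-stage escalation is what turns individual low-confidence hits into an incident.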
Targeting and Outlook
RevengeHotels’ latest operations concentrate on Brazilian hotels but have expanded into Spanish-speaking markets, with phishing emails crafted in Spanish to target venues in Mexico, Chile, and Argentina.

Portuguese-themed domain names hosting payloads rotate frequently, complicating blacklisting efforts. The consistent use of invoice and HR lures, AI-generated loader scripts, and advanced RAT implants underscores RevengeHotels’ evolving capabilities.
Organizations in the hospitality sector should heighten phishing awareness, deploy behavior-based detection tools, and enforce strict script-blocking policies.
Endpoint solutions must inspect in-memory execution and monitor for unauthorized ngrok processes.
As AI continues to lower the barrier for malware development, threat actors like RevengeHotels will refine and accelerate their TTPs, making proactive defense and rapid incident response ever more critical.