Venom RAT is a remote access trojan (RAT) that targets Windows systems and gives an attacker full remote control of the infected machine. It is usually delivered as a malicious attachment in spam email, through malvertising, and through other social engineering techniques. Its primary purpose is to steal information from the victim and exfiltrate it to a command and control (C2) server.

Venom RAT provides the following capabilities:

  • Extract data from browsers, including cookies, saved credit card details, autofill data, and passwords.
  • Collect system information.
  • Exfiltrate the collected data from the victim endpoint to a command and control server.
  • Record keystrokes on the victim endpoint.
  • Record video and audio using the endpoint's webcam and microphone.

In this blog post, we use Wazuh to detect the malicious activities of Venom RAT.

Venom RAT behavior

When Venom RAT is executed on an endpoint, it exhibits the following behaviors:

  • Venom RAT drops a copy of itself in C:\Users\<USERNAME>\AppData\Roaming\ under the filename svchost.exe, masquerading as the legitimate Windows service host binary (which lives in C:\Windows\System32 and is never run from a user profile).
  • Venom RAT creates a value for the dropped svchost.exe under the \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ key so that the copy is launched again at every logon and therefore survives a reboot.
  • Venom RAT injects itself into multiple .dll files.
  • Venom RAT creates .tmp and .tmp.bat files in C:\Users\<USERNAME>\AppData\Local\Temp\.
  • Venom RAT executes the created .tmp.bat file.
  • Venom RAT uses cmd.exe to delete the .tmp.bat file afterwards, removing that trace from disk.

Infrastructure

To demonstrate the detection of Venom RAT with Wazuh, we use the following infrastructure.

1. A pre-built, ready-to-use Wazuh OVA 4.4.0. Follow this guide to download the virtual machine.

2. A Windows 10 victim endpoint with the Wazuh agent 4.4.0 installed. To install the Wazuh agent, refer to the following installation guide.

Detection with Wazuh

In this blog post, we use Sysmon integration with Wazuh to detect Venom RAT behavior on the victim endpoint.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture enriched logs with Sysmon and send them to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Download the Sysmon configuration file – sysmonconfig.xml

3. Install Sysmon with the downloaded configuration file using PowerShell with Administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

4. Add the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file, inside the <ossec_config> block, so that the agent collects the Sysmon event channel and forwards it to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

5. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect Venom RAT behavior on the endpoint. 

1. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="venom_rat,syscheck">

  <!-- Rogue svchost.exe creation -->
  <rule id="100950" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Roaming\\\\svchost\.exe</field>
    <description>Potential Venom RAT activity detected: svchost.exe created at $(win.eventdata.targetFilename) by $(win.eventdata.image).</description>
    <mitre>
      <id>T1036</id>
    </mitre>
  </rule>

  <!-- Registry Run value creation for persistence -->
  <rule id="100951" level="12">
    <if_sid>92300</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:(\\\\Users\\\\.+\\\\)</field>
    <field name="win.eventdata.details" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Roaming\\\\svchost\.exe</field>
    <description>Potential Venom RAT activity detected: $(win.eventdata.details) added itself to the Registry as a startup program to establish persistence.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

  <!-- Suspicious .tmp.bat file creation -->
  <rule id="100952" level="12">
    <if_sid>92204</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.tmp\.bat</field>
    <description>Potential Venom RAT activity detected: Suspicious .tmp.bat file $(win.eventdata.targetFilename) added to Temp folder by $(win.eventdata.image).</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

  <!-- Suspicious .tmp.bat file run from the command line -->
  <rule id="100953" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)cmd\.exe</field>
    <field name="win.eventdata.parentCommandLine" type="pcre2">(?i)\s\/C\s.*\.tmp\.bat</field>
    <description>Venom RAT activity detected: Suspicious .tmp.bat file executed by cmd.exe.</description>
    <mitre>
      <id>T1059.003</id>
    </mitre>
  </rule>

</group>

Where

  • Rule ID 100950 detects when an executable writes a file named svchost.exe into C:\Users\<USERNAME>\AppData\Roaming\ (Sysmon event 11). The genuine svchost.exe lives in C:\Windows\System32, so a copy under a user profile is suspicious on its own.
  • Rule ID 100951 detects when the malicious svchost.exe copy is registered under the Run key (Sysmon event 13) by a process running from a user profile.
  • Rule ID 100952 detects when an executable creates a .tmp.bat file in C:\Users\<USERNAME>\AppData\Local\Temp\ (Sysmon event 11).
  • Rule ID 100953 detects when a .tmp.bat file is executed via cmd.exe /C (Sysmon event 1). It matches on the parent command line, so every process spawned by that batch file raises its own level 15 alert.
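To check that the patterns above match what they are meant to match (and nothing obviously benign) without detonating the sample, here is an added Python harness; it is not part of the original post or of the Wazuh ruleset. It copies the pcre2 expressions from rules 100950 to 100953 verbatim and runs them over a few constructed Sysmon eventdata records. Two assumptions are made that the page does not state: Wazuh matches eventchannel fields in their JSON-escaped form, so one on-disk backslash is seen as two characters (which is why the rules write \\\\ for a single separator), and each if_sid parent corresponds to the Sysmon event ID given in the rule comments.

```python
"""Offline check of rules 100950-100953 against constructed Sysmon events.

Added example; it is not part of the original post or the Wazuh ruleset.
Assumptions not taken from the page: eventdata fields are matched in their
JSON-escaped form (one on-disk backslash appears as two characters), which is
why the rules write '\\\\' for a single path separator, and each if_sid parent
decodes the Sysmon event ID named in the rule comments (11, 13, 11, 1).
"""
import json
import re

# Parent rule ID -> Sysmon event ID it decodes (assumed mapping, see above).
PARENT_TO_SYSMON_EVENT = {61613: 11, 92300: 13, 92204: 11, 61603: 1}

# (rule id, level, parent sid, {field: pcre2 pattern}), copied from local_rules.xml.
RULES = [
    (100950, 12, 61613, {
        "image": r"\.exe",
        "targetFilename": r"(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Roaming\\\\svchost\.exe",
    }),
    (100951, 12, 92300, {
        "image": r"(?i)[c-z]:(\\\\Users\\\\.+\\\\)",
        "details": r"(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Roaming\\\\svchost\.exe",
    }),
    (100952, 12, 92204, {
        "image": r"\.exe",
        "targetFilename": r"(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.tmp\.bat",
    }),
    (100953, 15, 61603, {
        "parentImage": r"(?i)cmd\.exe",
        "parentCommandLine": r"(?i)\s\/C\s.*\.tmp\.bat",
    }),
]


def escaped(value: str) -> str:
    """Render a decoded field value the way it appears inside the agent's JSON payload."""
    return json.dumps(value)[1:-1]


def matching_rules(event: dict) -> list:
    """Return the IDs of the rules that fire on one Sysmon event.

    event = {"eventID": int, "eventdata": {field: value}}. As in Wazuh, every
    <field> condition of a rule must match, and the rule's parent must be the
    decoder rule for this event ID.
    """
    data = event["eventdata"]
    hits = []
    for rule_id, _level, parent_sid, fields in RULES:
        if PARENT_TO_SYSMON_EVENT[parent_sid] != event["eventID"]:
            continue
        if all(name in data and re.search(pat, escaped(data[name]))
               for name, pat in fields.items()):
            hits.append(rule_id)
    return hits


# Constructed events: the four Venom RAT steps, then two benign look-alikes
# that the rules must NOT flag.
SAMPLE_EVENTS = [
    {"eventID": 11, "eventdata": {              # rogue svchost.exe dropped in Roaming
        "image": r"C:\Users\alice\Downloads\Invoice.exe",
        "targetFilename": r"C:\Users\alice\AppData\Roaming\svchost.exe"}},
    {"eventID": 13, "eventdata": {              # Run value pointing at the rogue copy
        "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
        "targetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
        "details": r"C:\Users\alice\AppData\Roaming\svchost.exe"}},
    {"eventID": 11, "eventdata": {              # .tmp.bat staged in Temp
        "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
        "targetFilename": r"C:\Users\alice\AppData\Local\Temp\tmpA1B2.tmp.bat"}},
    {"eventID": 1, "eventdata": {               # child of "cmd /C <script>.tmp.bat"
        "image": r"C:\Windows\System32\chcp.com",
        "parentImage": r"C:\Windows\System32\cmd.exe",
        "parentCommandLine": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\alice\AppData\Local\Temp\tmpA1B2.tmp.bat"'}},
    {"eventID": 11, "eventdata": {              # benign: servicing rewrites the real svchost.exe
        "image": r"C:\Windows\servicing\TrustedInstaller.exe",
        "targetFilename": r"C:\Windows\System32\svchost.exe"}},
    {"eventID": 11, "eventdata": {              # benign: ordinary .bat, no .tmp.bat double extension
        "image": r"C:\Windows\explorer.exe",
        "targetFilename": r"C:\Users\alice\AppData\Local\Temp\setup.bat"}},
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Rule IDs fired per event, in input order; [] means no alert."""
    return [matching_rules(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, evaluate()):
        print(f"Sysmon {event['eventID']:>2}: {hits or 'no alert'}")
```

Running the script prints one line per event; the four malicious records each fire exactly one rule, and the two benign ones (the real svchost.exe written to System32 by Windows servicing, and a plain .bat in Temp) produce no alert. Python's re engine is not pcre2, but none of these patterns use constructs the two treat differently. When you change a pattern in local_rules.xml, paste it back into RULES and rerun; a regression shows up as a changed list before you restart the manager.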

2. Restart the Wazuh manager to apply the configuration changes:

# systemctl restart wazuh-manager

Detection Results

The screenshot below shows the alerts generated on the Wazuh dashboard when Venom RAT is executed on the victim endpoint.

[Figure: Venom RAT detection alerts on the Wazuh dashboard]

Conclusion

In this blog post, we demonstrated how to detect Venom RAT activity with Wazuh. We used Sysmon to enrich the logs collected from the victim endpoint and wrote rules that match the file drop, Run key persistence, and .tmp.bat staging and execution associated with Venom RAT.
