Venom RAT is a remote access tool that targets Windows operating systems and allows attackers to gain full access and remote control of victim machines. It is usually distributed as a malicious attachment in spam mails, malvertising, and other social engineering techniques. The primary purpose of this RAT is to steal and exfiltrate information to a command and control server.

Venom RAT provides the following capabilities:

  • Extract data from browsers, including browser cookies, credit card details, autofills, and passwords.
  • Collect system information.
  • Exfiltrate data from a victim endpoint to a command and control server.
  • Record keystrokes on the victim endpoint.
  • Record videos and audio using the endpoint’s webcam and microphone.

In this blog post, we use Wazuh to detect the malicious activities of Venom RAT.

Venom RAT behavior

When Venom RAT is executed on an endpoint, it exhibits the following behaviors:

  • Venom RAT drops a copy of itself in C:\Users\<USERNAME>\AppData\Roaming\ with the filename svchost.exe to masquerade as a legitimate file. 
  • Venom RAT creates a registry key in  \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ for the created svchost.exe file to ensure it runs anytime the victim endpoint is restarted.
  • Venom RAT injects itself into multiple .dll files. 
  • Venom RAT creates .tmp and .tmp.bat files in C:\Users\<USERNAME>\AppData\Local\Temp\
  • Venom RAT executes the created .tmp.bat file. 
  • Venom RAT uses cmd.exe to delete the created .tmp.bat file.

Infrastructure

To demonstrate the detection of Venom RAT with Wazuh, we use the following infrastructure.

1. A pre-built ready-to-use Wazuh OVA 4.4.0. Follow this guide to download the virtual machine.

2. A Windows 10 victim endpoint with Wazuh agent 4.4.0 installed. To install the Wazuh agent, refer to the following installation guide.

Detection with Wazuh

In this blog post, we use Sysmon integration with Wazuh to detect Venom RAT behavior on the victim endpoint.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture enriched logs with Sysmon and send them to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Download the Sysmon configuration file – sysmonconfig.xml

3. Install Sysmon with the downloaded configuration file using PowerShell with Administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

4. Add the following configuration to the  C:\Program Files (x86)\ossec-agent\ossec.conf file within the <ossec_config> block to capture and forward Sysmon event logs to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

5. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect Venom RAT behavior on the endpoint. 

1. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="venom_rat,syscheck">

  <!-- Rogue svchost.exe creation -->
  <rule id="100950" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\Users\\.+\\AppData\\Roaming\\svchost\.exe</field>
    <description>Potential Venom RAT activity detected: svchost.exe created at $(win.eventdata.targetFilename) by $(win.eventdata.image).</description>
    <mitre>
      <id>T1036</id>
    </mitre>
  </rule>

  <!-- Registry key creation for persistence -->
  <rule id="100951" level="12">
    <if_sid>92300</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:(\\Users\\.+\\)</field>
    <field name="win.eventdata.details" type="pcre2">(?i)[c-z]:\\Users\\.+\\AppData\\Roaming\\svchost\.exe</field>
    <description>Potential Venom RAT activity detected:  $(win.eventdata.details) added itself to the Registry as a startup program to establish persistence.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

<!-- Suspicious .tmp.bat file creation -->
  <rule id="100952" level="12">
    <if_sid>92204</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\Users\\.+\\AppData\\Local\\Temp\\.+\.tmp\.bat</field>
    <description>Potential Venom RAT activity detected: Suspicious .tmp.bat file $(win.eventdata.targetFilename) added to Temp folder by $(win.eventdata.image).</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

<!-- Suspicious .tmp.bat file run in command line-->
  <rule id="100953" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)cmd\.exe</field>
    <field name="win.eventdata.parentCommandLine" type="pcre2">(?i)\s\/C\s.*\.tmp\.bat</field>
    <description>Venom RAT activity detected: Suspicious .tmp.bat file executed by cmd.</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

</group>

Where

  • Rule ID 100950 detects when Venom RAT creates a malicious svchost.exe file in the C:\Users\<USERNAME>\AppData\Roaming\ folder.
  • Rule ID 100951 detects when Venom RAT sets the malicious copy of svchost.exe as a registry run key. 
  • Rule ID 100952 detects when Venom RAT creates a .bat.tmp file in the C:\Users\<USERNAME>\AppData\Local\Temp\ folder.
  • Rule ID 100953 detects when a .bat.tmp file is executed by cmd.exe.

2. Restart the Wazuh manager to apply the configuration changes:

# systemctl restart wazuh-manager

Detection Results

Below is the screenshot of the alerts generated on the Wazuh dashboard when the Venom RAT is executed on the victim endpoint.

venom rat detection

Conclusion

In this blog post, we demonstrated how to detect Venom RAT activities with Wazuh. We utilized Sysmon to enrich logs from the victim endpoint and created rules to detect malicious activities associated with Venom RAT.

References