ReverseRAT 2.0 Uses Nightfury Agent to Target New Victims


ReverseRAT, a remote access trojan used in major attack campaigns against organizations in South and Central Asia, has received significant upgrades to its capabilities. Dubbed ReverseRAT 2.0 by Black Lotus Labs researchers, the new variant is being deployed alongside a new agent called NightFury.

ReverseRAT 2.0 shows more intrusive capabilities

  • According to the researchers, ReverseRAT 2.0 differs from its predecessor in three main ways.
  • First, it relies on NightFury instead of AllaKore, the open-source RAT used in the previous iteration.
  • Second, the new variant adds new functionality and modified command calls for creating, listing, and deleting registry keys.
  • Third, ReverseRAT 2.0 gains the ability to capture photos from the webcams of infected machines and to steal files from attached USB devices.
  • In addition, the researchers spotted an updated version of the preBotHta loader, which helps the threat actors bypass antivirus products.

Other key points

  • ReverseRAT 2.0 appears to have targeted organizations primarily in Afghanistan, with a handful in Jordan, India, and Iran.
  • Other data collected by the trojan includes the MAC address, the amount of physical memory on the device, processor information, the computer name, and the IP address.

ReverseRAT continues to stride ahead

  • While ReverseRAT 2.0 is emerging as a new threat, the previous iteration continues to feature in sophisticated campaigns.
  • In a recent investigation, Cisco Talos found that the SideCopy threat group had expanded its cyberespionage activities to deploy multiple RATs, including DetaRAT, ReverseRAT, MargulasRAT, and ActionRAT, on victims' computers.
  • In a separate incident reported in June, Pakistan-based threat actors used ReverseRAT to infect Windows systems at government and energy organizations in South and Central Asia.
  • That intrusion is believed to have begun in January 2021 and to have gone undetected for around six months.

What to expect in the future?

Researchers anticipate further attacks on government and energy organizations in South and Central Asia. The discovery of the new NightFury agent alongside ReverseRAT 2.0 also shows the attackers' continued effort to evade detection. Since most of these attacks rely on phishing emails as the initial infection vector, organizations should invest in proactively detecting and blocking such emails.