ReverseRAT 2.0 Uses Nightfury Agent to Target New Victims


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
ReverseRAT, a remote access trojan used in major attack projects targeting organizations in South and Central Asia, has received prominent modifications in its capabilities. Called by Black Lotus researchers as ReverseRAT 2.0, the new variant is being used alongside a new agent called NightFury.

ReverseRAT 2.0 shows more intrusive capabilities​

According to researchers, ReverseRAT 2.0 differs from its predecessors in three main ways.
  • First, it relies on NightFury instead of AlkaKore, an open-source RAT that was used in the previous iteration.
  • Second, the new variant leverages new functionalities and modified command calls related to creating, listing, and deleting registry keys.
  • Third, ReverseRAT 2.0 adds new capabilities to capture photos via webcams from infected machines and to steal files from USB connections.
  • In addition to these, researchers spotted an updated version of the preBotHta loader file that helps threat actors to bypass antivirus products.

Other key points​

  • The new ReverseRAT 2.0 appears to have targeted organizations in Afghanistan, with a handful in Jordan, India, and Iran.
  • Among the other data collected by the trojan includes MAC address, physical memory on the device, information about the processor, computer name, and IP address.