win.webmonitor (Back to overview)

WebMonitor RAT

aka: RevCode

On its website, Webmonitor RAT is described as 'a very powerful, user-friendly, easy-to-setup and state-of-the-art monitoring tool. Webmonitor is a fully native RAT, meaning it will run on all Windows versions and languages starting from Windows XP and up, and perfectly compatible with all crypters and protectors.'
Unit 42 notes in its analysis that the RAT is offered as C2-as-a-service and highlights the controversial aspect that the builder can create client binaries that show no popup or dialogue during installation or while running on a target system.

References
2020-11-16 — Trend Micro — Trendmicro
@online{trendmicro:20201116:malicious:b459c3f, author = {Trendmicro}, title = {{Malicious Actors Target Comm Apps such as Zoom, Slack, Discord}}, date = {2020-11-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord}, language = {English}, urldate = {2020-11-19} } Malicious Actors Target Comm Apps such as Zoom, Slack, Discord
WebMonitor RAT
2020-09-04 — KrabsOnSecurity — Mr. Krabs
@online{krabs:20200904:bitrat:bd0d3cd, author = {Mr. Krabs}, title = {{BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked}}, date = {2020-09-04}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/}, language = {English}, urldate = {2020-09-05} } BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked
BitRAT WebMonitor RAT
2020-02-04 — RevCode
@online{revcode:20200204:revcode:bb6d2b3, author = {RevCode}, title = {{RevCode RAT}}, date = {2020-02-04}, url = {https://revcode.se/product/webmonitor/}, language = {English}, urldate = {2020-02-07} } RevCode RAT
WebMonitor RAT
2019-04-22 — KrebsOnSecurity — Brian Krebs
@online{krebs:20190422:whos:2004970, author = {Brian Krebs}, title = {{Who’s Behind the RevCode WebMonitor RAT?}}, date = {2019-04-22}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/}, language = {English}, urldate = {2020-01-13} } Who’s Behind the RevCode WebMonitor RAT?
WebMonitor RAT
2018-04-13 — Palo Alto Networks Unit 42 — Mike Harbison, Simon Conant
@online{harbison:20180413:say:920b109, author = {Mike Harbison and Simon Conant}, title = {{Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)}}, date = {2018-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/}, language = {English}, urldate = {2019-12-20} } Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)
WebMonitor RAT
Yara Rules
[TLP:WHITE] win_webmonitor_auto (20220411 | Detects win.webmonitor.)
rule win_webmonitor_auto {
    // Auto-generated (yara-signator) code-pattern rule for win.webmonitor.
    // The 16 $sequence_N hex strings below are short instruction byte
    // sequences lifted from disassembly of unpacked samples / memory dumps
    // (see the DISCLAIMER). Matching is purely byte-based; the per-line
    // disassembly comments are informational only.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.webmonitor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "??" is a YARA nibble wildcard, so "????????" matches any four bytes;
        // the generator masks out position-dependent operands (e.g. absolute
        // addresses) this way so the sequence survives relocation.
        // In the annotations, "n" equals the number of instructions in the
        // sequence; "score" is presumably a generator-assigned weight — confirm
        // its exact meaning against the yara-signator documentation.
        $sequence_0 = { 6c 68ff080800 8a3401 a3???????? 0800 8a30 019ef5000000 }
            // n = 7, score = 200
            //   6c                   | insb                byte ptr es:[edi], dx
            //   68ff080800           | push                0x808ff
            //   8a3401               | mov                 dh, byte ptr [ecx + eax]
            //   a3????????           |                     
            //   0800                 | or                  byte ptr [eax], al
            //   8a30                 | mov                 dh, byte ptr [eax]
            //   019ef5000000         | add                 dword ptr [esi + 0xf5], ebx

        $sequence_1 = { ec fe04ec fe05???????? 000d???????? 04c8 fe04ec fd }
            // n = 7, score = 200
            //   ec                   | in                  al, dx
            //   fe04ec               | inc                 byte ptr [esp + ebp*8]
            //   fe05????????         |                     
            //   000d????????         |                     
            //   04c8                 | add                 al, 0xc8
            //   fe04ec               | inc                 byte ptr [esp + ebp*8]
            //   fd                   | std                 

        $sequence_2 = { 04b8 fe04f4 fd 04f0 fd ff01 04f0 }
            // n = 7, score = 200
            //   04b8                 | add                 al, 0xb8
            //   fe04f4               | inc                 byte ptr [esp + esi*8]
            //   fd                   | std                 
            //   04f0                 | add                 al, 0xf0
            //   fd                   | std                 
            //   ff01                 | inc                 dword ptr [ecx]
            //   04f0                 | add                 al, 0xf0

        $sequence_3 = { 44 8a4100 047e 41 00f8 384200 }
            // n = 6, score = 200
            //   44                   | inc                 esp
            //   8a4100               | mov                 al, byte ptr [ecx]
            //   047e                 | add                 al, 0x7e
            //   41                   | inc                 ecx
            //   00f8                 | add                 al, bh
            //   384200               | cmp                 byte ptr [edx], al

        $sequence_4 = { 009c934200d4bd 41 008ce741008485 41 00baa4f34100 b9???????? ffe1 }
            // n = 7, score = 200
            //   009c934200d4bd       | add                 byte ptr [ebx + edx*4 - 0x422bffbe], bl
            //   41                   | inc                 ecx
            //   008ce741008485       | add                 byte ptr [edi - 0x7a7bffbf], cl
            //   41                   | inc                 ecx
            //   00baa4f34100         | add                 byte ptr [edx + 0x41f3a4], bh
            //   b9????????           |                     
            //   ffe1                 | jmp                 ecx

        $sequence_5 = { 00dc 7442 000477 42 0028 }
            // n = 5, score = 200
            //   00dc                 | add                 ah, bl
            //   7442                 | je                  0x44
            //   000477               | add                 byte ptr [edi + esi*2], al
            //   42                   | inc                 edx
            //   0028                 | add                 byte ptr [eax], ch

        $sequence_6 = { a3???????? 30ff 9e 0808 008a30019ef5 0000 }
            // n = 6, score = 200
            //   a3????????           |                     
            //   30ff                 | xor                 bh, bh
            //   9e                   | sahf                
            //   0808                 | or                  byte ptr [eax], cl
            //   008a30019ef5         | add                 byte ptr [edx - 0xa61fed0], cl
            //   0000                 | add                 byte ptr [eax], al

        $sequence_7 = { 42 00a06a4200f8 b642 009c934200d4bd }
            // n = 4, score = 200
            //   42                   | inc                 edx
            //   00a06a4200f8         | add                 byte ptr [eax - 0x7ffbd96], ah
            //   b642                 | mov                 dh, 0x42
            //   009c934200d4bd       | add                 byte ptr [ebx + edx*4 - 0x422bffbe], bl

        $sequence_8 = { 00e8 dd7000 008bf98b5d1c 8d4de4 }
            // n = 4, score = 100
            //   00e8                 | add                 al, ch
            //   dd7000               | fnsave              dword ptr [eax]
            //   008bf98b5d1c         | add                 byte ptr [ebx + 0x1c5d8bf9], cl
            //   8d4de4               | lea                 ecx, dword ptr [ebp - 0x1c]

        $sequence_9 = { 0108 eb5a 8b4508 83ceff }
            // n = 4, score = 100
            //   0108                 | add                 dword ptr [eax], ecx
            //   eb5a                 | jmp                 0x5c
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83ceff               | or                  esi, 0xffffffff

        $sequence_10 = { 0108 8b442410 891e 894604 }
            // n = 4, score = 100
            //   0108                 | add                 dword ptr [eax], ecx
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   891e                 | mov                 dword ptr [esi], ebx
            //   894604               | mov                 dword ptr [esi + 4], eax

        $sequence_11 = { 00d1 6848004069 48 00d1 }
            // n = 4, score = 100
            //   00d1                 | add                 cl, dl
            //   6848004069           | push                0x69400048
            //   48                   | dec                 eax
            //   00d1                 | add                 cl, dl

        $sequence_12 = { 00e8 f61c00 008bd9895df0 8b451c }
            // n = 4, score = 100
            //   00e8                 | add                 al, ch
            //   f61c00               | neg                 byte ptr [eax + eax]
            //   008bd9895df0         | add                 byte ptr [ebx - 0xfa27627], cl
            //   8b451c               | mov                 eax, dword ptr [ebp + 0x1c]

        $sequence_13 = { 000f b681 fc b84500ff24 }
            // n = 4, score = 100
            //   000f                 | add                 byte ptr [edi], cl
            //   b681                 | mov                 dh, 0x81
            //   fc                   | cld                 
            //   b84500ff24           | mov                 eax, 0x24ff0045

        $sequence_14 = { 00d1 6848007269 48 00856948008b }
            // n = 4, score = 100
            //   00d1                 | add                 cl, dl
            //   6848007269           | push                0x69720048
            //   48                   | dec                 eax
            //   00856948008b         | add                 byte ptr [ebp - 0x74ffb797], al

        $sequence_15 = { 00856948008b ff558b ec 83ec0c }
            // n = 4, score = 100
            //   00856948008b         | add                 byte ptr [ebp - 0x74ffb797], al
            //   ff558b               | call                dword ptr [ebp - 0x75]
            //   ec                   | in                  al, dx
            //   83ec0c               | sub                 esp, 0xc

    condition:
        // Fires when at least 7 of the 16 sequences are present AND the scanned
        // object is smaller than 1867776 bytes (1824 KiB). Two consequences for
        // deployment: (1) inputs at or above that size never match, however many
        // sequences they contain — relevant when scanning large memory dumps;
        // (2) since the sequences come from unpacked code, packed or encrypted
        // samples are unlikely to match until they are unpacked.
        7 of them and filesize < 1867776
}
[TLP:WHITE] win_webmonitor_w0   (20200304 | Revcode RAT)
rule win_webmonitor_w0 {
    // Hand-written plaintext-marker rule for Revcode / WebMonitor RAT.
    // Requires every one of the seven string markers below to be present.
    meta:
        description = "Revcode RAT"
        author = "James_inthe_box"
        // 64 hex characters — presumably the SHA-256 of the sample the rule
        // was written against; confirm before relying on it as a lookup key.
        reference = "ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8"
        date = "2020/02"
        maltype = "RAT"
        source = "https://pastebin.com/M2k5Vg3c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor"
        malpedia_version = "20200304"
        malpedia_sharing = "TLP:WHITE"
        // Deliberately left empty in the published rule; no licence is asserted.
        malpedia_license = ""

    strings:
        // $string1-$string5 carry no modifier, so they match ASCII only;
        // $string6 and $string7 are "wide", so they match UTF-16LE only.
        // A build that stores a token in the other encoding is not matched.
        // The tokens appear to be plaintext command/feature identifiers
        // embedded in the client (cannot be confirmed from the rule alone).
        $string1 = "SCREEN_STREAM_START"
        $string2 = "CLIPBOARD_SET"
        $string3 = "SERVICES_RESUME"
        $string4 = "KEYLOG:"
        $string5 = "WEBCAM_DRIVERS"
        $string6 = "image.bmp" wide
        $string7 = "APPACTIVATE" wide
 
    condition:
        // All seven markers must be present. This keeps false positives low,
        // but a sample that lacks even one of them (or has them encoded or
        // obfuscated) will not match — treat a miss as "not confirmed",
        // not as "clean".
        all of ($string*)
}