
Artificially Intelligent RevengeHotels Utilize VenomRAT Against Windows Users for Malicious Purposes

"AI-infused phishing attacks by RevengeHotels escalate, with VenomRAT delivered through custom-made JavaScript loaders and PowerShell scripts."

Windows users under threat as RevengeHotels exploit AI to deploy VenomRAT

In recent months, the financially motivated threat group RevengeHotels has escalated its operations against hospitality organizations, particularly those in Brazil and Spanish-speaking markets in Latin America.

The group, which has been active since 2015, is known for its targeted attacks on hotel front-desk systems. Initially it deployed bespoke RAT families such as RevengeRAT and NanoCoreRAT via phishing emails. Its latest campaigns, however, center on delivering VenomRAT implants through dynamically generated JavaScript loaders and PowerShell downloaders.

The infection chain's success hinges on the initial JavaScript loader's ability to orchestrate multi-stage payload delivery while blending AI-generated clarity with manual obfuscation. Upon execution, the loader decodes an obfuscated buffer and writes a PowerShell file with a timestamped filename, so that each sample is unique and evades signature-based detection.

Securelist researchers identified that the loader employs a simple deobfuscation routine to decode and invoke the implant without ever writing the final executable to disk. When the recipient of the phishing email clicks the malicious link, the victim's browser fetches a JavaScript file that runs under WScript (for instance, Fat146571.js), which immediately decodes an embedded blob.
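The chain described above leaves a process-creation pattern that endpoint telemetry can catch: a Windows script host launching PowerShell with a freshly written, timestamp-named .ps1. The hunting logic below is an added example written for this article, not code from Securelist or from the campaign; it runs over constructed Sysmon-style records, and the "8 or more digits in the script name" heuristic is an assumption, since the article does not give the exact naming format.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: a "timestamped" name is a .ps1 whose base name carries a run of 8+ digits.
TIMESTAMPED_PS1 = re.compile(r"[^\\/\s\"']*\d{8,}[^\\/\s\"']*\.ps1\b", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Alert]:
    """Flag PowerShell started by a script host; strongest when a timestamped .ps1 is passed."""
    alerts = []
    for ev in events:
        image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
        cmd = ev["CommandLine"]
        if image in POWERSHELL and parent in SCRIPT_HOSTS:
            m = TIMESTAMPED_PS1.search(cmd)
            if m:
                alerts.append(Alert("script host runs PowerShell with timestamped .ps1", ev["ProcessId"], m.group(0)))
            else:
                alerts.append(Alert("script host spawns PowerShell", ev["ProcessId"], cmd))
    return alerts


# Constructed sample telemetry: the loader chain (pids 4120/4188), a second
# script-host-to-PowerShell launch without a file (4200), and a benign launch (5000).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\u\Downloads\Fat146571.js'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -File C:\Users\u\AppData\Local\Temp\ps20240911143522.ps1"},
    {"ProcessId": 4200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"ProcessId": 5000, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

In a real deployment the parent check also catches the implant's in-memory invocation, since the page notes the final executable never touches disk and the PowerShell stage is what an EDR will still see.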

VenomRAT, the implant built by RevengeHotels, builds upon the open-source QuasarRAT codebase, augmenting it with hidden desktop (HVNC), file-stealing modules, and UAC bypass primitives. Configuration data in VenomRAT is encrypted with AES-CBC and authenticated via HMAC-SHA256, using distinct keys for decryption and integrity verification.

Networking routines in VenomRAT serialize action-specific packets, compress them with LZMA, and encrypt them with AES-128 before transmission to the command-and-control server. The initial JavaScript loader exemplifies the role of AI in producing clean, maintainable code that nonetheless performs malicious actions.

By avoiding persistent artifacts, the initial JavaScript loader evades conventional antivirus and forensic tools. Through this blend of AI-driven scripting and advanced RAT capabilities, RevengeHotels continues to refine its arsenal against Windows environments, posing a growing challenge to cybersecurity defenders.

As of now, there is no specific information available about the group behind RevengeHotels. However, their integration of large language model-generated code into their infection chain marks a significant evolution in the threat landscape, underscoring the need for continuous vigilance and adaptation in cybersecurity defences.
