
New RevengeHotels attack targets Windows with VenomRAT


The RevengeHotels hacking operation, also known as TA558, has launched attacks that use artificial intelligence-based loader scripts together with JavaScript and PowerShell downloaders to compromise Windows systems with the VenomRAT malware, according to GBHackers News. RevengeHotels targeted hotel reservation and human resources email accounts with overdue invoice or job application lures containing links that redirected to fraudulent document storage portals, a report from Kaspersky showed. Visiting such sites triggers the automated download of an AI-generated WScript JS file, which creates a PowerShell file enabling the eventual execution of VenomRAT.

Aside from strengthening its process security descriptor through an EnableProtection call, VenomRAT directly ends debuggers, forensic systems, and other security-related tools through a monitoring thread that inspects running processes every 50 milliseconds. VenomRAT also produces a VBS script to ensure persistence while elevating to SeDebugPrivilege on systems with admin privileges, enables distribution via removable media, and deletes Windows event logs to conceal nefarious activity.
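One way to triage for two stages of the chain described above, a Windows Script Host process launching PowerShell and a cleared event log, as an added example that is not from the Kaspersky report or this article. It assumes Sysmon process-creation events (Event ID 1) and the standard Windows log-cleared events (Security 1102, System 104) already normalized into dictionaries; the field names, host names and sample events are constructed, and `cscript.exe` and `pwsh.exe` are included as a generalization beyond the WScript case in the text.

```python
from ntpath import basename  # parses Windows paths on any OS

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Events Windows writes when a log is cleared: (channel, event id)
LOG_CLEARED = {("Security", 1102), ("System", 104)}
SYSMON = "Microsoft-Windows-Sysmon/Operational"

def classify(event):
    """Return a finding name for one normalized event, or None."""
    key = (event.get("channel"), event.get("event_id"))
    if key in LOG_CLEARED:
        return "event-log-cleared"
    if key == (SYSMON, 1):  # Sysmon process creation
        parent = basename(event.get("parent_image", "")).lower()
        child = basename(event.get("image", "")).lower()
        if parent in SCRIPT_HOSTS and child in POWERSHELL:
            return "script-host-spawned-powershell"
    return None

def triage(events):
    """Collect findings per host; escalate hosts that show both stages."""
    per_host = {}
    for ev in events:
        finding = classify(ev)
        if finding:
            per_host.setdefault(ev["host"], set()).add(finding)
    return {host: {"findings": sorted(found), "escalate": len(found) > 1}
            for host, found in per_host.items()}

# Constructed sample events; hosts, paths and field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "FRONTDESK-01", "channel": SYSMON, "event_id": 1,
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "FRONTDESK-01", "channel": "Security", "event_id": 1102},
    {"host": "HR-02", "channel": SYSMON, "event_id": 1,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "BACKOFFICE-03", "channel": "System", "event_id": 104},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result)
```

Because the malware is reported to delete local event logs, rules like these are only useful when events are forwarded off the host before they can be cleared.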
