The notorious cybercriminal group known as “Venom Spider” is reportedly enhancing its malware-as-a-service (MaaS) offerings. This advancement aims to equip users of its platform with more sophisticated tools, as indicated by the recent detection of a new backdoor and loader involved in separate attacks over a span of two months.
Research conducted by Zscaler ThreatLabz revealed that between August and October of this year, two malware variants termed RevC2 and Venom Loader were deployed in coordinated cyberattacks. This intelligence was documented in a blog post published on December 2.
RevC2 utilizes WebSockets for communication with its command-and-control (C2) server, allowing it to exfiltrate sensitive information such as cookies and passwords, proxy network traffic, and execute remote commands. On the other hand, Venom Loader enhances the personalization of attacks by encoding payloads based on the victim’s computer name.
The Venom Spider group is well-known for its MaaS tools, which have been extensively utilized by various cybercriminal networks, including FIN6 and Cobalt. Notably, a recent spear-phishing campaign conducted by FIN6 in October exploited Venom Spider’s platform, introducing a new backdoor called “more_eggs” capable of launching secondary malware payloads.
Emergence of “More_Eggs”
The platform has reportedly evolved once more, with two new malware families identified in recent phishing campaigns. The RevC2 backdoor was delivered using a lure posing as API documentation.
The attack began with a VenomLNK file containing an obfuscated batch script. When executed, the script downloaded from a remote URL an image disguised as “APFX Media API Documentation.”
RevC2 then performed two checks to confirm specific system conditions were met before executing, ensuring that it was not deployed within analysis or sandbox environments.
Once operational, RevC2 could carry out a range of tasks: C2 communication via the C++ library “websocketpp,” extraction of passwords and cookies from Chromium-based browsers, screenshot capture, proxying of network traffic over the SOCKS5 protocol, and execution of commands under another user’s account via stolen credentials.
A subsequent campaign observed from September to October utilized a cryptocurrency lure to deploy Venom Loader, which introduced a JavaScript backdoor known as “More_eggs lite.” This variant was noted for having a more limited set of capabilities compared to its predecessor.
The researchers pointed out that although More_eggs lite is a JavaScript-based backdoor, it primarily provides remote code execution. A distinctive feature of Venom Loader is a DLL file uniquely crafted for each victim, which it uses to load the subsequent stages of the attack.
The loader retrieves its payload from a URL that incorporates the victim’s computer name and uses that same value as an XOR key for encoding its attack stages, ultimately executing the More_eggs lite backdoor, which gives attackers remote code execution.
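The per-victim XOR keying described above, as an added example that is not Zscaler’s or the malware’s own code: a small Python decoder that assumes repeating-key XOR with the computer name (the exact scheme is an assumption; the hostname and payload bytes are constructed). It shows why a captured stage can only be decoded with the targeted host’s name, and how an analyst can test candidate hostnames from an asset inventory against a blob.

```python
from typing import Iterable, Optional

# Constructed sample values: a hypothetical victim computer name and a
# hypothetical next-stage payload (a PE-like blob starting with "MZ").
VICTIM_HOSTNAME = "DESKTOP-A1B2C3"
PLAINTEXT_STAGE = b"MZ\x90\x00hypothetical next-stage payload bytes"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme); XOR is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_stage(stage: bytes, hostname: str) -> bytes:
    """Model the loader side: key the stage to one computer name."""
    return xor_with_key(stage, hostname.encode())


def decode_stage(blob: bytes, hostname: str) -> bytes:
    """Analyst side: decode a captured blob with a candidate hostname."""
    return xor_with_key(blob, hostname.encode())


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check: Windows executables begin with 'MZ'."""
    return data[:2] == b"MZ"


def recover_stage(blob: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Try each hostname (e.g. from an asset inventory) against a captured
    blob and return the one that yields a plausible PE, or None.
    A sandbox with a different computer name would only ever see garbage,
    which is what makes the per-victim keying an anti-analysis measure."""
    for name in candidates:
        if looks_like_pe(decode_stage(blob, name)):
            return name
    return None


if __name__ == "__main__":
    wire_blob = encode_stage(PLAINTEXT_STAGE, VICTIM_HOSTNAME)
    print("sandbox decode plausible:", looks_like_pe(decode_stage(wire_blob, "SANDBOX-PC")))
    print("matching host:", recover_stage(wire_blob, ["SANDBOX-PC", VICTIM_HOSTNAME, "WS-0042"]))
```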
Future Developments in MaaS Capabilities
Experts at ThreatLabz suggest that the newly detected malware variations linked to Venom Spider’s MaaS offerings may represent only initial iterations, anticipating further enhancements in functionality and anti-analysis techniques in the near future.
Zscaler’s detection methods included the use of both a sandbox and its cloud security platform, identifying specific malware indicators associated with the observed campaigns: LNK.Downloader.VenomLNK, Win32.Backdoor.RevC2, and Win32.Downloader.VenomLoader.
To bolster defensive measures, Zscaler has published a Python script that emulates RevC2’s WebSocket server on its GitHub repository. This resource, along with a comprehensive list of indicators of compromise (IoCs), helps security teams check for the presence of these malware threats in their environments.
Source: www.darkreading.com