More_Eggs Malware Expands Toolkit with New Backdoor and Loader

2024-12-05

Cybercriminals behind the notorious More_Eggs malware are evolving their tactics, incorporating two new malware families into their arsenal. This expansion signifies a growing threat landscape as cybercriminals operating the Malware-as-a-Service (MaaS) platform, Venom Spider (aka Golden Chickens), continuously refine their tools.

New Tools for Old Tricks:

The newly discovered components include:

RevC2: A novel information-stealing backdoor capable of pilfering cookies, passwords, and even acting as a proxy for network traffic. It utilizes WebSockets to communicate discreetly with its command-and-control server. Additionally, RevC2 boasts remote code execution (RCE) capabilities, granting attackers complete control over infected machines.

Venom Loader: A customized downloader that leverages the

VenomLNK: The Initial Access Point:

Both RevC2 and Venom Loader are deployed through VenomLNK, a familiar tool used by Venom Spider. This malicious link often masquerades as a harmless image file, tricking users into clicking and triggering the infection sequence.
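A defender-side check for the masquerading technique described above, added here as an example and not code from the article or from any vendor: it identifies Windows shortcut files by their ShellLinkHeader (the 0x4C header size and the fixed LinkCLSID from the MS-SHLLINK format) rather than trusting the extension, and flags shortcuts whose file name presents an image extension to the user. The helper names and the inline samples are constructed for this example.

```python
import struct
import uuid
from pathlib import PurePath

# ShellLinkHeader constants from the MS-SHLLINK format: fixed header size and LinkCLSID
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a structurally valid Shell Link (.lnk) header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    clsid = uuid.UUID(bytes_le=data[4:20])  # LinkCLSID is stored little-endian on disk
    return header_size == LNK_HEADER_SIZE and clsid == LNK_CLSID


def masquerades_as_image(filename: str, data: bytes) -> bool:
    """Flag a shell link whose name shows an image extension to the user."""
    if not is_shell_link(data):
        return False
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if not suffixes:
        return False
    # "photo.jpg.lnk": Explorer hides ".lnk", so the user sees "photo.jpg"
    if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in IMAGE_EXTENSIONS:
        return True
    # a shell link renamed to end in an image extension outright
    return suffixes[-1] in IMAGE_EXTENSIONS


def build_sample_lnk() -> bytes:
    """Constructed minimal header for offline testing; not a real malware sample."""
    return struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le + b"\x00" * (LNK_HEADER_SIZE - 20)


# Constructed sample set: two disguised shortcuts, one honest shortcut, one real PNG
CONSTRUCTED_SAMPLES = {
    "vacation.jpg.lnk": build_sample_lnk(),
    "invoice.png": build_sample_lnk(),
    "shortcut.lnk": build_sample_lnk(),
    "real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 80,
}


def scan_files(files: dict) -> list:
    """Return the names of files that are shell links dressed up as images."""
    return [name for name, data in files.items() if masquerades_as_image(name, data)]
```

Run `scan_files(CONSTRUCTED_SAMPLES)` to see which of the constructed inputs are flagged; in practice the same check would be applied to e-mail attachments or downloaded files before they reach a user.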

Campaign Observations:

Security researchers observed these new malware families in operation between August and October 2024. While the exact distribution methods remain under investigation, one campaign involved VenomLNK displaying a decoy image before launching RevC2.

RevC2’s Malicious Capabilities:

Once deployed, RevC2 becomes a formidable threat. Its capabilities include:

Stealing passwords and cookies stored in Chromium browsers.

Executing arbitrary system commands, granting attackers control over the infected device.

Capturing screenshots, providing visual intelligence for attackers.

Functioning as a SOCKS5 proxy, allowing attackers to anonymize their network traffic.

Executing commands with elevated privileges, enabling them to escalate their control on the system.

Venom Loader and the More_Eggs Connection:

Another campaign leveraged VenomLNK to deliver a decoy image and simultaneously deploy Venom Loader. This loader then unleashed a lightweight variant of the More_Eggs backdoor, known as More_Eggs lite. This version focuses solely on RCE capabilities, allowing attackers to remotely execute commands on the infected system.

What Undercode Says:

These findings paint a concerning picture. Despite the apprehension of two individuals linked to Venom Spider last year, the malware authors continue to innovate and expand their arsenal. This highlights the persistent threat posed by MaaS platforms and the need for robust cybersecurity measures.

Here are some key takeaways:

Evolving Threat Landscape: The discovery of RevC2 and Venom Loader demonstrates the continuous development of cybercrime tools.

Stealthy Attacks: Techniques like VenomLNK’s decoy image and Venom Loader’s customized encryption showcase the emphasis on evading detection.

Multifaceted Malware:

Adaptability is Key: The More_Eggs lite variant highlights the ability of cybercriminals to tailor their tools for specific goals.

Staying Secure:

Organizations and individuals can mitigate these threats by:

Implementing robust endpoint security solutions that can detect and block malicious activity.
Educating users to identify and avoid phishing attempts, including recognizing deceptive links and attachments.
Maintaining updated software to address vulnerabilities that attackers can exploit.
Regularly backing up critical data to ensure its recovery in case of a cyberattack.

By staying vigilant and implementing these measures, we can better defend ourselves against the evolving tactics of cybercriminals like Venom Spider.

References:

Reported By: Thehackernews.com