Wednesday, March 26, 2025

Venom Spider Spins Net of MaaS Malware


A known threat actor in the malware-as-a-service (MaaS) business, tracked as "Venom Spider," continues to build out capabilities for the cybercriminals who rent its platform, with a new backdoor and a new loader spotted in two separate attacks over a recent two-month period.

Researchers at Zscaler ThreatLabz uncovered campaigns between August and October of this year that used a backdoor called RevC2 and a loader called Venom Loader, in attacks that rely on known MaaS tools from Venom Spider (aka Golden Chickens), according to a blog post published Dec. 2.

RevC2 uses WebSockets to communicate with its command-and-control (C2) server and can steal cookies and passwords, proxy network traffic, and provide remote code execution (RCE). Venom Loader, meanwhile, uses the victim's computer name to encode its payloads, so that every build is tied to the specific machine it was delivered to.

Venom Spider is a threat actor known for offering MaaS tools such as VenomLNK, TerraLoader, TerraStealer, and TerraCryptor, which are widely used by groups such as FIN6 and Cobalt in their attacks. In fact, FIN6 was seen leveraging Venom Spider's MaaS platform in October, in a spear-phishing campaign spreading a backdoor dubbed "more_eggs" that is capable of executing secondary malware payloads.


Even “More_Eggs”

That platform apparently has been enhanced yet again, this time with two new malware families observed in recent phishing campaigns. RevC2, seen by the researchers in a campaign that ran from August to September, was delivered using an API documentation lure.

The attack began with a VenomLNK file containing an obfuscated batch (BAT) script that, when executed, downloads a PNG image from hxxp://gdrive[.]rest:8080/api/API.png. The PNG is a decoy meant to convince the victim they have opened a document titled "APFX Media API Documentation."

Upon execution, RevC2 performs two checks for specific system criteria and runs only if both pass, to ensure it is launched as part of the intended attack chain and not inside an analysis environment such as a sandbox.

Once launched, the backdoor can: communicate with the C2 using the C++ library "websocketpp"; steal passwords and cookies from Chromium-based browsers; take screenshots of the victim's system; proxy network traffic over SOCKS5; and execute commands as a different user using the stolen credentials.

A second campaign, running from September to October, used a cryptocurrency lure to deliver Venom Loader, which in turn dropped a JavaScript backdoor with RCE capability that the researchers dubbed "More_eggs lite." The malware is so named because it has fewer capabilities than the previously documented "more_eggs," ThreatLabz security researcher Muhammed Irfan V A noted in the post.


"Although it is a JS backdoor delivered via VenomLNK, the variant only includes the capability to perform RCE," he wrote.

One notable feature of Venom Loader is that the DLL used in the observed campaign is custom built for each victim and is responsible for loading the next stage, according to ThreatLabz.

The loader is downloaded from hxxp://170.75.168[.]151/%computername%/aaa, "where the %computername% value is an environment variable which contains the computer name of the system," Irfan V A wrote.

Venom Loader then uses %computername% as the hardcoded XOR key to encode its subsequent stages, which in this case launch the More_eggs lite backdoor to give the attackers RCE. Because the key is the target's own computer name, a sample detonated on a sandbox or analyst machine with a different hostname will not decode to anything useful; an analyst needs the original hostname, which also appears in the download URL, to recover the next stage.
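The following is an added illustration of that keying scheme, written for this article and not taken from Zscaler's post or from the Venom Spider toolset. The payload bytes and the hostnames ("DESKTOP-A1B2C3", "SANDBOX-PC") are constructed for the demo; the only facts carried over from the report are the URL shape (base/<computername>/aaa) and the use of the computer name as a repeating XOR key. It shows why the same blob decodes on the victim but not in a sandbox, and how an analyst can pull the first key bytes back out of an encoded stage using the expected PE header when the download URL was not captured.

```python
"""Per-victim XOR keying, reconstructed as an illustration.

Added example: not code from Zscaler or from the Venom Spider toolset.
Payload bytes and hostnames are constructed for the demo.
"""
import os
import platform

# Constructed stand-in for a next stage; real DLLs start with the "MZ" DOS header.
SAMPLE_STAGE = b"MZ\x90\x00" + b"constructed next-stage placeholder " * 3


def computer_name() -> str:
    """Mirror %COMPUTERNAME% on Windows; fall back to the short hostname elsewhere."""
    return os.environ.get("COMPUTERNAME") or platform.node().split(".")[0].upper()


def loader_url(host: str, base: str = "hxxp://170.75.168[.]151") -> str:
    """Defanged download URL of the shape reported in the post: base/<computername>/aaa."""
    return f"{base}/{host}/aaa"


def xor_with_key(data: bytes, key: str) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    kb = key.encode()
    if not kb:
        raise ValueError("empty key")
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def build_for_victim(host: str, stage: bytes = SAMPLE_STAGE) -> bytes:
    """Server side of the scheme: encode the stage with the victim's computer name."""
    return xor_with_key(stage, host)


def decode_stage(blob: bytes, host: str) -> bytes:
    """Loader or analyst side: decode with whatever computer name is supplied."""
    return xor_with_key(blob, host)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a decode produced a PE image rather than noise."""
    return data[:2] == b"MZ"


def recover_key_prefix(blob: bytes, known_prefix: bytes = b"MZ\x90\x00") -> bytes:
    """Known-plaintext trick: ciphertext XOR the expected DOS header leaks the
    first key bytes, i.e. the start of the victim's computer name."""
    return bytes(c ^ p for c, p in zip(blob, known_prefix))


def demo(victim: str = "DESKTOP-A1B2C3", sandbox: str = "SANDBOX-PC") -> dict:
    """Encode for one host, then try to decode on the victim and on a sandbox."""
    blob = build_for_victim(victim)
    return {
        "url": loader_url(victim),
        "decodes_on_victim": looks_like_pe(decode_stage(blob, victim)),
        "decodes_in_sandbox": looks_like_pe(decode_stage(blob, sandbox)),
        "key_prefix": recover_key_prefix(blob),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script on the constructed data shows the blob decoding only under the victim's hostname and the known-plaintext step returning the first four characters of that hostname. In practice the hostname is usually the easier route, since it is embedded in the loader's download URL and therefore in any proxy log that captured the request.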

MaaS Capabilities Expected to Expand

ThreatLabz believes the new malware in Venom Spider's MaaS platform "are early versions, and anticipate more features and anti-analysis techniques to be added in the future," Irfan V A wrote.

Zscaler detected the malware using both its sandbox and its cloud security platform, which flagged the following threat names related to the campaign: LNK.Downloader.VenomLNK; Win32.Backdoor.RevC2; and Win32.Downloader.VenomLoader.


Zscaler has also published a Python script that emulates RevC2's WebSocket server on its GitHub repository, and included a long list of indicators of compromise (IoCs) in the blog post so defenders can check their organizations' systems for evidence of the malware.
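As an added example of how a defender might actually use the two URLs quoted in this article, the script below sweeps proxy log lines for them. It is not Zscaler's detection logic and is not from the blog post; the log lines are constructed for the demo and the log format (timestamp, client hostname, client IP, method, URL, status) is an assumption. It goes one step beyond the report with a generic check that flags any request whose first URL path segment equals the requesting machine's own hostname, which is the structural fingerprint of the per-victim loader URL. That heuristic will also fire on some legitimate device-management traffic, so treat it as a hunting lead rather than an alert on its own.

```python
"""Proxy-log sweep for the download URLs in this report, plus a generic check.

Added example: not Zscaler's detection logic and not from the blog post.
Log lines are constructed; the two IoCs are the defanged URLs quoted above.
"""
import re
from urllib.parse import urlsplit

# Defanged exactly as printed in the article; %computername% is a per-victim wildcard.
DEFANGED_IOCS = [
    "hxxp://gdrive[.]rest:8080/api/API.png",
    "hxxp://170.75.168[.]151/%computername%/aaa",
]

# Constructed sample (not real telemetry): timestamp client_hostname client_ip method url status
SAMPLE_LOG = """\
2024-09-12T10:01:07Z DESKTOP-A1B2C3 10.0.0.23 GET http://gdrive.rest:8080/api/API.png 200
2024-09-12T10:01:09Z DESKTOP-A1B2C3 10.0.0.23 GET http://www.example.com/index.html 200
2024-10-03T14:22:41Z FIN-LAPTOP-07 10.0.1.44 GET http://170.75.168.151/FIN-LAPTOP-07/aaa 200
2024-10-03T14:23:02Z FIN-LAPTOP-07 10.0.1.44 GET http://cdn.example.org/FIN-LAPTOP-07/aaa 200
2024-10-03T14:25:10Z HR-PC-12 10.0.2.9 GET http://updates.example.net/HR-PC-12/manifest.json 200
"""


def refang(ioc: str) -> str:
    """Turn the report's defanged notation back into a matchable URL."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def ioc_regex(defanged: str):
    """Escape the literal parts and let %computername% match exactly one path segment."""
    parts = [re.escape(p) for p in refang(defanged).split("%computername%")]
    return re.compile("^" + "[^/]+".join(parts) + "$", re.IGNORECASE)


IOC_PATTERNS = [(ioc, ioc_regex(ioc)) for ioc in DEFANGED_IOCS]


def path_leaks_hostname(url: str, client_host: str) -> bool:
    """Generic check: first path segment equals the requesting machine's hostname."""
    segs = [s for s in urlsplit(url).path.split("/") if s]
    return bool(segs) and segs[0].lower() == client_host.lower()


def scan(log_text: str) -> list:
    """Return one record per suspicious line, with every reason it was flagged."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: skip rather than abort the whole hunt
        ts, client_host, _ip, _method, url, _status = fields
        reasons = [f"ioc:{ioc}" for ioc, rx in IOC_PATTERNS if rx.match(url)]
        if path_leaks_hostname(url, client_host):
            reasons.append("hostname-in-path")
        if reasons:
            hits.append({"ts": ts, "host": client_host, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["host"], h["url"], ", ".join(h["reasons"]))
```

On the constructed sample, the decoy PNG fetch and the loader fetch both hit an exact IoC, the loader fetch additionally trips the hostname-in-path check, and the two remaining hostname-in-path hits are the kind of lead that needs a second look at the destination domain before anyone is paged.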
