Full Report
The threat actors behind the More_eggs malware have been linked to two new malware families, indicating an expansion of its malware-as-a-service (MaaS) operation. This includes a novel information-stealing backdoor called RevC2 and a loader codenamed Venom Loader, both of which are deployed using VenomLNK, a staple tool that serves as an initial access vector for the deployment of follow-on
Analysis Summary
# Tool/Technique: RevC2 Backdoor
## Overview
RevC2 is a novel information-stealing backdoor that communicates with its command-and-control (C2) server over WebSockets. It is deployed by the Venom Spider threat actor (also tracked as Golden Chickens) as part of the expanded More\_eggs malware-as-a-service (MaaS) operation that the group runs.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Implicitly Windows (based on typical TTPs associated with these groups and malware capabilities)
- Capabilities: steal passwords and cookies from Chromium-based browsers, proxy network traffic over SOCKS5, execute shell commands (remote code execution), take screenshots, and run commands under a different user context.
- First Seen: Campaigns observed between August and October 2024.
## MITRE ATT&CK Mapping
*(Mappings are inferred from the capabilities described above; the source does not publish its own mapping)*
- TA0006 - Credential Access: T1555.003 - Credentials from Password Stores: Credentials from Web Browsers (password theft); T1539 - Steal Web Session Cookie (cookie theft)
- TA0009 - Collection: T1113 - Screen Capture
- TA0002 - Execution: T1059 - Command and Scripting Interpreter (remote shell commands)
- TA0011 - Command and Control: T1071.001 - Application Layer Protocol: Web Protocols (WebSocket C2, which starts as an HTTP Upgrade request); T1090 - Proxy (SOCKS5 proxying of traffic through the victim)
- T1573 - Encrypted Channel applies only if the WebSocket session is carried over TLS (`wss://`); the text does not state whether it is.
## Functionality
### Core Capabilities
- Steal passwords and cookies from Chromium-based web browsers.
- Execute arbitrary shell commands remotely.
- Take screenshots of the compromised system.
- Proxy network traffic using SOCKS5 protocol.
### Advanced Features
- Uses WebSockets for C2. A WebSocket session begins as an ordinary HTTP request with `Upgrade: websocket` and `Connection: Upgrade` headers, so the handshake blends into normal web traffic and the binary frames that follow are opaque to port-based filtering.
- Can execute commands under a different user context than the one the backdoor itself runs in.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: [Not explicitly provided in the text]
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: no C2 IP address or domain is provided in the text; the only network characteristic described is C2 over WebSockets.
- Behavioral Indicators: a non-browser process establishing an outbound WebSocket session; reads of Chromium credential and cookie stores by a non-browser process; SOCKS5 traffic relayed through the host; shell commands spawned by the process that holds the WebSocket session.
## Associated Threat Actors
- Venom Spider (aka Golden Chickens)
- Associated with the More\_eggs MaaS operations.
## Detection Methods
- Detection should focus on unexpected outbound WebSocket sessions. A WebSocket opens with an HTTP `GET` carrying `Upgrade: websocket` and `Connection: Upgrade` headers and is answered with `101 Switching Protocols`; web proxies and network sensors can log that handshake even though the frames that follow are opaque. Alert on upgrades initiated by processes that are not browsers or sanctioned collaboration clients, and on any upgrade to known malicious infrastructure.
- Monitor reads of Chromium credential and cookie stores (`Login Data`, `Cookies` or `Network\Cookies`, and `Local State`, which holds the DPAPI-protected key used to decrypt them) by any process other than the browser that owns the profile.
- Monitor for shell processes (`cmd.exe`, `powershell.exe`) spawned by a process that holds an outbound WebSocket session, particularly when the child runs under a different user context than the parent.
- [YARA rules if available]: [Not explicitly provided in the text]
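The three detection points above can be expressed as one hunting routine over endpoint telemetry. The following is an added example written for this page, not code from the report or from the analysed malware; the event schema, the process name `update.exe`, the address `203.0.113.10` (an RFC 5737 documentation range, not a real indicator) and the allowlist of sanctioned WebSocket clients are all assumptions, and the events are constructed.

```python
"""Hunting logic for the RevC2 behaviours described above, run over constructed
EDR-style events (HTTP requests, file reads, process creation)."""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Non-browser (process, host) pairs the organisation expects to speak WebSocket (assumption).
WS_ALLOWLIST = {("teams.exe", "teams.microsoft.com")}

# Chromium profile artefacts: "Local State" holds the DPAPI-wrapped os_crypt key,
# "Login Data" the saved passwords, "Cookies" / "Network\Cookies" the session cookies.
CHROMIUM_STORES = re.compile(
    r"\\User Data\\(Local State|[^\\]+\\(Login Data|Web Data|Cookies|Network\\Cookies))$",
    re.IGNORECASE,
)


def is_ws_upgrade(event: dict) -> bool:
    """True for the HTTP handshake that opens a WebSocket session (RFC 6455):
    an Upgrade: websocket header plus a Connection header listing 'upgrade'."""
    headers = {k.lower(): v.lower() for k, v in event.get("headers", {}).items()}
    connection_tokens = {t.strip() for t in headers.get("connection", "").split(",")}
    return headers.get("upgrade") == "websocket" and "upgrade" in connection_tokens


def hunt(events: list) -> list:
    """Return (timestamp, rule, detail) alerts for: WebSocket C2 from an unexpected
    process, browser-store theft by a non-browser, and a shell spawned by the
    process that holds the WebSocket session."""
    alerts = []
    ws_sessions = {}  # pid -> host of the first suspicious WebSocket upgrade
    for ev in sorted(events, key=lambda e: e["ts"]):
        proc = ev["process"].lower()
        if ev["type"] == "http" and is_ws_upgrade(ev):
            if proc not in BROWSERS and (proc, ev["host"]) not in WS_ALLOWLIST:
                alerts.append((ev["ts"], "ws-upgrade",
                               f"{proc} (pid {ev['pid']}) opened WebSocket to {ev['host']}"))
                ws_sessions.setdefault(ev["pid"], ev["host"])
        elif ev["type"] == "file_read" and proc not in BROWSERS \
                and CHROMIUM_STORES.search(ev["path"]):
            alerts.append((ev["ts"], "browser-store-access",
                           f"{proc} (pid {ev['pid']}) read {ev['path']}"))
        elif ev["type"] == "process_create" and proc in SHELLS \
                and ev["parent_pid"] in ws_sessions:
            alerts.append((ev["ts"], "shell-after-ws",
                           f"{ev['parent_process']} (pid {ev['parent_pid']}) spawned {proc} "
                           f"while holding WebSocket to {ws_sessions[ev['parent_pid']]}: "
                           f"{ev['cmdline']}"))
    return alerts


# Constructed sample telemetry: pid 4100 is a browser doing normal work, pid 7000 a
# sanctioned collaboration client, pid 5232 behaves like the backdoor described above.
EVENTS = [
    {"ts": 1, "type": "http", "process": "teams.exe", "pid": 7000, "host": "teams.microsoft.com",
     "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}},
    {"ts": 2, "type": "http", "process": "update.exe", "pid": 5232, "host": "203.0.113.10",
     "headers": {"Upgrade": "websocket", "Connection": "keep-alive, Upgrade"}},
    {"ts": 3, "type": "file_read", "process": "update.exe", "pid": 5232,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": 4, "type": "file_read", "process": "update.exe", "pid": 5232,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 5, "type": "file_read", "process": "chrome.exe", "pid": 4100,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": 6, "type": "process_create", "process": "cmd.exe", "pid": 6011,
     "parent_pid": 5232, "parent_process": "update.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": 7, "type": "process_create", "process": "cmd.exe", "pid": 6012,
     "parent_pid": 3000, "parent_process": "explorer.exe", "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for ts, rule, detail in hunt(EVENTS):
        print(f"t={ts} [{rule}] {detail}")
```

Run against the constructed events, the routine raises one alert for the WebSocket upgrade from `update.exe`, two for its reads of `Local State` and `Login Data`, and one for the `cmd.exe` it spawns, while the browser's own cookie access and the shell started from Explorer stay silent. In production the `file_read` rule needs an exclusion list for backup and profile-sync agents, and the `ws-upgrade` rule is only as good as the proxy's ability to see the handshake, which for `wss://` means TLS inspection or endpoint-side HTTP telemetry.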
## Mitigation Strategies
- Route outbound web traffic through a proxy that logs WebSocket upgrades and restrict them to an allowlist of sanctioned destinations; port-based egress filtering alone is weak here, because WebSocket C2 normally rides on 80/443 alongside legitimate browsing.
- Enforce multi-factor authentication (MFA) to limit the value of stolen passwords, but note that stolen session cookies replay an already-authenticated session and bypass MFA: shorten session lifetimes and revoke active sessions for users whose browser stores were accessed.
- Use endpoint detection and response (EDR) solutions capable of monitoring process activity and network connections at the API level.
- Regularly audit and limit permissions for user accounts, especially those used for browsing activities.
## Related Tools/Techniques
- VenomLNK (Used as the initial access vector/dropper)
- Venom Loader (Used alongside RevC2 in different campaigns)
- More\_eggs (The overarching MaaS platform)
***
# Tool/Technique: Venom Loader
## Overview
Venom Loader is a new malware loader designed to be customized for each victim by encoding its payload using the victim's local computer name. It is used by the Venom Spider threat actors to deploy follow-on payloads, specifically More\_eggs lite.
## Technical Details
- Type: Malware (Loader)
- Platform: Implicitly Windows
- Capabilities: Load and execute secondary payloads (More\_eggs lite), custom payload encoding based on victim's hostname.
- First Seen: Campaigns observed between August and October 2024.
## MITRE ATT&CK Mapping
*(Mappings are inferred from the loader behaviour described in the text)*
- TA0005 - Defense Evasion: T1027 - Obfuscated Files or Information (payload encoded with a key derived from the victim's computer name); T1140 - Deobfuscate/Decode Files or Information (the loader decodes More\_eggs lite on the victim host)
- TA0002 - Execution: T1204.002 - User Execution: Malicious File (the chain starts when the user opens the VenomLNK shortcut); T1059 - Command and Scripting Interpreter (inferred for launching the decoded payload; the text does not describe the execution mechanism)
## Functionality
### Core Capabilities
- Decodes and launches the secondary payload (More\_eggs lite).
- Derives its encoding from the target machine's identity (the local computer name), so the encoded payload is specific to one victim.
### Advanced Features
- Victim-specific payload encoding: the same payload yields a different encoded blob on every host, so file hashes and content signatures taken from one victim do not match another, and the blob does not decode on an analysis machine whose computer name differs.
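To make the consequences of hostname-keyed encoding concrete, here is an added illustration written for this page. It is not Venom Loader's algorithm, which the text does not describe; the key derivation (SHA-256 over a per-build salt and the upper-cased computer name), the SHA-256 counter keystream and the CRC32 decode check are stand-ins chosen to show the design, and the payload bytes and computer names are constructed.

```python
"""Illustration of victim-keyed payload encoding of the kind the report attributes
to Venom Loader: the blob only decodes on the host it was built for."""
import hashlib
import zlib

SALT = b"campaign-salt-2024"  # assumption: a per-build constant baked into the loader


def derive_key(computer_name: str, salt: bytes) -> bytes:
    """Key from the computer name, upper-cased the way Windows reports the NetBIOS
    name so the same host always derives the same key."""
    return hashlib.sha256(salt + computer_name.upper().encode("utf-16-le")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction for the illustration)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def encode_for_victim(payload: bytes, computer_name: str, salt: bytes = SALT) -> bytes:
    """Builder side: append a CRC32 of the plaintext so the loader can tell a
    correct decode from garbage, then XOR with the host-derived keystream."""
    tag = zlib.crc32(payload).to_bytes(4, "little")
    return _xor(payload + tag, derive_key(computer_name, salt))


def decode_on_host(blob: bytes, computer_name: str, salt: bytes = SALT):
    """Loader side: decode with the *current* machine's name. On any other host
    (an analyst VM, a sandbox) the CRC fails and nothing is executed."""
    body = _xor(blob, derive_key(computer_name, salt))
    payload, tag = body[:-4], body[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != tag:
        return None
    return payload


def blob_fingerprints(payload: bytes, names: list) -> set:
    """SHA-256 of the encoded blob per victim: one hash per host, so a hash IOC
    collected on one victim will not match the blob on another."""
    return {hashlib.sha256(encode_for_victim(payload, n)).hexdigest() for n in names}


PAYLOAD = b"CONSTRUCTED STAND-IN FOR MORE_EGGS LITE"  # constructed, not malware
VICTIM = "DESKTOP-A1B2C3"                               # constructed host name

if __name__ == "__main__":
    blob = encode_for_victim(PAYLOAD, VICTIM)
    print("decodes on victim:", decode_on_host(blob, VICTIM) == PAYLOAD)
    print("decodes in sandbox:", decode_on_host(blob, "SANDBOX-VM") is not None)
    print("distinct blob hashes for 3 hosts:",
          len(blob_fingerprints(PAYLOAD, [VICTIM, "HOST-B", "HOST-C"])))
```

The practical lessons for responders follow directly: record the exact computer name of the infected host when you acquire the loader, or the payload cannot be recovered off-box; a sandbox that randomises or generalises hostnames will watch the loader do nothing; and hash-based sharing of the encoded blob is useless across victims, so IOCs should describe the loader code and its behaviour instead.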
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: [Not explicitly provided in the text]
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: none provided in the text; it does not state whether More\_eggs lite is embedded in the loader or fetched from a remote server.
- Behavioral Indicators: execution following the VenomLNK stage; a process that reads the local computer name and then decodes and launches More\_eggs lite.
## Associated Threat Actors
- Venom Spider (aka Golden Chickens)
- Associated with the More\_eggs MaaS operations.
## Detection Methods
- Focus on the execution chain rather than file content: the loader runs as a descendant of the VenomLNK shortcut and its job is to decode and launch More\_eggs lite, so alert on that parent/child relationship.
- Because the payload is encoded per victim, hashes and content signatures taken from one sample will not match the blob on another host; any static signature has to target the loader code itself, not the encoded payload.
- [YARA rules if available]: [Not explicitly provided in the text]
## Mitigation Strategies
- Application allow-listing that prevents unapproved executables and scripts from running stops the loader before it decodes anything.
- Monitor process creation originating from Windows shortcut (.lnk) files delivered from outside the organisation, since VenomLNK is the stage that starts the loader.
## Related Tools/Techniques
- VenomLNK (Used as the initial access vector/dropper)
- More\_eggs lite (The payload delivered by Venom Loader)
***
# Tool/Technique: VenomLNK
## Overview
VenomLNK is a staple initial access tool used by the Venom Spider threat group. It functions by displaying a decoy image (PNG) to the user while simultaneously executing malware, most often RevC2 or Venom Loader.
## Technical Details
- Type: Attack Tool / Delivery Mechanism
- Platform: Windows (the Shell Link .LNK format is Windows-specific)
- Capabilities: Initial execution, decoy delivery (PNG image), hiding execution of malicious code.
- First Seen: Used in observed campaigns between August and October 2024.
## MITRE ATT&CK Mapping
*(Mappings are inferred from the delivery behaviour described in the text)*
- TA0001 - Initial Access: T1566.001 - Phishing: Spearphishing Attachment (if the shortcut arrives as an e-mail attachment; the text does not state the delivery channel)
- TA0002 - Execution: T1204.002 - User Execution: Malicious File (the victim opens the shortcut); T1059 - Command and Scripting Interpreter (inferred: the shortcut target runs a command that starts the payload)
- TA0005 - Defense Evasion: T1036 - Masquerading (the shortcut presents itself as harmless and opens a decoy PNG)
## Functionality
### Core Capabilities
- Acts as the dropper/delivery vehicle for RevC2 or Venom Loader.
- Runs the secondary malware while presenting a harmless-looking PNG to the user, so the victim sees an image open and has no reason to suspect anything else happened.
### Advanced Features
- Abuses the normal behaviour of Windows shortcut files rather than any vulnerability: opening a .LNK runs its target with the stored arguments, so a single double-click both opens the decoy PNG and starts the payload.
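The fields that make a shortcut dangerous (target, arguments, window state) sit in the .LNK file itself and can be read without executing it. The following is an added example written for this page, not code from the report: a minimal parser for the MS-SHLLINK header and StringData sections, a triage function that flags the lure pattern described above, and a constructed sample shortcut whose target, arguments and file names are placeholders, not VenomLNK's real command line.

```python
"""Parse and triage a Windows Shell Link (.lnk) file of the shape VenomLNK uses:
a shortcut whose target runs a command that opens a decoy image and starts a payload."""
import struct

HEADER_FMT = "<I16sIIQQQIIIHHII"  # HeaderSize .. Reserved3, 76 bytes (MS-SHLLINK 2.1)
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target window minimised
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def parse_lnk(data: bytes) -> dict:
    """Decode the fixed header, skip LinkTargetIDList/LinkInfo if present, then
    read the StringData fields in their fixed order."""
    if len(data) < 0x4C:
        raise ValueError("too short to be a Shell Link")
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr[0] != 0x4C or hdr[1] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, show_cmd = hdr[2], hdr[9]
    off = 0x4C
    if flags & HAS_ID_LIST:
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    info = {"flags": flags, "show_command": show_cmd}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            info[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[key] = data[off:off + count].decode("cp1252")
            off += count
    return info


def triage_lnk(data: bytes) -> list:
    """Return the reasons a shortcut looks like an execution lure (empty if none)."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "")
    findings = []
    if target.endswith(SCRIPT_HOSTS):
        findings.append("target is a script/shell host: " + target.rsplit("\\", 1)[-1])
    if args:
        findings.append(f"shortcut passes {len(args)} chars of command-line arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE), hiding the console")
    if any(ext in args.lower() for ext in IMAGE_EXT):
        findings.append("arguments open an image file: decoy while the rest of the command runs")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str,
              icon_location: str, show_cmd: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Assemble a minimal Unicode shortcut (header + StringData only) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(HEADER_FMT, 0x4C, SHELL_LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def field(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + field(relative_path) + field(working_dir) + field(arguments) + field(icon_location)


# Constructed sample: a shortcut that opens a decoy PNG and then runs a placeholder payload.
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    working_dir=r"%TEMP%",
    arguments=r'/c start "" decoy.png & payload.bat',
    icon_location=r"%SystemRoot%\System32\imageres.dll",
)

if __name__ == "__main__":
    for line in triage_lnk(SAMPLE_LNK):
        print("-", line)
```

The parser only walks the header and string fields, which is enough to recover the target, arguments and window state that mail-gateway and sandbox triage care about; real shortcuts usually also carry a LinkTargetIDList, LinkInfo and ExtraData blocks (the TrackerDataBlock there holds the author machine's NetBIOS name and MAC-derived identifiers, useful for clustering lures from one builder), and the same offset-walking approach extends to them.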
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: no specific names are provided in the text; the artefacts are the Windows shortcut (.lnk) file itself and the decoy PNG it opens.
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: [N/A for the LNK file itself, only for subsequent payloads]
- Behavioral Indicators: Execution of binaries/scripts triggered by opening a LNK file that should only display an image.
## Associated Threat Actors
- Venom Spider (aka Golden Chickens)
- Associated with the More\_eggs MaaS operations.
## Detection Methods
- EDR systems should alert on process creation whose parent chain starts from a Windows shortcut, especially shortcuts opened from user-writable locations such as Downloads, Temp, mail attachment or archive extraction folders rather than from the Desktop, Start Menu or taskbar, and especially when the shortcut's target is `cmd.exe`, `powershell.exe` or another script host.
- Signature detection on the LNK artefacts used by this group, bearing in mind that shortcut metadata (target path, arguments, icon location, machine identifier) is easy to vary between campaigns.
- [YARA rules if available]: [Not explicitly provided in the text]
## Mitigation Strategies
- Block or quarantine Windows shortcut (.lnk) files arriving from outside the organisation (mail attachments, web downloads, contents of archives), since there is rarely a legitimate reason to receive one.
- Educate users to treat files as suspect even when they appear to be benign images or documents, especially when received unexpectedly; a file that opens an image but is a shortcut rather than an image is exactly the lure described here.
## Related Tools/Techniques
- RevC2 (Potential payload)
- Venom Loader (Potential payload)
- More\_eggs (Associated with the threat actor)