Venom Spider Spins Web of New Malware for MaaS Platform

Summary:
A known threat actor in the Malware-as-a-Service (MaaS) business, Venom Spider, has expanded the capabilities of its MaaS platform with a new backdoor and a new loader. Zscaler detected this newer malware in two separate intrusions between August and October 2024. In these attacks, Zscaler found a new backdoor, called RevC2, and a new loader, dubbed Venom Loader, being deployed by the adversary by leveraging Venom Spider’s MaaS tools. Venom Loader is customized for each intrusion attempt, using the victim’s computer name to encode its payload.

Campaign 1: API documentation lure leads to RevC2

The first campaign ran from August to September and used an API documentation lure to deliver RevC2, a backdoor that can steal sensitive data from the victim’s machine. The attack begins with a VenomLNK file, although how that file is distributed is unknown. The file contains an obfuscated script that downloads the API documentation lure and triggers the execution of RevC2 in the background. Upon execution, RevC2 runs sandbox detection checks and proceeds only if they pass. RevC2 communicates with its C2 server over WebSockets using the C++ library websocketpp; the C2 address is hardcoded, and the data transmitted to the server are JSON objects. Supported RevC2 commands let the adversary execute shell commands, steal Chromium browser passwords, proxy traffic, steal cookies, and take screenshots.
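Because RevC2 talks to a hardcoded C2 address over WebSockets, the WebSocket upgrade itself (an HTTP 101 response with an Upgrade: websocket header) is something a proxy or egress log already records. The following Python script is an added example written for this summary, not code from Zscaler or from the report; it triages constructed proxy-log lines and flags WebSocket upgrades to hosts outside a defender-maintained allowlist, weighting bare-IP destinations and non-standard ports. The log format, hostnames and addresses are placeholders chosen for the example.

```python
import ipaddress
import re

# Constructed sample proxy-log lines in a simple key=value style (not real telemetry).
# Every host and address below is a placeholder, not an indicator from the report.
SAMPLE_PROXY_LOG = """\
ts=2024-09-02T10:14:01Z src=10.0.5.21 dst=updates.example-corp.internal:443 method=GET path=/ status=200 upgrade=-
ts=2024-09-02T10:14:09Z src=10.0.5.21 dst=chat.example.com:443 method=GET path=/ws status=101 upgrade=websocket
ts=2024-09-02T10:15:30Z src=10.0.5.21 dst=203.0.113.45:8080 method=GET path=/ status=101 upgrade=websocket
ts=2024-09-02T10:16:02Z src=10.0.5.22 dst=cdn.example.net:443 method=GET path=/lib.js status=200 upgrade=-
ts=2024-09-02T10:17:45Z src=10.0.5.22 dst=srv-placeholder.example.org:443 method=GET path=/socket status=101 upgrade=websocket
"""

# Assumption: the defender maintains a list of hosts where WebSocket traffic is expected.
WEBSOCKET_ALLOWLIST = {"chat.example.com"}

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict (empty dict for blank/unparseable lines)."""
    return dict(_KV_RE.findall(line))


def is_ip_literal(host):
    """True when the destination is written as an IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_websockets(log_text, allowlist=WEBSOCKET_ALLOWLIST):
    """Return one finding per WebSocket upgrade to a destination outside the allowlist."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        # Only completed WebSocket handshakes matter here: HTTP 101 plus Upgrade: websocket.
        if rec.get("status") != "101" or rec.get("upgrade", "").lower() != "websocket":
            continue
        host, _, port = rec["dst"].rpartition(":")
        if host in allowlist:
            continue
        reasons = ["websocket upgrade to host outside allowlist"]
        if is_ip_literal(host):
            # A hardcoded C2 address is often a bare IP; names are not required for the handshake.
            reasons.append("destination is a bare IP literal")
        if port not in ("80", "443"):
            reasons.append(f"non-standard port {port}")
        findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_websockets(SAMPLE_PROXY_LOG):
        print(f["ts"], f["src"], "->", f["dst"], "|", "; ".join(f["reasons"]))
```

Run against the sample, the script flags the bare-IP destination on port 8080 with three reasons and the unknown hostname on port 443 with one; the allowlisted chat host and the plain HTTPS requests are ignored. In practice the allowlist is the part that needs care: build it from a baseline of legitimate WebSocket destinations before relying on the output.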

Campaign 2: Crypto transaction lure leads to Venom Loader and More_eggs lite malware

The second campaign, running from September to October, uses a cryptocurrency transaction lure to deliver Venom Loader, which then deploys More_eggs lite, a JavaScript (JS) backdoor whose only capability is remote code execution (RCE). The early stages mirror the first campaign: the LNK file contains an obfuscated script that displays the lure image to the victim while executing malicious processes in the background. The custom-built Venom Loader DLL loads the next stage. Venom Loader writes a VBS script and a PowerShell script, merge.ps1; the VBS script executes More_eggs lite by running merge.ps1 and establishes persistence by adding merge.ps1 to the autorun registry key.
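Persistence through a PowerShell script registered in an autorun key is easy to audit, because a Run-key entry that launches a script host against a .ps1 or .vbs file in a user-writable directory is rare in legitimate software. The Python below is an added example for this summary, not Zscaler's code or the report's own tooling; it parses a constructed .reg-style export of the per-user Run key and reports entries that match that pattern. The value names, user name and paths in the sample are placeholders, and the script-host, extension and flag lists are the author's assumptions about what is worth flagging.

```python
import re

# Constructed .reg-style export of a per-user autorun key (sample data, not from the report).
# The user name, paths and value names are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"merge"="powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File \"C:\\Users\\victim\\AppData\\Roaming\\merge.ps1\""
"Updater"="wscript.exe //B \"C:\\Users\\Public\\update.vbs\""

"""

# Assumed heuristics: script hosts, script extensions, user-writable locations and
# flags that hide a window or bypass execution policy.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta")
SCRIPT_EXTENSIONS = (".ps1", ".vbs", ".js", ".jse", ".hta")
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
STEALTH_FLAGS = ("-windowstyle hidden", "-w hidden", "-executionpolicy bypass", "-ep bypass", "//b")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every string value in the export."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current_key:
            yield current_key, _unescape(m.group(1)), _unescape(m.group(2))


def assess_command(command):
    """Return the reasons an autorun command looks like script-based persistence (empty if none)."""
    cmd = command.lower()
    reasons = []
    if any(h in cmd for h in SCRIPT_HOSTS):
        reasons.append("script host launched from autorun")
    ext = next((e for e in SCRIPT_EXTENSIONS if e in cmd), None)
    if ext:
        reasons.append(f"autorun points at a {ext} script")
    if any(d in cmd for d in USER_WRITABLE_DIRS):
        reasons.append("script lives in a user-writable directory")
    flags = [f for f in STEALTH_FLAGS if f in cmd]
    if flags:
        reasons.append("stealth/bypass flags: " + ", ".join(flags))
    return reasons


def audit_run_keys(text):
    """Return findings for every Run-key value whose command trips at least one heuristic."""
    findings = []
    for key, name, command in parse_reg_export(text):
        if not key.lower().endswith("\\run"):
            continue
        reasons = assess_command(command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f"[{f['key']}] {f['name']} -> {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the sample, the OneDrive entry passes and the two script-based entries are reported with all the reasons that apply. To run it against a live host, export the key with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and read the file with `encoding="utf-16"`, since `reg export` writes UTF-16; the same parser works for the HKLM Run and RunOnce keys if the export covers them.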

Security Officer Comments:
Zscaler ThreatLabz reports observing numerous campaigns using these two new malware families. The novelty of the malware, together with the volume of attacks and the use of Venom Spider’s MaaS tools for delivery, may indicate that the malware is in its early versions and that more features are expected to be implemented in the future. The use of Venom Spider’s MaaS tools also makes attribution difficult: the tools have been used by APT groups such as FIN6 and Cobalt in the past, but there is no high-confidence indicator that allows Zscaler to link this activity to any specific threat group. The lack of targeting evident in the lures used highlights these campaigns’ opportunistic nature. Comprehensive endpoint security solutions help organizations maintain a robust security posture that can defend against similar attacks.

Suggested Corrections:
IOCs are available here.

Zscaler ThreatLabz created a useful Python script that emulates a RevC2 server. The script is available in their GitHub repository.

The increase in remote work has increased reliance on email as a vital communication mechanism. This in turn raises the risk of personnel being targeted by phishing or spam attacks, and thus of ransomware and other malware infections. Users should adhere to the following recommendations:
  • Do not open emails or download software from untrusted sources.
  • Do not click on links or attachments in emails that come from unknown senders.
  • Do not supply passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion).
  • Always verify the email sender's email address, name, and domain.
  • Back up important files frequently and store the backups separately from the main system.
  • Protect devices using antivirus, anti-spam, and anti-spyware software.
  • Report phishing emails to the appropriate security or IT staff immediately.

Link(s):
https://www.darkreading.com/cyberattacks-data-breaches/venom-spider-malware-maas-platform

https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader