Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

Summary:
Arctic Wolf Labs has uncovered a recent phishing campaign executed by the financially motivated threat actor Venom Spider (TA4557, GoldenChickens) that leverages the job hiring process to spread the More_eggs backdoor. The campaign targets HR departments and corporate recruiters by sending malicious payloads disguised as resumes within delivered job applications. This represents a tactical shift for Venom Spider, expanding beyond the e-commerce sector to target individuals like recruiters who routinely handle attachments from unknown sources.

The attack chain begins with a spear-phishing email sent to the victim (hiring manager/recruiter) containing a link that purportedly leads the manager to an external site to download the fake job-seeker’s resume. The site presents a CAPTCHA box that requires user interaction, increasing its legitimacy in the eyes of the target and potentially bypassing automated security scanning tools. Once the CAPTCHA is completed, a ZIP file containing a decoy image and a malicious, polymorphically generated .lnk file (disguised as a resume) is downloaded. Opening the shortcut deceptively launches WordPad while a hidden, obfuscated batch script executes. This script employs the LOLBIN ie4uinit.exe to run a malicious script from %temp%\ieuinit.inf, ultimately dropping and registering the More_eggs_Dropper DLL. The dropper uses polymorphic JavaScript, delayed execution for evasion, and RC4-like encryption with brute-forced decryption keys, and it stores components such as msxsl.exe for running embedded XML or JS. A dual-layer encryption scheme employed by the payload incorporates hard-coded keys and system-specific details to thwart sandbox analysis.

Once active, the More_eggs backdoor communicates with its C2 server and supports commands for self-removal, command execution, data exfiltration, and running additional JavaScript. Venom Spider uses infrastructure such as Amazon-hosted domains and GoDaddy-based C2 servers, employing techniques like domain cloaking via nested subdomains and redirections to evade detection.

Security Officer Comments:
Venom Spider's latest campaign unveils a concerning evolution in their tactics, transitioning to exploiting the workflow within HR departments, a social engineering method made popular by DPRK-sponsored threat actors. By weaponizing job applications, they are effectively targeting a user group accustomed to receiving and opening attachments from unfamiliar senders, as highlighted by Arctic Wolf's analysis. The use of a CAPTCHA to bypass automated scanners, polymorphic .lnk files, Living-Off-the-Land binaries like ie4uinit.exe, and cloaked domains showcases a significant effort aimed at evading traditional security measures. Notably, the implementation of a dual-layer encryption scheme that incorporates system-specific details with hard-coded keys renders sandbox environments largely ineffective and makes analysis of the final stage of the More_eggs backdoor impossible. The shift in focus from primarily financial sectors to HR departments underscores the broad applicability and potential impact of this campaign across various industries. North Korean threat actors have provided the cybercriminal community with numerous examples of the effectiveness of targeting HR and recruiters at critical sector organizations, and it appears that more threat actors are beginning to adopt these techniques. This reinforces the critical need for organizations to recognize HR department employees as key cybersecurity stakeholders and to implement targeted training and security protocols for employees who handle job hiring, so as to mitigate the risks associated with threats like this as these schemes continue to become more prevalent.

Suggested Corrections:
IOCs are available here.

Due to Venom Spider’s use of social engineering, including the targeting of corporate HR and other hiring staff with realistic-looking job application phishing emails and actor-controlled “resume” websites, organizations that make use of third-party job posting websites (including sites like LinkedIn, Indeed[.]com and similar) should regularly train employees on identifying and countering spear phishing attacks.

Employees who work in vulnerable departments such as HR and Recruitment should receive additional training that teaches them to always be extra wary of attachments that are LNK, ISO, or VBS files. These file types are often sent inside ZIP archives to bypass email filters. Employees should be taught to routinely inspect attachment files by right-clicking the file and selecting “Properties” (on Windows) or “Get Info” (on Mac) before opening them.

In addition, organizations can protect themselves by exercising the following measures:
  • Consider the use of Secure Email Gateway solutions to help proactively filter out malicious emails.
  • Implement an Endpoint Detection and Response (EDR) solution.
  • Ensure all employees throughout the company are aware of good security hygiene practices, including awareness of social engineering.
  • Add or enable a phishing report button in your organization’s email solution to empower employees to immediately report suspected phishing emails to your SOC or IT security team.
  • Consider conducting regular internal phishing tests to reinforce security training.
  • Block identified command-and-control infrastructure used in this campaign.
  • Deploy detection rules for More_eggs components.
  • Carefully review logs for indicators of compromise.
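As an added example supporting the "deploy detection rules" and "review logs" recommendations above (not code from Arctic Wolf or the original page), the following Python heuristics check Sysmon-style process-creation events for the delivery chain described in the summary: ie4uinit.exe staged alongside ieuinit.inf in %temp%, a dropped msxsl.exe running from a user-writable path, and WordPad launched as a decoy by a batch script. The events, paths and user names are constructed placeholders, and the WordPad-from-cmd.exe rule is an assumption about how the decoy launch appears in telemetry.

```python
import re
from typing import Dict, List, Tuple

# Process-creation events in Sysmon Event ID 1 style; all constructed for this
# example, not real telemetry. Paths and user names are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\ie4uinit.exe", "CommandLine": "ie4uinit.exe",
     "CurrentDirectory": r"C:\Windows\System32",
     "ParentImage": r"C:\Windows\System32\runonce.exe"},          # benign
    {"Image": r"C:\Windows\System32\ie4uinit.exe", "CommandLine": "ie4uinit.exe",
     "CurrentDirectory": r"C:\Users\recruiter\AppData\Local\Temp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},              # LOLBin staged in %temp%
    {"Image": r"C:\Users\recruiter\AppData\Roaming\Microsoft\msxsl.exe",
     "CommandLine": "msxsl.exe a.xml b.xsl", "CurrentDirectory": r"C:\Users\recruiter",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},         # dropped JS/XSL runner
    {"Image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "CommandLine": "wordpad.exe", "CurrentDirectory": r"C:\Users\recruiter\Downloads",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},              # decoy launched by batch
    {"Image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "CommandLine": "wordpad.exe notes.rtf", "CurrentDirectory": r"C:\Users\recruiter",
     "ParentImage": r"C:\Windows\explorer.exe"},                  # benign
]

TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire on one process-creation event."""
    image = event.get("Image", "").lower()
    cwd = event.get("CurrentDirectory", "") + "\\"   # trailing slash so the regex matches
    cmdline = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    findings: List[str] = []
    # Rule 1: the chain stages ieuinit.inf in %temp%, so flag ie4uinit.exe whose
    # working directory, image path or command line points at a Temp directory.
    if image.endswith("\\ie4uinit.exe") and (
        TEMP_DIR.search(cwd) or TEMP_DIR.search(image) or "ieuinit.inf" in cmdline
    ):
        findings.append("ie4uinit_temp_inf")
    # Rule 2: msxsl.exe is not shipped with Windows; the dropper stores its own
    # copy in a user-writable path to run embedded XML/JS.
    if image.endswith("\\msxsl.exe") and not image.startswith("c:\\program files"):
        findings.append("msxsl_user_writable")
    # Rule 3 (assumption): a batch script launching WordPad as the decoy leaves
    # cmd.exe as the parent, which is unusual for a user opening a document.
    if image.endswith("\\wordpad.exe") and parent.endswith("\\cmd.exe"):
        findings.append("wordpad_from_cmd")
    return findings

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every event on which at least one rule fires."""
    return [(i, detect(e)) for i, e in enumerate(events) if detect(e)]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

Feed real Sysmon or EDR process events into `scan()` after mapping their field names; rule 1 is the highest-confidence signal, while rules 2 and 3 are best treated as enrichment for the same host.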
Link(s):
https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/