Summary:
The article discusses the emergence of two new malware families, RevC2 and Venom Loader, attributed to the threat actor Venom Spider, known for its Malware-as-a-Service (MaaS) offerings. Both families were observed in campaigns between August and October 2024 that delivered them through document lures and used them for data theft and remote code execution. The analysis covers the attack chains, the C2 communication protocols, and the capabilities of each family.
#VenomSpider #MalwareAnalysis #ThreatIntelligence
Keypoints:
Venom Spider is a threat actor known for offering Malware-as-a-Service tools.
Two new malware families, RevC2 and Venom Loader, were uncovered between August and October 2024.
RevC2 uses WebSockets for C2 communication and can steal cookies and passwords.
Venom Loader is built per victim and encodes its payload with the victim's computer name, tying the payload to the intended host.
The first campaign used an API documentation lure to deliver RevC2.
The second campaign utilized a cryptocurrency transaction lure to deliver Venom Loader and More_eggs lite.
RevC2 supports various commands including stealing passwords, executing shell commands, and taking screenshots.
Venom Loader establishes persistence for More_eggs lite by adding a script to the autorun registry key.
Zscaler’s cloud security platform has detected indicators related to these malware families.
MITRE Techniques
Registry Run Keys / Startup Folder (T1547.001): Venom Loader uses autorun key for persistence.
Deobfuscate/Decode Files or Information (T1140): More_eggs lite’s JS content is XOR’ed and base64-encoded.
DLL Side-Loading (T1574.002): Venom Loader runs through DLL side-loading; the legitimate ApplicationFrameHost.exe loads a malicious dxgi.dll.
Steal Web Session Cookie (T1539): RevC2 steals cookies from browsers.
Credentials from Password Stores (T1555): RevC2 steals saved passwords from browsers.
Screen Capture (T1113): RevC2 takes screenshots of the victim’s screen.
Proxy (T1090): RevC2 has a command which proxies traffic.
Command and Scripting Interpreter (T1059): RevC2 and More_eggs lite can both execute attacker-supplied commands on the victim host (RCE).
Non-Standard Port (T1571): RevC2 conducts C2 communications through a non-standard port.
Application Layer Protocol: Web Protocols (T1071.001): RevC2 uses WebSocket for C2 communication; More_eggs lite uses HTTP for C2 communication.
Exfiltration Over C2 Channel (T1041): RevC2 and More_eggs lite are capable of exfiltrating stolen information over the C2 channel.
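The per-victim encoding noted for Venom Loader (payload encoded with the victim's computer name) and the XOR-plus-base64 encoding of the More_eggs lite JS stage share one analysis problem: a generic sandbox with a different hostname never sees the decoded script. The following is an added worked example, not Zscaler's code or the malware's own routine. It assumes the XOR key is the upper-cased computer name, that XOR is applied before base64, and that the sample JS is a constructed stand-in for the real stage; none of these details are specified on this page.

```python
import base64
from typing import Iterable, Optional, Tuple

# Constructed sample: a stand-in for a More_eggs lite-style JS stage. It is NOT
# the real payload; it only needs to look like a WSH script for the check below.
SAMPLE_JS = (
    b'var sh = new ActiveXObject("WScript.Shell");\n'
    b'var url = "http://example.invalid/api/infos";\n'
    b'sh.Run("cmd /c whoami", 0, true);\n'
)

# Substrings that mark a plausible Windows Script Host payload.
SCRIPT_MARKERS = (b"ActiveXObject", b"WScript", b"eval(")


def derive_key(computer_name: str) -> bytes:
    """Turn the victim's computer name into an XOR key.

    Assumption for this example: the key is the upper-cased computer name as
    ASCII. The page only states that the payload is encoded with the computer
    name, not how the name is normalised.
    """
    key = computer_name.strip().upper().encode("ascii", errors="ignore")
    if not key:
        raise ValueError("computer name yields an empty key")
    return key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_payload(plaintext: bytes, computer_name: str) -> str:
    """XOR with the per-victim key, then base64 (assumed order: XOR first)."""
    return base64.b64encode(xor_bytes(plaintext, derive_key(computer_name))).decode("ascii")


def decode_payload(blob: str, computer_name: str) -> bytes:
    """Reverse of encode_payload: base64-decode, then XOR with the key."""
    return xor_bytes(base64.b64decode(blob), derive_key(computer_name))


def looks_like_script(data: bytes) -> bool:
    """Cheap plausibility check: printable ASCII text containing a WSH marker."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return False
    return any(marker in data for marker in SCRIPT_MARKERS)


def brute_force_decode(blob: str, candidate_names: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    """Try each candidate hostname (e.g. from the incident's asset inventory)
    and return the first one that yields a plausible script, or None."""
    for name in candidate_names:
        try:
            decoded = decode_payload(blob, name)
        except ValueError:
            continue  # blank name, no usable key
        if looks_like_script(decoded):
            return name, decoded
    return None


if __name__ == "__main__":
    victim = "DESKTOP-VICTIM1"  # assumed hostname of the targeted machine
    blob = encode_payload(SAMPLE_JS, victim)
    # A sandbox with a different hostname gets noise, not a script.
    print("sandbox decode plausible:", looks_like_script(decode_payload(blob, "SANDBOX-PC")))
    hit = brute_force_decode(blob, ["SANDBOX-PC", "WIN-ANALYST", victim])
    print("recovered with:", hit[0] if hit else None)
```

The practical point is the last function: when a loader is keyed to the victim, the analyst has to bring the hostname (or a list of candidate hostnames) from the incident to the decode step, because detonating the sample on an arbitrary machine yields only noise.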
IoC:
[file hash] 9b0b58aa10577244bc0e174d588ffa8d34a54a34c1b59371acba52772b584707
[file hash] 46a982ec4ea400f8df403fa8384e1752dca070bd84beef06284f1d412e159e67
[file hash] cf45f68219c4a105fffc212895312ca9dc7f4abe37306d2f3b0f098fb6975ec7
[file hash] 153cd5a005b553927a94cc7759a8909bd1b351407d8d036a1bf5fcf9ee83192e
[file hash] 8e16378a59eb692de2c3a53b8a966525b0d36412bfd79c20b48c2ee546f13d04
[url] hxxp://170.75.168[.]151:8080/transaction.pdf.lnk
[url] ws://208.85.17[.]52:8082
[url] ws://nopsec[.]org:8082
[url] hxxp://65.38.121[.]211/api/infos
Full Research: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader