The risk actors behind the More_eggs malware have been linked to 2 new malware households, indicating an growth of its malware-as-a-service (MaaS) operation.
This features a novel information-stealing backdoor referred to as RevC2 and a loader codenamed Venom Loader, each of that are deployed utilizing VenomLNK, a staple software that serves as an preliminary entry vector for the deployment of follow-on payloads.
“RevC2 uses WebSockets to communicate with its command-and-control (C2) server. The malware is capable of stealing cookies and passwords, proxies network traffic, and enables remote code execution (RCE),” Zscaler ThreatLabz researcher Muhammed Irfan V A mentioned.
“Venom Loader is a new malware loader that is customized for each victim, using the victim’s computer name to encode the payload.”
Each the malware households have been distributed as a part of campaigns noticed by the cybersecurity firm between August and October 2024. The risk actor behind the e-crime choices is tracked as Venom Spider (aka Golden Chickens).
The precise distribution mechanism is at the moment not identified, however the start line of one of many campaigns is VenomLNK, which, in addition to displaying a PNG decoy picture, executes RevC2. The backdoor is provided to steal passwords and cookies from Chromium browsers, execute shell instructions, take screenshots, proxy site visitors utilizing SOCKS5, and run instructions as a unique consumer.
The second marketing campaign additionally begins with VenomLNK to ship a lure picture, whereas additionally stealthily executing Venom Loader. The loader is chargeable for launching More_eggs lite, a light-weight variant of the JavaScript backdoor that solely supplies RCE capabilities.
The brand new findings are an indication that the malware authors are persevering with to refresh and refine their customized toolset with new malware even though two people from Canada and Romania have been outed final 12 months as working the MaaS platform.
The disclosure comes as ANY.RUN detailed a beforehand undocumented fileless loader malware dubbed PSLoramyra, which has been used to ship the open-source Quasar RAT malware.
“This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access,” it mentioned.
