Cybersecurity researchers have identified a significant escalation in the operations of the More_eggs malware-as-a-service (MaaS) platform, now linked to two newly discovered malware families. These additions include the RevC2 information-stealing backdoor and a versatile malware loader, Venom Loader, both leveraging VenomLNK as an initial entry mechanism for their nefarious campaigns.
New Malware Arsenal: RevC2 and Venom Loader
The RevC2 backdoor, notable for its reliance on WebSockets for communication with its command-and-control (C2) server, boasts an array of intrusive capabilities. According to Zscaler ThreatLabz researcher Muhammed Irfan V A, RevC2 can:
- Extract cookies and saved passwords.
- Proxy network traffic to mask malicious activity.
- Facilitate remote code execution (RCE) for further exploitation.
On the other hand, Venom Loader is customized per victim: it encodes its payload using the computer name of the target machine. Because the payload is keyed to a single host, it does not decode correctly anywhere else, which complicates analysis on systems other than the intended victim and heightens the threat posed by this loader.
Recent Campaign Activity
These malware families were actively deployed between August and October 2024 in campaigns orchestrated by the threat actor known as Venom Spider, also referred to as Golden Chickens. The delivery mechanism for both campaigns centers on VenomLNK, a tool that presents a decoy PNG image to distract victims while executing malicious payloads stealthily.
- Campaign One: Initiates with VenomLNK to deploy RevC2, which pilfers browser-stored credentials and cookies, captures screenshots, executes shell commands, and proxies network traffic using SOCKS5.
- Campaign Two: Utilizes VenomLNK to deliver Venom Loader, which launches More_eggs lite, a lightweight JavaScript variant of the More_eggs backdoor focused specifically on providing RCE capabilities.
Evolving Toolsets Despite Setbacks
Despite law enforcement actions last year identifying two individuals in Canada and Romania as operators of the More_eggs MaaS platform, the threat actors have continued to innovate, refining their malware ecosystem to evade detection and bolster their offensive capabilities.
Adding to these findings, researchers from ANY.RUN have spotlighted a previously undocumented fileless loader malware dubbed PSLoramyra. This advanced loader employs PowerShell, VBS, and BAT scripts to inject malicious payloads directly into memory, ensuring stealthy execution and persistent system access. PSLoramyra has been linked to the delivery of the Quasar RAT, an open-source remote access Trojan.
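As an added example (not code from Zscaler, ANY.RUN, or this article), the following Python heuristic runs over constructed process-creation telemetry and flags the two chains described above: a script host launched from Explorer that also opens a decoy image (the VenomLNK pattern) and three nested script interpreters (the PSLoramyra BAT, PowerShell and VBS chain). The telemetry format, host names, process IDs and command lines are all constructed assumptions.

```python
# Added detection example, not vendor code: flags the two chains described above.
from collections import defaultdict

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")
# Constructed telemetry (not captured logs): seq|host|ppid|pid|image|cmdline
SAMPLE_EVENTS = """\
1|ws01|400|500|explorer.exe|C:\\Windows\\explorer.exe
2|ws01|500|610|cmd.exe|cmd.exe /c start invoice.png & wscript //e:jscript x.txt
3|ws01|610|630|wscript.exe|wscript //e:jscript x.txt
4|ws02|700|710|cmd.exe|cmd.exe /c run.bat
5|ws02|710|720|powershell.exe|powershell -w hidden -f stage.ps1
6|ws02|720|730|wscript.exe|wscript stage.vbs
7|ws03|800|810|cmd.exe|cmd.exe /c ipconfig /all
"""
def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        _, host, ppid, pid, image, cmdline = line.split("|", 5)
        events.append({"host": host, "ppid": int(ppid), "pid": int(pid),
                       "image": image.lower(), "cmdline": cmdline.lower()})
    return events
def script_chain_len(procs, e):
    """Count consecutive script-host processes walking up from e."""
    n = 0
    while e is not None and e["image"] in SCRIPT_HOSTS:
        n, e = n + 1, procs.get(e["ppid"])
    return n
def detect(events):
    """Return sorted (host, rule, pid) tuples for suspicious script hosts."""
    by_host = defaultdict(dict)
    for e in events:
        by_host[e["host"]][e["pid"]] = e
    findings = []
    for host, procs in by_host.items():
        for e in procs.values():
            if e["image"] not in SCRIPT_HOSTS:
                continue
            parent = procs.get(e["ppid"])
            # Rule A: explorer.exe (a double-clicked LNK) starts a script host
            # whose command line also opens an image: the decoy-PNG pattern.
            if parent and parent["image"] == "explorer.exe" and any(
                    ext in e["cmdline"] for ext in IMAGE_EXTS):
                findings.append((host, "decoy-image-script", e["pid"]))
            # Rule B: three or more nested script hosts (BAT -> PS -> VBS).
            if script_chain_len(procs, e) >= 3:
                findings.append((host, "script-host-chain", e["pid"]))
    return sorted(findings)
```

Running `detect(parse_events(SAMPLE_EVENTS))` reports one decoy-image finding on ws01 and one script-chain finding on ws02, while the lone cmd.exe on ws03 stays quiet; tune SCRIPT_HOSTS and the chain depth to your environment's baseline before deploying.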
Implications for Cybersecurity
The ongoing evolution of the More_eggs MaaS platform underscores the relentless innovation within the cybercrime ecosystem. These revelations highlight the need for organizations to remain vigilant, implement robust endpoint defenses, and regularly update security protocols to mitigate the risks posed by advanced and highly adaptable threat actors like Venom Spider.
This expansion of their malware portfolio serves as a stark reminder that cybercriminals are not only persistent but also resourceful in enhancing their malicious arsenals to outpace modern security measures.