The threat actors behind the More_eggs malware have been linked to two new malware families, indicating an expansion of its malware-as-a-service (MaaS) operation.
This includes a novel information-stealing backdoor called RevC2 and a loader codenamed Venom Loader, both of which are deployed using VenomLNK, a staple tool that serves as an initial access vector for the deployment of follow-on payloads.
“RevC2 uses WebSockets to communicate with its command-and-control (C2) server. The malware is capable of stealing cookies and passwords, proxies network traffic, and enables remote code execution (RCE),” Zscaler ThreatLabz researcher Muhammed Irfan V A said.
“Venom Loader is a new malware loader that is customized for each victim, using the victim’s computer name to encode the payload.”
Both malware families were distributed as part of campaigns observed by the cybersecurity company between August and October 2024. The threat actor behind the e-crime offerings is tracked as Venom Spider (aka Golden Chickens).
The exact distribution mechanism is currently not known, but the starting point of one of the campaigns is VenomLNK, which, in addition to displaying a PNG decoy image, executes RevC2. The backdoor is equipped to steal passwords and cookies from Chromium browsers, execute shell commands, take screenshots, proxy traffic using SOCKS5, and run commands as a different user.
The second campaign also begins with VenomLNK delivering a lure image while stealthily executing Venom Loader. The loader is responsible for launching More_eggs lite, a lightweight variant of the JavaScript backdoor that only provides RCE capabilities.
The new findings are a sign that the malware authors are continuing to refresh and refine their custom toolset with new malware, even though two individuals from Canada and Romania were outed last year as operating the MaaS platform.
The disclosure comes as ANY.RUN detailed a previously undocumented fileless loader malware dubbed PSLoramyra, which has been used to deliver the open-source Quasar RAT malware.
“This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access,” it said.
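The VBS-to-BAT-to-PowerShell staging described above for PSLoramyra leaves a recognisable parent/child trail in process-creation telemetry. The following script is an added example (not code from the article, Zscaler or ANY.RUN) that walks constructed process-creation events and flags a PowerShell process whose ancestry runs through other script hosts, or whose command line carries traits of in-memory execution such as `-enc`, hidden windows or `Invoke-Expression`. The event records, file names and the command-line heuristics are assumptions for illustration, not indicators from the campaigns.

```python
"""Flag PowerShell launched through a chain of script interpreters (VBS/BAT stages)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (shape assumed; map from Sysmon EID 1 or 4688 in practice)."""
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


# Interpreters that host the VBS, BAT and PowerShell stages of a scripted loader
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line traits associated with running payloads straight from memory (assumed heuristics)
IN_MEMORY = re.compile(
    r"-e(nc|ncodedcommand)?\s|-nop\b|-w(indowstyle)?\s+hidden|"
    r"\bIEX\b|Invoke-Expression|FromBase64String|DownloadString",
    re.I,
)


def ancestors(events, pid):
    """Return the process chain from the root ancestor down to `pid`, cycle-safe."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def find_loader_chains(events):
    """Return findings for PowerShell processes that look like the final stage of a script chain."""
    findings = []
    for ev in events:
        if ev.image not in {"powershell.exe", "pwsh.exe"}:
            continue
        chain = ancestors(events, ev.pid)
        script_parents = [e.image for e in chain[:-1] if e.image in SCRIPT_HOSTS]
        in_memory = bool(IN_MEMORY.search(ev.cmdline))
        # Two interpreter ancestors (e.g. wscript -> cmd) is itself suspicious;
        # one interpreter ancestor is flagged only when in-memory traits are present.
        if len(script_parents) >= 2 or (script_parents and in_memory):
            findings.append({
                "pid": ev.pid,
                "chain": [e.image for e in chain],
                "script_parents": script_parents,
                "in_memory": in_memory,
            })
    return findings


# Constructed sample telemetry: one staged chain plus two benign PowerShell launches.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", r"wscript.exe C:\Users\user\AppData\Roaming\stage1.vbs"),
    ProcEvent(300, 200, "cmd.exe", r"cmd.exe /c C:\Users\user\AppData\Roaming\stage2.bat"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"),
    ProcEvent(500, 100, "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(600, 100, "cmd.exe", "cmd.exe /c dir"),
    ProcEvent(700, 600, "powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for f in find_loader_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {' -> '.join(f['chain'])} (in-memory traits: {f['in_memory']})")
```

Only the process launched via the `wscript.exe -> cmd.exe` chain is reported; an administrator running `powershell.exe -File` from a console or from `cmd.exe` alone is left alone. In a real deployment the same walk would run over your EDR's parent-process fields, and the regex would be tuned against the baseline of scripted automation on your own hosts.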