CyberSecurity SEE

Venom Spider Weaves Web of MaaS Malware

A recent discovery by Zscaler ThreatLabz revealed that the notorious threat actor known as “Venom Spider” is expanding its cybercriminal capabilities through its malware-as-a-service (MaaS) platform. The team at Zscaler uncovered two separate attacks between August and October utilizing a new backdoor called RevC2 and a loader named Venom Loader, both attributed to the Venom Spider MaaS tools.

The RevC2 backdoor is particularly nefarious as it utilizes WebSockets to communicate with its command-and-control (C2) server, enabling it to steal cookies and passwords, proxy network traffic, and facilitate remote code execution (RCE). Venom Loader, on the other hand, utilizes the victim’s computer name to encode its payloads, so each build is tailored to a single target.

Venom Spider is notorious for offering various MaaS tools such as VenomLNK, TerraLoader, TerraStealer, and TerraCryptor, which are frequently used by cybercriminal groups like FIN6 and Cobalt for their malicious activities. FIN6 was observed utilizing Venom Spider’s MaaS platform in a spear-phishing campaign in October, distributing a new backdoor called “more_eggs” capable of executing secondary malware payloads.

Moreover, Zscaler ThreatLabz uncovered two new malware families in recent phishing campaigns associated with Venom Spider’s MaaS platform. One of these new threats, RevC2, leveraged an API documentation lure to deliver its payload during a campaign observed between August and September. This payload was distributed through a VenomLNK file containing an obfuscated batch script that downloaded a PNG image from a specific website to entice the victim.

The second campaign, occurring between September and October, utilized a cryptocurrency lure to deliver the Venom Loader, which in turn spread a JavaScript backdoor dubbed “More_eggs lite.” This variant, a JS backdoor delivered through VenomLNK, provided only RCE capabilities, marking a new evolution in the Venom Spider malware arsenal.

It is worth noting that Venom Loader is customized for each victim, with a DLL file crafted specifically for each target to load the subsequent attack stage. Because the victim’s computer name serves as the XOR key, the encoded payload is tied to the intended host, which adds an extra layer of complexity for anyone attempting to analyze it elsewhere.
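As an added illustration (not Zscaler’s code and not the loader’s actual routine), the following Python models the victim-keyed XOR scheme described above together with an analyst-side decoder. The hostname normalization (upper-case ASCII), the MZ-header sanity check, and the sample hostname are assumptions, since the report summary does not give the loader’s exact key derivation.

```python
from itertools import cycle
from typing import Iterable, Optional, Tuple


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def hostname_key(computer_name: str) -> bytes:
    # ASSUMPTION: the report only says the computer name is the XOR key; how the
    # real loader normalizes it (case, encoding) is not stated, so upper-case ASCII is assumed.
    return computer_name.upper().encode("ascii")


def encode_for_target(payload: bytes, computer_name: str) -> bytes:
    """Model of a per-victim build step: the blob only decodes on the host whose name was used."""
    return xor_with_key(payload, hostname_key(computer_name))


def looks_like_pe(blob: bytes) -> bool:
    # A Windows DLL/EXE begins with the "MZ" DOS header; sufficient as a decode sanity check here.
    return blob[:2] == b"MZ"


def recover_payload(encoded: bytes, candidate_names: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    """Analyst helper: try each candidate computer name and return the first that yields a PE image."""
    for name in candidate_names:
        decoded = xor_with_key(encoded, hostname_key(name))
        if looks_like_pe(decoded):
            return name, decoded
    return None


# Constructed sample: a fake "DLL" (only the MZ header is realistic) and a fictitious hostname.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"fake-dll-body-for-demo" * 3
TARGET_NAME = "DESKTOP-A1B2C3"
SAMPLE_ENCODED = encode_for_target(SAMPLE_PAYLOAD, TARGET_NAME)

if __name__ == "__main__":
    # Decoding with another machine's name (wrong key) does not yield a valid PE image.
    print(looks_like_pe(xor_with_key(SAMPLE_ENCODED, hostname_key("OTHER-PC"))))
    print(recover_payload(SAMPLE_ENCODED, ["SANDBOX-VM", "OTHER-PC", TARGET_NAME]))
```

In practice an analyst would feed `recover_payload` the hostnames from the affected asset inventory or the sandbox that captured the sample.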

ThreatLabz anticipates that the new malware variants seen in Venom Spider’s MaaS platform are just the beginning, with more features and anti-analysis techniques expected to be added in the future. Zscaler’s detection methods include sandbox analysis and its cloud security platform, which flagged threat-name indicators related to the campaigns, such as LNK.Downloader.VenomLNK, Win32.Backdoor.RevC2, and Win32.Downloader.VenomLoader.

For defenders looking to protect their systems, Zscaler has provided a Python script that emulates RevC2’s WebSocket server on its GitHub repository. Additionally, a comprehensive list of indicators of compromise (IoCs) has been shared in its blog post to assist organizations in identifying and mitigating the impact of these malware campaigns.