More_eggs MaaS Expands Activities with Venom Loader and RevC2 Backdoor
Two new malware families have been linked to the threat actors behind the More_eggs malware, suggesting that its malware-as-a-service (MaaS) business model has expanded. VenomLNK, a tool that acts as an initial access vector for the deployment of follow-on payloads, is used to distribute a loader dubbed Venom Loader and a new information-stealing backdoor called RevC2. "RevC2 communicates with its command-and-control (C2) server via WebSockets. The malware can proxy network traffic, harvest passwords and cookies, and allow remote code execution (RCE)," according to Zscaler ThreatLabz researcher Muhammad Irfan V A. "Venom Loader is a new malware loader that is customized for each victim, using the victim's computer name to encode the payload."
Between August and October 2024, the cybersecurity firm observed campaigns distributing both malware families. The threat actor behind these e-crime offerings is Venom Spider, also known as Golden Chickens. Although the exact distribution method is not yet known, the first campaign uses VenomLNK as its launchpad: it displays a decoy PNG image while executing RevC2. The backdoor can run shell commands, take screenshots, proxy traffic over SOCKS5, run commands as a different user, and collect passwords and cookies from Chromium-based browsers. The second campaign also starts with VenomLNK, which displays a lure image and covertly executes Venom Loader. The loader then launches More_eggs lite, a streamlined version of the JavaScript backdoor.
Even though two individuals from Canada and Romania were exposed last year as operators of the MaaS platform, the latest findings indicate that the malware authors are still updating and improving their custom toolkit with new malware families. The disclosure coincides with ANY.RUN's description of PSLoramyra, a previously unknown fileless loader used to deliver the open-source Quasar RAT. "This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access," it stated.