The More_eggs Malware-as-a-Service (MaaS) platform has added two tools to an already notorious arsenal: a new backdoor, RevC2, and a customized loader, Venom Loader.
Researchers at Zscaler ThreatLabz documented both. The additions show the operators refining their tooling to target victims with greater precision.
Key Takeaway:
- More_eggs Malware: The More_eggs MaaS platform has added the RevC2 backdoor and Venom Loader, signaling its ongoing evolution and increased risk to organizations.
Introduction to More_eggs Malware
The More_eggs malware, operated by the group known as Venom Spider (also called Golden Chickens), has been a formidable force in the cybercrime world. Known for its stealthy attacks, the platform provides hacking tools to other criminals through a MaaS model.
Recently, two new malware families – RevC2 and Venom Loader – were discovered, indicating that this operation is growing more sophisticated. These tools are deployed using VenomLNK, a malicious shortcut file that also displays a harmless-looking image to fool victims.
What Are RevC2 and Venom Loader?
Let’s break down the two new malware tools:
RevC2: A Versatile Backdoor
RevC2 is a powerful backdoor that connects to its command-and-control (C2) server using WebSockets. Here’s what it can do:
Feature | Details |
---|---|
Data Theft | Steals cookies and saved passwords from browsers. |
Network Proxying | Uses SOCKS5 to proxy network traffic. |
Remote Code Execution | Executes attacker-supplied commands on the infected host. |
Screenshot Capture | Takes screenshots of the victim’s activities. |
Venom Loader: A Customizable Payload
Venom Loader is built per victim: the payload is encoded using the infected computer's name, so every sample differs and a hash or signature taken from one infection does not match the next.
Its role is to deliver a lightweight More_eggs variant focused on remote code execution (RCE).
How Are These Tools Delivered?
The campaigns observed between August and October 2024 reveal the following attack flow:
Step | Details |
---|---|
Initial Access | Starts with VenomLNK, which looks like a regular shortcut file. |
Lure Image Displayed | A harmless PNG image is shown to avoid suspicion. |
Malware Execution | Simultaneously, RevC2 or Venom Loader is deployed in the background. |
Payload Activation | Once installed, the malware establishes contact with the C2 server for further commands. |
Because the user sees only the image they expected, the execution step draws no attention, and the infection typically goes unnoticed until the C2 channel is already active.
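The delivery chain above turns on a single shortcut file doing two things at once. The following script, added here as an example and not code from Zscaler or the original post, parses the Windows Shell Link (.lnk) binary format far enough to pull out the target, arguments and window state, then flags the traits an LNK lure relies on. The two shortcuts it analyses are constructed in memory; their file names (invoice.png, update.js) and command lines are hypothetical stand-ins, not indicators from the VenomLNK campaign.

```python
"""Triage a Windows .LNK shortcut: decode the MS-SHLLINK header and StringData,
then flag the traits a VenomLNK-style lure depends on (an interpreter target,
a hidden window, arguments that open a decoy image and chain a second command).

Added example for this article, not code from Zscaler or the VenomLNK sample.
Both shortcuts below are constructed; names and command lines are hypothetical.
"""
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWMINNOACTIVE = 7  # start minimised without activating: window never seen

INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
DECOY_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".pdf")


def parse_lnk(data: bytes) -> dict:
    """Decode header fields and StringData; skip IDList/LinkInfo by size, ignore ExtraData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link: bad HeaderSize")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size  # LinkInfoSize counts itself
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    fields = {"flags": flags, "show_command": show_cmd, "name": "",
              "relative_path": "", "working_dir": "", "arguments": "", "icon_location": ""}
    # StringData entries appear in this fixed order, each only if its flag is set.
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)  # CountCharacters, not bytes
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def triage_lnk(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    f = parse_lnk(data)
    args = f["arguments"]
    findings = []
    if f["relative_path"].lower().endswith(INTERPRETERS):
        findings.append("target is a script/command interpreter: " + f["relative_path"])
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE, console window is hidden")
    if "&" in args and any(ext in args.lower() for ext in DECOY_EXTENSIONS):
        findings.append("arguments open a decoy document, then chain another command")
    if len(args) > 200:
        findings.append("unusually long argument string (%d chars)" % len(args))
    return findings


def build_lnk(relative_path, working_dir, arguments, show_command) -> bytes:
    """Assemble a minimal Unicode Shell Link. Test-data generator only."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + string_data(relative_path) + string_data(working_dir)
            + string_data(arguments) + b"\x00\x00\x00\x00")  # TerminalBlock


# Constructed lure mirroring the behaviour described above: show an image to
# the user, run a script in the background. Hypothetical names, not IoCs.
LURE_LNK = build_lnk(
    r"..\..\Windows\System32\cmd.exe", r"C:\Windows\System32",
    r'/c start "" "%CD%\invoice.png" & cscript //e:jscript "%TEMP%\update.js"',
    SW_SHOWMINNOACTIVE)

# Constructed benign shortcut for comparison (ShowCommand 1 = SW_SHOWNORMAL).
BENIGN_LNK = build_lnk(
    r"..\..\Windows\System32\notepad.exe", r"C:\Windows\System32",
    r"C:\Users\Public\notes.txt", 1)

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk(blob)["relative_path"], triage_lnk(blob))
```

Run it as a script to see both verdicts, or pass the bytes of a real .lnk attachment to `triage_lnk` during mail triage. The hidden-window check (SW_SHOWMINNOACTIVE) is a general shortcut heuristic, not a documented VenomLNK trait; the decoy check is the one that maps directly onto the flow described above.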
A Closer Look at Venom Spider
Venom Spider, the group behind More_eggs, has survived law-enforcement pressure before. Despite arrests linked to the operation in Canada and Romania, the platform continues to operate and sells its tooling to clients worldwide.
The addition of RevC2 and Venom Loader shows the group is still investing in new capabilities.
The Bigger Picture: Other Emerging Threats
In related news, analysts at ANY.RUN have identified PSLoramyra, a fileless malware loader. This advanced threat uses PowerShell and scripts to inject malicious payloads directly into system memory. It’s often used to deliver Quasar RAT, an open-source remote access tool.
These developments underscore the rising complexity of loader-based attacks, which leave little on disk for file-based scanning. Similar loaders have been used before, including a 2023 attack on healthcare systems that caused significant disruption.
How to Protect Against More_eggs Malware
Defending against More_eggs and its new RevC2 and Venom Loader components requires a proactive approach:
- Educate your team: train employees to recognize phishing emails and suspicious attachments, including shortcut (.lnk) files that pose as documents or images.
- Update software: keep operating systems and security products current so the latest signatures and behavioural rules are in place.
- Monitor network traffic: look for WebSocket connections from hosts or processes that have no business making them, since RevC2 uses WebSockets for its C2 channel.
- Isolate infections quickly: cut an infected system off from the rest of the network so the malware cannot spread or proxy traffic through it.
Conclusion
The expansion of More_eggs with RevC2 and Venom Loader is a reminder of how quickly the threat landscape changes. Per-victim payloads and WebSocket-based C2 make these tools harder to catch with static indicators, forcing businesses to stay vigilant.
By staying informed and adopting robust cybersecurity practices, organizations can reduce their exposure to these evolving threats.
About Venom Spider
Venom Spider, also known as Golden Chickens, operates the More_eggs MaaS platform. The group specializes in building malware tools for other criminals. Despite legal setbacks, it remains a leading name in the cybercrime world, continually upgrading its arsenal to evade detection.
FAQ
What is RevC2 malware?
RevC2 is a backdoor that steals data, proxies traffic and allows hackers to execute commands remotely.
How does Venom Loader work?
Venom Loader customizes its payload for each victim and delivers lightweight More_eggs malware variants.
What is the role of VenomLNK?
VenomLNK is a shortcut file that initiates the malware attack while displaying a harmless decoy image.
Who operates More_eggs malware?
It’s run by Venom Spider, a cybercrime group known for its Malware-as-a-Service platform.
How can I protect my business?
Use updated antivirus programs, train employees to spot phishing attempts, and monitor network activity for unusual behavior.
For a deeper dive into emerging malware trends, check Zscaler’s ThreatLabz blog.