Threat actors for More_eggs malware have been linked to two new malware families, indicating the expansion of their malware-as-a-service (MaaS) activities.
This includes a new information-stealing backdoor called RevC2 and a bootloader codenamed Venom Loader, both of which are deployed using VenomLNK, the primary tool that serves as the initial access vector to deploy subsequent payloads.
“RevC2 uses WebSockets to communicate with its command and control (C2) server. The malware is capable of stealing cookies and passwords, proxying network traffic and providing remote code execution (RCE),” Zscaler ThreatLabz researcher Muhammad Irfan V.A. said.
“Venom Loader is a new malware loader that is customized for each victim and uses the victim’s computer name to encode the payload.”
Both malware families were distributed in campaigns observed by the cybersecurity firm between August and October 2024. The threat behind cybercrime offers is tracked as Venom Spider (aka Golden Chickens).
The exact distribution mechanism is still unknown, but the starting point of one of the companies is VenomLNK, which, in addition to displaying a PNG decoy image, executes RevC2. The backdoor is equipped to steal passwords and cookies from Chromium browsers, execute shell commands, take screenshots, proxy traffic using SOCKS5, and execute commands on behalf of another user.
The second campaign also starts with VenomLNK to deliver the decoy image and also execute the Venom Loader stealthily. The bootloader is responsible for running More_eggs lite, a lightweight version JavaScript backdoor which only provides RCE capabilities.
The new findings are a sign that malware writers continue to update and improve their toolkit with new malware, despite the fact that two people with Canada and Romania were released last year as running on a MaaS platform.
The disclosure comes after ANY.RUN detailed a previously undocumented fileless bootloader malware called PSLoramyra that was used to deliver the open-source Quasar RAT malware.
“This advanced malware uses PowerShell, VBS, and BAT scripts to inject malicious payloads into the system, execute them directly in memory, and establish persistent access,” it said. said.