The threat actors behind the More_eggs malware have been linked to two new malware families, indicating an expansion of its malware-as-a-service (MaaS) operation.
This includes a novel information-stealing backdoor called RevC2 and a loader codenamed Venom Loader, both of which are deployed using VenomLNK, a staple tool that serves as an initial access vector for the deployment of follow-on payloads.
“RevC2 uses WebSockets to communicate with its command-and-control (C2) server. The malware is capable of stealing cookies and passwords, proxies network traffic, and enables remote code execution (RCE),” Zscaler ThreatLabz researcher Muhammed Irfan V A said.
“Venom Loader is a new malware loader that is customized for each victim, using the victim’s computer name to encode the payload.”
Both the malware families have been distributed as part of campaigns observed by the cybersecurity company between August and October 2024. The threat actor behind the e-crime offerings is tracked as Venom Spider (aka Golden Chickens).
The exact distribution mechanism is currently not known, but the starting point of one of the campaigns is VenomLNK, which, besides displaying a PNG decoy image, executes RevC2. The backdoor is equipped to steal passwords and cookies from Chromium browsers, execute shell commands, take screenshots, proxy traffic using SOCKS5, and run commands as a different user.
The second campaign also begins with VenomLNK to deliver a lure image, while also stealthily executing Venom Loader. The loader is responsible for launching More_eggs lite, a lightweight variant of the JavaScript backdoor that only provides RCE capabilities.
The new findings are a sign that the malware authors are continuing to refresh and refine their custom toolset with new malicious programs despite the fact that two individuals from Canada and Romania were outed last year as running the MaaS platform.
The disclosure comes as ANY.RUN detailed a previously undocumented fileless loader malware dubbed PSLoramyra, which has been used to deliver the open-source Quasar RAT malware.
“This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access,” it said.