Unveiling RevC2 and Venom Loader
Dec. 10, 2024, 2:04 p.m.
Description
Between August and October 2024, two new malware families, RevC2 and Venom Loader, were deployed using Venom Spider's Malware-as-a-Service tools. RevC2 uses WebSockets for C2 communication and can steal cookies and passwords, proxy network traffic, and enable remote code execution. Venom Loader is customized for each victim, using the computer name to encode the payload. The first campaign used an API documentation lure to deliver RevC2, while the second campaign used a cryptocurrency transaction lure to deliver Venom Loader and Retdoor, a JavaScript backdoor. Both campaigns demonstrate sophisticated attack chains and highlight the evolving threat landscape.
Tags
Date
- Created: Dec. 10, 2024, 1:45 p.m.
- Published: Dec. 10, 2024, 1:45 p.m.
- Modified: Dec. 10, 2024, 2:04 p.m.
Indicators
Attack Patterns
- TerraCryptor
- TerraStealer
- TerraLoader
- VenomLNK
- Retdoor
- Venom Loader
- RevC2
- Venom Spider
- T1539
- T1574.002
- T1571
- T1547.001
- T1555
- T1113
- T1071.001
- T1140
- T1041
- T1090
- T1059