Unveiling RevC2 and Venom Loader

Dec. 10, 2024, 2:04 p.m.

Description

Between August and October 2024, two new malware families, RevC2 and Venom Loader, were deployed using Venom Spider's Malware-as-a-Service tools. RevC2 uses WebSockets for C2 communication and can steal cookies and passwords, proxy network traffic, and enable remote code execution. Venom Loader is customized for each victim, using the computer name to encode the payload. The first campaign used an API documentation lure to deliver RevC2, while the second campaign used a cryptocurrency transaction lure to deliver Venom Loader and Retdoor, a JavaScript backdoor. Both campaigns demonstrate sophisticated attack chains and highlight the evolving threat landscape.

Date

Published: Dec. 10, 2024, 1:45 p.m.

Created: Dec. 10, 2024, 1:45 p.m.

Modified: Dec. 10, 2024, 2:04 p.m.

Indicators


Attack Patterns

Malware families and threat actor: TerraCryptor, TerraStealer, TerraLoader, VenomLNK, Retdoor, Venom Loader, RevC2, Venom Spider

MITRE ATT&CK techniques: T1539, T1574.002, T1571, T1547.001, T1555, T1113, T1071.001, T1140, T1041, T1090, T1059