More_eggs malware hatches two new variants for MaaS operation

News
By
published

Venom Spider builds two new malware variants and uses them in attacks.

An abstract image of digital security.
(Image credit: Shutterstock) (Image credit: Shutterstock)
  • Security researchers found two new malware variants, an infostealer and a loader
  • The developers seem to be the same group that's behind more_eggs
  • The infostealer can grab passwords, cookies, and more

Venom Spider, a threat actor behind the infamous More_eggs malware, is expanding its malware-as-a-service (MaaS) operation. This is according to a new report from cybersecurity researchers Zscaler ThreatLabz, who recently found two new malware families linked to the same developer.

In a detailed report published earlier this week, the researchers said that Venom Spider (also known as Golden Chickens) built an infostealer called RevC2, and a loader named Venom Loader.

The infostealer can grab people’s login credentials, and cookies from Chromium-powered browsers (Chrome, Edge, Brave, and others). It can run shell commands, grab screenshots, and proxy traffic using SOCKS5. Finally, it can run commands as a different user, as well. The loader, on the other hand, is customized for each victim, and uses their computer’s name to encode the payload, it was said.

VenomLNK

The researchers first observed the new malware being used in August this year, and have been tracking it ever since. They don’t know exactly how the malware is distributed to the victims, but suspect it all starts with VenomLNK. This is an initial access tool that the researchers observed being used to deploy both of the above-mentioned malware, while at the same time, showing a decoy PNG image to the victim.

This is not the first time VenomLNK was seen in the wild, as the experts said it was used to deploy More_eggs lite before.

More_eggs is a JavaScript-based loader used to infiltrate systems by downloading and executing additional malicious payloads, typically after gaining an initial foothold through phishing emails or malicious links.

The malware is notorious for its stealthy behavior, as it leverages legitimate processes and tools to evade detection. Attackers often deploy more_eggs to install ransomware, steal sensitive data, or provide remote access to compromised systems.

More_eggs has been around for at least three years, possibly for longer.

Via The Hacker News

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.