Unveiling RevC2 and Venom Loader

Subject: Unveiling RevC2 and Venom Loader

Tactics: TA0009 Collection, TA0011 Command and Control, TA0005 Defense Evasion, TA0002 Execution, TA0010 Exfiltration, TA0001 Initial Access, TA0003 Persistence

Technique: T1071.001 Application Layer Protocol: Web Protocols, T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1059.007 Command and Scripting Interpreter: JavaScript, T1059.003 Command and Scripting Interpreter: Windows Command Shell, T1555 Credentials from Password Stores, T1140 Deobfuscate/Decode Files or Information, T1041 Exfiltration Over C2 Channel, T1574.002 Hijack Execution Flow: DLL Side-Loading, T1566 Phishing, T1113 Screen Capture, T1539 Steal Web Session Cookie

Procedure:

  • Initial Access: The attack likely begins with a phishing email containing a malicious LNK file (VenomLNK).
  • Execution: The LNK file executes an obfuscated batch script, which downloads and executes various payloads, including RevC2 and Venom Loader. Venom Loader utilizes DLL side-loading and JavaScript for execution.
  • Persistence: Venom Loader establishes persistence by adding a PowerShell script to the autorun registry key.
  • Command and Control: RevC2 uses WebSockets (ws://208.85.17[.]52:8082) for C2 communication, while More_eggs lite uses HTTP POST requests (/api/infos).
  • Defense Evasion: Both RevC2 and Venom Loader employ obfuscation to hinder analysis. Venom Loader also uses DLL side-loading.
  • Collection: RevC2 steals cookies, passwords, and takes screenshots.
  • Exfiltration: Stolen data is exfiltrated over the C2 channel.

Vulnerability:

  • EAV0001: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
  • EAV0004: When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.
  • EAV0007: When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.

Engagement Opportunity:

  • User Education: Conduct security awareness training to educate users about phishing threats and the risks of opening suspicious emails or attachments.
  • Network Monitoring: Deploy network monitoring tools to detect suspicious web traffic patterns associated with RevC2 and More_eggs lite C2 communication.
  • Endpoint Security: Implement endpoint security solutions with capabilities like behavioral analysis and anti-exploitation technologies to detect and prevent the execution of malicious payloads like VenomLNK, RevC2, and Venom Loader.
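Added detection example (not code from the report or from Zscaler): a small Python hunt over constructed proxy and Sysmon-style registry events that flags the two C2 patterns named above (the RevC2 WebSocket endpoint, refanged from the defanged IP in the report, and the More_eggs lite POST to /api/infos) and a PowerShell script written to a Run key (the Venom Loader persistence). The sample lines, field names and log layout are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (made up for this example): proxy log lines and
# Sysmon-style EventID 13 (registry value set) lines, with benign noise mixed in.
SAMPLE_EVENTS: List[str] = [
    "2024-11-20T10:01:02Z proxy src=10.0.0.12 dst=208.85.17.52:8082 method=GET uri=/ upgrade=websocket",
    "2024-11-20T10:01:05Z proxy src=10.0.0.12 dst=203.0.113.7:443 method=POST uri=/api/infos",
    "2024-11-20T10:01:09Z proxy src=10.0.0.12 dst=203.0.113.9:443 method=GET uri=/index.html",
    r'2024-11-20T10:02:00Z registry EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details="powershell.exe -w hidden -ep bypass -f C:\Users\Public\u.ps1"',
    r'2024-11-20T10:02:30Z registry EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details="C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"',
]

# Indicators taken from the report: ws://208.85.17[.]52:8082 (refanged) and POST /api/infos.
REVC2_C2: Tuple[str, str] = ("208.85.17.52", "8082")
MORE_EGGS_URI = "/api/infos"
# Any value set under a Run key (T1547.001); the exact value name is not in the report.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> Dict[str, str]:
    """Split a 'timestamp type key=value ...' line into a dict (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["type"] = line.split()[1]
    return fields


def classify(line: str) -> Optional[str]:
    """Return a finding label for a line that matches one of the page's TTPs, else None."""
    ev = parse(line)
    if ev["type"] == "proxy":
        host, _, port = ev.get("dst", "").rpartition(":")
        if (host, port) == REVC2_C2:
            return "RevC2 C2: WebSocket endpoint " + ev["dst"]
        if ev.get("method") == "POST" and ev.get("uri") == MORE_EGGS_URI:
            return "More_eggs lite C2: HTTP POST " + MORE_EGGS_URI
    elif ev["type"] == "registry" and ev.get("EventID") == "13":
        if RUN_KEY.search(ev.get("TargetObject", "")) and "powershell" in ev.get("Details", "").lower():
            return "T1547.001: PowerShell in Run key " + ev["TargetObject"]
    return None


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over every line; return (timestamp, finding) pairs for the hits."""
    return [(line.split()[0], hit) for line in lines if (hit := classify(line))]


if __name__ == "__main__":
    for ts, finding in hunt(SAMPLE_EVENTS):
        print(ts, finding)
```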

Threat Actor: Venom Spider (GOLDEN CHICKENS), potentially other cybercriminals utilizing their MaaS tools

Threat Objective:

Gain initial access, establish persistence, steal sensitive data (credentials, cookies), conduct remote code execution, potentially deploy additional malware

Deception Opportunity:

  • Decoy Credentials: Plant decoy credentials within browsers to lure RevC2 and capture the exfiltration attempt, potentially revealing the attacker’s infrastructure.
  • Fake C2 Server: Set up a fake C2 server mimicking the real one to capture C2 traffic from RevC2 and More_eggs lite, allowing for analysis of commands and payloads.
  • Honeypots: Deploy honeypots with vulnerable JavaScript interpreters to attract Venom Loader and observe its execution behavior, capturing deobfuscated payloads and analyzing subsequent actions.

Sensor Data Placement: Application

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

  • Network traffic patterns associated with web protocols can vary, placing them at “Core to Some Implementations of (Sub-)Technique”.
  • Deobfuscated code is specific to the adversary’s tools, making it “Core to Adversary-Brought Tool”.
  • Registry keys used for persistence can vary, thus “Core to Some Implementations of (Sub-)Technique”.
  • DLL side-loading is a specific technique with identifiable characteristics, making it “Core to Sub-Technique or Technique”.

Observable Level:

  • Network Traffic Patterns: Core to Some Implementations of (Sub-)Technique
  • Deobfuscated Code: Core to Adversary-Brought Tool
  • Registry Keys: Core to Some Implementations of (Sub-)Technique
  • DLL Side-Loading: Core to Sub-Technique or Technique

Link to Report:

Link to Report II.:

Additional Comments:

This attack chain highlights the increasing trend of MaaS, enabling various threat actors to deploy sophisticated malware with ease. Monitoring for and analyzing the TTPs of groups like Venom Spider is crucial for defending against such threats.

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# RevC2 and Venom Loader Attack Graph

1: Initial Access - Phishing [T1566] - Malicious LNK file delivered via email (Not Scored)[1]
2: Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003] - Execute obfuscated batch script (Core to Pre-Existing Tool)
3: Execution - Command and Scripting Interpreter: JavaScript [T1059.007] - Execute JavaScript payloads (Core to Pre-Existing Tool)
4: Persistence - Registry Run Keys / Startup Folder [T1547.001] - Add PowerShell script to autorun key (Core to Some Implementations of (Sub-)Technique)
5: Command and Control - Application Layer Protocol: Web Protocols [T1071.001] - Utilize WebSockets and HTTP for C2 communication (Core to Some Implementations of (Sub-)Technique)
6: Defense Evasion - Deobfuscate/Decode Files or Information [T1140] - Employ obfuscation to hide malicious code (Core to Adversary-Brought Tool)
7: Defense Evasion - DLL Side-Loading [T1574.002] - Utilize DLL side-loading for execution (Core to Sub-Technique or Technique)
8: Collection - Credentials from Password Stores [T1555] - Steal passwords from browsers (Core to Sub-Technique or Technique)
9: Collection - Steal Web Session Cookie [T1539] - Steal cookies from browsers (Core to Sub-Technique or Technique)
10: Collection - Screen Capture [T1113] - Take screenshots (Core to Sub-Technique or Technique)
11: Exfiltration - Exfiltration Over C2 Channel [T1041] - Exfiltrate stolen data over C2 (Core to Sub-Technique or Technique)

1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of Endpoint Security)
2 --> 4 (Lack of Endpoint Security)
2 --> 5 (Lack of Network Monitoring)
2 --> 6 (Lack of Anomaly Detection)
2 --> 7 (Lack of Endpoint Security)
3 --> 8 (Lack of Endpoint Security)
3 --> 9 (Lack of Endpoint Security)
3 --> 10 (Lack of Endpoint Security)
5 --> 11 (Lack of Network Monitoring)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# RevC2 and Venom Loader Pseudocode

function Initial_Access_Phishing(target_email):
    # Craft phishing email with malicious LNK file
    # Send email to target_email
    return malicious_LNK

function Execution_Command_and_Scripting_Interpreter(malicious_LNK):
    # Execute obfuscated batch script
    # Download and execute payloads (RevC2, Venom Loader)
    return persistence_module, C2_communication_module, collection_module

function Persistence_Registry_Run_Keys_Startup_Folder(persistence_module):
    # Add PowerShell script to autorun key
    return persistent_access

function Command_and_Control_Application_Layer_Protocol(C2_communication_module):
    # Utilize WebSockets and HTTP for C2 communication
    # Transmit C2 instructions and receive commands
    return obfuscated_payload, exfiltration_instructions

function Defense_Evasion_Deobfuscate_Decode_Files_or_Information(obfuscated_payload):
    # Employ obfuscation to hide malicious code
    # Deobfuscate payload
    return executable_code

function Defense_Evasion_DLL_Side_Loading(executable_code):
    # Utilize DLL side-loading for execution
    return malicious_activity

function Collection_Credentials_from_Password_Stores(collection_module):
    # Steal passwords from browsers
    return stolen_passwords

function Collection_Steal_Web_Session_Cookie(collection_module):
    # Steal cookies from browsers
    return stolen_cookies

function Collection_Screen_Capture(collection_module):
    # Take screenshots
    return screenshots

function Exfiltration_Exfiltration_Over_C2_Channel(exfiltration_instructions, stolen_data):
    # Exfiltrate stolen data over C2 channel
    return success
