Unveiling RevC2 and Venom Loader

  • Initial Access: The attack likely begins with a phishing email containing a malicious LNK file (VenomLNK).
  • Execution: The LNK file executes an obfuscated batch script, which downloads and executes various payloads, including RevC2 and Venom Loader. Venom Loader utilizes DLL side-loading and JavaScript for execution.
  • Persistence: Venom Loader establishes persistence by adding a PowerShell script to the autorun registry key.
  • Command and Control: RevC2 uses WebSockets (ws://208.85.17[.]52:8082) for C2 communication, while More_eggs lite uses HTTP POST requests (/api/infos).
  • Defense Evasion: Both RevC2 and Venom Loader employ obfuscation to hinder analysis. Venom Loader also uses DLL side-loading.
  • Collection: RevC2 steals cookies, passwords, and takes screenshots.
  • Exfiltration: Stolen data is exfiltrated over the C2 channel.
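The persistence and command-and-control bullets above describe two behaviours a defender can look for directly: a PowerShell launch planted in an autorun registry key, and outbound traffic to the WebSocket C2 (208.85.17[.]52:8082) or HTTP POSTs to /api/infos. The script below is an added example written for this summary, not code from the ThreatLabz report; the registry entries and connection log lines are constructed sample telemetry, and the log line format (`dst=IP:PORT proto=... method=... uri=...`) is an assumption. Only the C2 address, port and URI come from the summary.

```python
"""Detection checks for the persistence and C2 behaviours summarised above.

Added example, not code from the RevC2 / Venom Loader report. Sample telemetry
below is constructed; the C2 host, port and URI are the indicators from the
summary (IP refanged so it can be matched).
"""
import re
from dataclasses import dataclass

# Indicators taken from the summary.
REVC2_C2_HOST = "208.85.17.52"
REVC2_C2_PORT = 8082
MORE_EGGS_LITE_URI = "/api/infos"

# Autorun locations where the Venom Loader persistence step leaves its PowerShell entry.
AUTORUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Any PowerShell launch under a Run key is worth reviewing; tune with an allow-list if needed.
_POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)

# Assumed log line format: "... dst=IP:PORT proto=ws|http|https [method=POST] [uri=/path]".
_CONN_RE = re.compile(
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+)\s+proto=(?P<proto>\w+)"
    r"(?:\s+method=(?P<method>\w+))?(?:\s+uri=(?P<uri>\S+))?"
)


@dataclass
class Finding:
    source: str   # "registry" or "network"
    detail: str


def check_autorun_entries(entries):
    """entries: iterable of (key, value_name, command) tuples, e.g. parsed from a registry export."""
    findings = []
    for key, name, command in entries:
        if key in AUTORUN_KEYS and _POWERSHELL_RE.search(command):
            findings.append(Finding("registry", f"{key}\\{name} launches PowerShell: {command}"))
    return findings


def check_connection_logs(lines):
    """Flag connections matching the RevC2 WebSocket C2 or the More_eggs lite HTTP POST endpoint."""
    findings = []
    for line in lines:
        m = _CONN_RE.search(line)
        if not m:
            continue
        ip, port = m["ip"], int(m["port"])
        proto = m["proto"].lower()
        method = (m["method"] or "").upper()
        if ip == REVC2_C2_HOST and port == REVC2_C2_PORT:
            findings.append(Finding("network", f"connection to RevC2 C2 {ip}:{port} ({proto})"))
        elif proto == "http" and method == "POST" and m["uri"] == MORE_EGGS_LITE_URI:
            findings.append(Finding("network", f"More_eggs lite style POST to {ip}:{port}{m['uri']}"))
    return findings


# Constructed sample telemetry (not from any real host).
SAMPLE_AUTORUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdateSvc",
     r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1"),
    (r"HKCU\Software\Example\Settings", "Tool",          # PowerShell outside a Run key: not flagged
     r"powershell.exe -File C:\tools\setup.ps1"),
]

SAMPLE_CONNECTION_LOG = [
    "ts=2024-10-01T10:00:01Z proc=chrome.exe dst=142.250.72.14:443 proto=https",
    "ts=2024-10-01T10:00:05Z proc=explorer.exe dst=208.85.17.52:8082 proto=ws",
    "ts=2024-10-01T10:00:09Z proc=wscript.exe dst=203.0.113.7:80 proto=http method=POST uri=/api/infos",
    "ts=2024-10-01T10:00:12Z proc=curl.exe dst=203.0.113.8:80 proto=http method=GET uri=/api/infos",
]


def run_detections():
    """Run both checks over the constructed samples and return all findings."""
    return check_autorun_entries(SAMPLE_AUTORUN_ENTRIES) + check_connection_logs(SAMPLE_CONNECTION_LOG)


if __name__ == "__main__":
    for f in run_detections():
        print(f"[{f.source}] {f.detail}")
```

On the constructed samples the script reports one registry finding (the hidden PowerShell entry under HKCU Run) and two network findings (the WebSocket connection to the RevC2 address and the POST to /api/infos); the GET to the same URI and the PowerShell entry outside a Run key are left alone. In practice the registry tuples would come from an export of the Run keys and the log lines from EDR or proxy telemetry in whatever format that source emits.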