A sophisticated attacker, potentially the “Secret Blizzard” group, has gained access to the network and is actively attempting to establish persistence, evade detection, escalate privileges, and collect sensitive data. They are likely using custom malware with advanced anti-analysis capabilities and are targeting specific systems and data.
Tag: T1555
Unveiling RevC2 and Venom Loader
- Initial Access: The attack likely begins with a phishing email containing a malicious LNK file (VenomLNK).
- Execution: The LNK file executes an obfuscated batch script, which downloads and executes various payloads, including RevC2 and Venom Loader. Venom Loader utilizes DLL side-loading and JavaScript for execution.
- Persistence: Venom Loader establishes persistence by adding a PowerShell script to the autorun registry key.
- Command and Control: RevC2 uses WebSockets (ws://208.85.17[.]52:8082) for C2 communication, while More_eggs lite uses HTTP POST requests (/api/infos).
- Defense Evasion: Both RevC2 and Venom Loader employ obfuscation to hinder analysis. Venom Loader also uses DLL side-loading.
- Collection: RevC2 steals cookies, passwords, and takes screenshots.
- Exfiltration: Stolen data is exfiltrated over the C2 channel.
Exploitation of Firefox and Windows zero-day vulnerabilities
The RomCom threat actors are actively exploiting Firefox and Windows zero-day vulnerabilities to compromise systems, escalate privileges, establish persistence, and exfiltrate sensitive data.