Unveiling RevC2 and Venom Loader

    Date: 12/04/2024

    Severity: High

    Summary

    Between August and October 2024, ThreatLabz identified campaigns deploying two new malware families: RevC2 and Venom Loader. These were distributed via Venom Spider’s malware-as-a-service (MaaS) tools. RevC2 utilizes WebSockets for command-and-control (C2) communication and is capable of stealing cookies and passwords, proxying network traffic, and enabling remote code execution (RCE). Venom Loader, a custom malware loader, encodes its payload using the victim’s computer name for a tailored attack.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    http://170.75.168.151:8080/transaction.pdf.lnk/
    ws://208.85.17.52:8082
    ws://nopsec.org:8082/
    http://65.38.121.211/api/infos

    Hashes (SHA-256):

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    userdomainname like "http://65.38.121.211/api/infos" or url like "http://65.38.121.211/api/infos" or userdomainname like "http://170.75.168.151:8080/transaction.pdf.lnk/" or url like "http://170.75.168.151:8080/transaction.pdf.lnk/" or userdomainname like "ws://208.85.17.52:8082" or url like "ws://208.85.17.52:8082" or userdomainname like "ws://nopsec.org:8082/" or url like "ws://nopsec.org:8082/"

    Detection Query 2:

    sha256hash IN ("f93134f9b4ee2beb1998d8ea94e3da824e7d71f19dfb3ce566e8e9da65b1d7a2","cf45f68219c4a105fffc212895312ca9dc7f4abe37306d2f3b0f098fb6975ec7","153cd5a005b553927a94cc7759a8909bd1b351407d8d036a1bf5fcf9ee83192e","9b0b58aa10577244bc0e174d588ffa8d34a54a34c1b59371acba52772b584707","46a982ec4ea400f8df403fa8384e1752dca070bd84beef06284f1d412e159e67","8e16378a59eb692de2c3a53b8a966525b0d36412bfd79c20b48c2ee546f13d04")

    Reference:

    https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader

    Tags

    Malware, RevC2, Venom, MaaS