Security researchers at eSentire's Threat Response Unit (TRU) unmask the operator behind the Golden Chickens malware-as-a-service, known as badbullzvenom, and connect the persona to VENOM SPIDER, with links to FIN6, Cobalt Group, and Evilnum. The report details the malware's modular components, its evolving campaigns, and defensive recommendations.
Key points
- TRU identifies badbullzvenom as the operator behind Golden Chickens and links him to VENOM SPIDER.
- Golden Chickens is a malware-as-a-service (MaaS) offering used by FIN6, Cobalt Group, and Evilnum, and has contributed to multi-billion-dollar losses.
- Campaigns have leveraged LinkedIn-based social engineering (fake job offers and resumes) to deliver the malware.
- The malware is modular (More_eggs, TerraLoader, TerraRecon, TerraStealer, TerraTV, TerraPreter, TerraCrypt) and is actively updated.
- VenomLNK delivers the initial access, with TerraLoader loading additional plugins for capabilities like credential theft and lateral movement.
- The report highlights a July 2022 bounty incident and ongoing investigations into the operator’s identity and activities.
MITRE Techniques
- [T1566.002] Spearphishing Link – LinkedIn campaigns targeted corporate employees with fake job offers. Quote: "corporate employees on LinkedIn being targeted by threat actors using fake job offers."
- [T1566.001] Spearphishing Attachment – Fake resumes laden with malware were delivered to hiring managers. Quote: "fake resumes, of job applicants, laden with malware."
- [T1204.002] User Execution: Malicious File – VenomLNK, a Windows shortcut (.lnk), relies on the victim opening it to execute the payload. Quote: "VenomLNK is a .lnk file (Windows shortcut) sent to victims to instigate User Execution."
- [T1105] Ingress Tool Transfer – TerraLoader retrieves objective-based plugins after initial access. Quote: "TerraLoader which can then load the individual objective-based plugins."
- [T1082] System Information Discovery – TerraRecon performs the initial environmental analysis of the infected machine. Quote: "initial environmental analysis of the infected machine."
- [T1059.003] Windows Command Shell – TerraPreter provides a Meterpreter shell for hands-on lateral movement, discovery, and credential theft. Quote: "a meterpreter shell that allows threat actors to perform actions such as lateral movement, discovery, and credential theft manually."
- [T1021] Remote Services – TerraTV hijacks the organization's running TeamViewer instance for lateral movement. Quote: "move laterally in the network by hijacking the organization's running instance of TeamViewer."
- [T1555.003] Credentials from Web Browsers – TerraStealer harvests credentials from browsers and email clients. Quote: "Harvests credentials and emails from browsers, email clients, and transfer utilities."
- [T1486] Data Encrypted for Impact – TerraCrypt is the ransomware encryption payload. Quote: "TerraCrypt – An encryption payload for ransomware extortion attacks."
- [T1027] Obfuscated Files and Information – Golden Chickens binaries and components are obfuscated to evade detection. Quote: "to make it undetectable by most AV companies."
- [T1059.001] PowerShell – The 2017–2019 campaigns dropped PowerShell from the attack chain to reduce detection. Quote: "PowerShell is removed from the attack chain to reduce detection."
Indicators of Compromise
- [Domain] johnwagen.com, mikelatona.com, liamelston.com, and 8 other domains
- [SHA256] VenomLNK – 33e5078833aa2caf7dcbae23300c6a4635076625e79f2368871727e895e76d89, 05d9e8a947dbaebb6c3df9889bc2db55f1ba58f18f16a96d105bf9f3438081bb (and 6 more hashes)
Read more: https://www.esentire.com/web-native-pages/unmasking-venom-spider