Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims – Arctic Wolf

The Venom Spider threat group is now targeting HR departments with spear-phishing attacks using malicious resumes to deliver the More_eggs backdoor, enhancing their malware to evade detection. Companies should bolster employee training to recognize phishing attempts.
Affected: HR departments, corporate recruiters

Key points:

  • Venom Spider targets hiring managers through spear-phishing emails.
  • Malicious resumes drop the More_eggs backdoor for credential theft and data extraction.
  • Upgrades to the malware improve infection effectiveness and evade detection.
  • Organizations should train employees to recognize phishing signs, especially in HR roles.
  • The group has expanded its targeting due to the shift towards online hiring.

MITRE Techniques:

  • T1566.002 – Spear-phishing Link: Users receive malicious links.
  • T1204.002 – User Execution: Users execute a .lnk file to run malicious code.
  • T1059.003 – Windows Command Shell: Launch cmd.exe via the .lnk file.
  • T1059.007 – JavaScript: Execute a chain of JavaScript.
  • T1547.001 – Registry Run Keys: Modify registry for persistence.
  • T1497.003 – Time Based Evasion: Execute meaningless code to consume time and evade time-based analysis.
  • T1027.010 – Command Obfuscation: Employ command obfuscation for evasion.
  • T1027.013 – Encrypted/Encoded File: Use RC4 encryption for code obfuscation.
  • T1027.014 – Polymorphic Code: Generate varying malicious code to avoid detection.
  • T1105 – Ingress Tool Transfer: Transfer tools like JavaScript and executables.
  • T1071.001 – Web Protocols: Communicate with the victim system through web protocols.
  • T1573.001 – Symmetric Cryptography: Use RC4 for data encryption before transmission.
  • T1518.001 – Security Software Discovery: Identify security processes on the victim’s system.
  • T1016.001 – Internet Connection Discovery: Periodically check the internet connectivity of the compromised system.

Indicators of Compromise:

  • [SHA-256] F7A405795F11421F0996BE0D0A12DA743CC5AAF65F79E0B063BE6965C8FB8016
  • [MD5] EC103191C61E4C5E55282F4FFB188156
  • [URL] hxxp://doefstf[.]ryanberardi[.]com/ikskck
  • [URL] hxxps://tool[.]municipiodechepo[.]org/id/243149
  • [File Name] 38754.dll

Full Story: https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/
