The malware-as-a-service (MaaS) operation known as Golden Chickens has been linked to two more intrusion sets in addition to its primary “more_eggs” malware offering.
Golden Chickens is now offering a new backdoor, dubbed RevC2, capable of stealing cookies and passwords, proxying network traffic, taking screenshots, and facilitating remote code execution (RCE). The backdoor uses WebSockets to communicate with command-and-control (C2) infrastructure.
The MaaS has also been linked to a new loader called Venom Loader, which is designed to launch More_eggs lite, a smaller variant of the original malware that provides RCE capabilities.
Both RevC2 and Venom Loader are deployed using VenomLNK, a tool that provides an initial access vector for the deployment of subsequent payloads. According to cybersecurity researchers, both malware sets have been active from August to October 2024.
Source: The Hacker News
Analysis
Golden Chickens’ malware was recently observed in a campaign that targeted human resources recruiters with trojanized resumes containing the More_eggs backdoor. HR staff, and recruiters in particular, are frequent targets because engaging with unfamiliar external contacts is a normal part of their job.
The More_eggs backdoor is designed to harvest credentials, including those for banking, email, and IT-related accounts. Because it is sold as a service, any threat actor who purchases a subscription can use the malware and its command-and-control infrastructure, which the MaaS operator typically maintains as part of the offering.
By expanding its malicious offering, Golden Chickens is showing that it’s no spring chicken when it comes to the MaaS industry.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for emerging threats such as the Golden Chickens MaaS. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these threats pose.
Field Effect MDR users are automatically notified when malicious activity of this kind is detected in their environment and are encouraged to review the resulting AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends that organizations scrutinize job application invitations received via email, messaging services such as WhatsApp, and social media, and keep in mind that the individual making contact may not be who they claim to be. Organizations should always take steps to verify a prospective candidate’s identity.
Field Effect users are encouraged to submit suspicious emails, including job offers and resumes, to Field Effect’s Suspicious Email Analysis Service (SEAS) to confirm they are benign before clicking any links or opening attachments.