TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
IP:Port | Timestamp |
---|---|
Domain | Timestamp |
---|---|
URL | Timestamp |
---|---|
Actor: Venom Spider, Golden Chickens
Names: Venom Spider, Golden Chickens
Country: Russia
Motivation: Financial gain
First-seen: 2017
Description: (Proofpoint) Since the middle of 2018, Proofpoint has been tracking campaigns abusing legitimate messaging services, offering fake jobs, and repeatedly following up via email to ultimately deliver the More_eggs backdoor. These campaigns primarily targeted US companies in various industries including retail, entertainment, pharmacy, and others that commonly employ online payments, such as online shopping portals. The actor sending these campaigns attempts to establish rapport with potential victims by abusing LinkedIn’s direct messaging service. In direct follow-up emails, the actor pretends to be from a staffing company with an offer of employment. In many cases, the actor supports the campaigns with fake websites that impersonate legitimate staffing companies. These websites, however, host the malicious payloads. In other cases, the actor uses a range of malicious attachments to distribute More_eggs. Taurus Loader has been observed to distribute GandCrab and Sodinokibi (Pinchy Spider, Gold Southfield) and Trickbot (Wizard Spider, Gold Blackburn), as well as the actor's own tool More_eggs.
Observed-sectors: Entertainment
Observed-sectors: Financial
Observed-sectors: Pharmaceutical
Observed-sectors: Retail
Observed-countries: USA
Tools: lite_more_eggs
Tools: More_eggs
Tools: Taurus Loader
Tools: TerraCrypt
Tools: TerraPreter
Tools: TerraRecon
Tools: TerraStealer
Tools: TerraTV
Tools: TerraWiper
Tools: ThreatKit
Tools: VenomKit
Tools: VenomLNK
Operations: 2019-02 Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/
Information: https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers
Information: https://www.esentire.com/web-native-pages/unmasking-venom-spider
Information: https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2
Last-card-change: 2023-06-21
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi