Threat Group Cards: A Threat Actor Encyclopedia

APT group: Venom Spider, Golden Chickens

Names	Venom Spider (CrowdStrike) Golden Chickens (QuoINT)
Country	Russia
Motivation	Financial gain
First seen	2017
Description	(Proofpoint) Since the middle of 2018, Proofpoint has been tracking campaigns abusing legitimate messaging services, offering fake jobs, and repeatedly following up via email to ultimately deliver the More_eggs backdoor. These campaigns primarily targeted US companies in various industries including retail, entertainment, pharmacy, and others that commonly employ online payments, such as online shopping portals. The actor sending these campaigns attempts to establish rapport with potential victims by abusing LinkedIn’s direct messaging service. In direct follow-up emails, the actor pretends to be from a staffing company with an offer of employment. In many cases, the actor supports the campaigns with fake websites that impersonate legitimate staffing companies. These websites, however, host the malicious payloads. In other cases, the actor uses a range of malicious attachments to distribute More_eggs. Taurus Loader has been observed to distribute GandCrab and Sodinokibi (Pinchy Spider, Gold Southfield) and Trickbot (Wizard Spider, Gold Blackburn), as well as their own tool More_eggs.
Observed	Sectors: Entertainment, Financial, Pharmaceutical, Retail. Countries: USA.
Tools used	lite_more_eggs, More_eggs, Taurus Loader, TerraCrypt, TerraPreter, TerraRecon, TerraStealer, TerraTV, TerraWiper, ThreatKit, VenomKit, VenomLNK.
Operations performed	Feb 2019	Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions <https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/>
Information	<https://quointelligence.eu/2018/11/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using/> <https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648> <https://quointelligence.eu/2020/01/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors/> <https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers> <https://www.esentire.com/web-native-pages/unmasking-venom-spider> <https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2>

Last change to this card: 21 June 2023

Download this actor card in PDF or JSON format

Previous: Vendetta, TA2719
Next: Vicious Panda