ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Venom Spider, Golden Chickens

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Venom Spider, Golden Chickens

NamesVenom Spider (CrowdStrike)
Golden Chickens (QuoINT)
CountryRussia Russia
MotivationFinancial gain
First seen2017
Description(Proofpoint) Since the middle of 2018, Proofpoint has been tracking campaigns abusing legitimate messaging services, offering fake jobs, and repeatedly following up via email to ultimately deliver the More_eggs backdoor. These campaigns primarily targeted US companies in various industries including retail, entertainment, pharmacy, and others that commonly employ online payments, such as online shopping portals.

The actor sending these campaigns attempts to establish rapport with potential victims by abusing LinkedIn’s direct messaging service. In direct follow-up emails, the actor pretends to be from a staffing company with an offer of employment. In many cases, the actor supports the campaigns with fake websites that impersonate legitimate staffing companies. These websites, however, host the malicious payloads. In other cases, the actor uses a range of malicious attachments to distribute More_eggs.

Taurus Loader has been observed to distribute GandCrab and Sodinokibi (Pinchy Spider, Gold Southfield) and Trickbot (Wizard Spider, Gold Blackburn), as well as their own tool More_eggs.
ObservedSectors: Entertainment, Financial, Pharmaceutical, Retail.
Countries: USA.
Tools usedlite_more_eggs, More_eggs, Taurus Loader, TerraCrypt, TerraPreter, TerraRecon, TerraStealer, TerraTV, TerraWiper, ThreatKit, VenomKit, VenomLNK.
Operations performedFeb 2019Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions
<https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/>
Information<https://quointelligence.eu/2018/11/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using/>
<https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648>
<https://quointelligence.eu/2020/01/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors/>
<https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers>
<https://www.esentire.com/web-native-pages/unmasking-venom-spider>
<https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2>

Last change to this card: 21 June 2023

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]