 |
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
|
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
APT group: Venom Spider, Golden Chickens| Names | Venom Spider (CrowdStrike) Golden Chickens (QuoINT) | |
| Country |  Russia | |
| Motivation | Financial gain | |
| First seen | 2017 | |
| Description | (Proofpoint) Since the middle of 2018, Proofpoint has been tracking campaigns abusing legitimate messaging services, offering fake jobs, and repeatedly following up via email to ultimately deliver the More_eggs backdoor. These campaigns primarily targeted US companies in various industries including retail, entertainment, pharmacy, and others that commonly employ online payments, such as online shopping portals. The actor sending these campaigns attempts to establish rapport with potential victims by abusing LinkedIn’s direct messaging service. In direct follow-up emails, the actor pretends to be from a staffing company with an offer of employment. In many cases, the actor supports the campaigns with fake websites that impersonate legitimate staffing companies. These websites, however, host the malicious payloads. In other cases, the actor uses a range of malicious attachments to distribute More_eggs. Taurus Loader has been observed to distribute GandCrab and Sodinokibi (Pinchy Spider, Gold Southfield) and Trickbot (Wizard Spider, Gold Blackburn), as well as their own tool More_eggs. | |
| Observed | Sectors: Entertainment, Financial, Pharmaceutical, Retail. Countries: USA. | |
| Tools used | lite_more_eggs, More_eggs, Taurus Loader, TerraCrypt, TerraPreter, TerraRecon, TerraStealer, TerraTV, TerraWiper, ThreatKit, VenomKit, VenomLNK. | |
| Operations performed | Feb 2019 | Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions <https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/> |
| Information | <https://quointelligence.eu/2018/11/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using/> <https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648> <https://quointelligence.eu/2020/01/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors/> <https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers> <https://www.esentire.com/web-native-pages/unmasking-venom-spider> <https://www.esentire.com/web-native-pages/the-hunt-for-venom-spider-part-2> | |
Last change to this card: 21 June 2023
|
Digital Service Security Center Follow us on
|
Report incidents |
|
 |
+66 (0)2-123-1227 | |
 |
[email protected] | |