Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

Takeaways 

• Arctic Wolf® observed a recent campaign by the financially motivated threat group Venom Spider targeting hiring managers with spear-phishing emails.
• The group abuses legitimate messaging services and job platforms to apply for real jobs using fake malicious resumes that drop a backdoor called More_eggs.  
• The backdoor can be used for a wide scope of malicious activities, from credential theft to stealing sensitive customer payment data, intellectual property or trade secrets.  
• Our research found several upgrades that the threat actor made to this malware to infect victims more effectively, and to evade automated analysis techniques like sandboxing.  
• Organizations should train all employees to recognise the red flags of a phishing attack, particularly those working in departments that must regularly open email attachments as part of their daily job duties, for example, Human Resources.    

Summary 

As part of our ongoing tracking of the threat actor TA4557 (also known as Venom Spider), the Arctic Wolf® Labs team discovered a new campaign targeting corporate human resources departments and recruiters. The threat group uses phishing techniques to drop an enhanced version of a potent backdoor called More_eggs onto victim devices. 

 The group has historically targeted industry sectors that use online payment portals or e-commerce sites to do business, which in the past has included the retail, entertainment and pharmacy industries. This change is a tactical step up in terms of targeting, as it puts every almost industry and organisation in the group’s crosshairs due to the one thing they all have in common: the need to hire new employees.  

 In this report, we’ll provide a technical analysis of the campaign, indicators of compromise (IOCs), tips for remediation, and activity detection rules to counter this threat.  

MITRE ATT&CK® Highlights 

Weaponisation and Technical Overview  

Background 

Venom Spider is a financially motivated threat group that has been targeting organizations seeking to fill job vacancies via legitimate third-party sites such as LinkedIn for the last couple of years. Since the advent of COVID, the group has steadily refined their tactics, techniques and procedures (TTPs) to embrace the online hiring boom, targeting the one department in every company that has to open attachments from unknown senders as an everyday part of their job: Human Resources.  

Since at least October 2023, the threat group has escalated this campaign to directly target recruiters and HR managers with weaponized phishing links purportedly from job seekers, which in fact lead to malicious websites hosting poisoned downloads disguised as fake resumes.  

The payload used in the infection chain of this recent activity is the group’s notorious More_eggs malware, a backdoor capable of harvesting sensitive information and carrying out several additional tasks. We discovered and analysed a new campaign by Venom Spider aimed at spreading this backdoor. Our researchers found several upgrades that the threat actor made to this malware to infect victims more effectively, and to evade automated analysis techniques like sandboxing. 

Key Findings  

• Venom Spider continues to use job seekers as a lure targeting HR departments and corporate recruiters in its phishing campaigns. 
• These phishing campaigns utilise the modular backdoor known as More_eggs, which generates malicious payloads crafted for execution exclusively on the individual systems under attack. 
• Server polymorphism is used to deliver these payloads to the victim’s system. 
• We reveal new functionality that we refer to as the More_eggs_Dropper library. This generates malicious JavaScript code polymorphically, featuring several techniques to evade analysis. 

Victimology 

Historically, the money-motivated Venom Spider has focused on U.S-based e-commerce companies or those that use online payment systems, including organisations in industries such as accounting, legal firms, workforce solutions, insurance, energy providers, food suppliers and building suppliers.

More recently, the group has pivoted to target the HR departments of various companies using social engineering techniques such as phishing, for the sake of credential theft and financial gain.  

The recruiters and hiring managers who work in HR departments are often considered to be the weak point in an organisation by attackers, as the very nature of their job means that they must regularly open email attachments (e.g.: resumes and cover letters) emailed to them from external and unknown sources, including job candidates and hiring agencies.   

Attack Vector 

The first stage of execution in this Venom Spider campaign is a spear phishing email sent directly to the victim corporate recruiter or hiring manager. The message contains a link purportedly for the manager to download the job seeker’s resume from an external site. If the manager clicks the link, they are taken to an actor-controlled website from which the recruiter can download a (decoy) resume. On this site, the human user must check a CAPTCHA box, a precaution that helps the site bypass automatic scanners.  

Figure 1: Malicious website offering a fake resume. 

If the victim successfully passes the CAPTCHA test, a zip file is downloaded to their device which the recruiter is lead to believe is the candidate’s resume. Instead, the zip file contains a malicious Windows shortcut (.lnk) file as well as an image file. The .lnk file is the payload for the first stage of the attack chain, while the g.jpg image file is just a distraction.  

The threat actor’s infrastructure that issues the .lnk file supports server polymorphism. What that means is that a new malicious .lnk file will be generated for each individual download, which changes the code obfuscation and file size each time.  

Figure 2: Contents of the zip file “Ryan Berardi.zip” (g.jpg and Ryan Berardy.lnk).

The .lnk file contains an obfuscated .bat script, which performs several actions when the .lnk file is opened. We managed to obtain several LNK files that had different file sizes (11500-11900 bytes) that were generated on the server side. These malicious files all had the same functionality, but they had completely different code obfuscation. 

Figure 3: Obfuscated Windows Command Shell script in the downloaded LNK file. 

The script creates a file called %temp%\ieuinit.inf at the following path and writes obfuscated commands to it.  

Figure 4: Contents of the uinit.inf file.  

The script executes the Windows batch file code below: 

@echo off 
      start "" "%ProgramFiles%\Windows NT\Accessories\wordpad.exe" 
      echo [version] > "%temp%\ieuinit.inf" 
      echo Signature=$CHICAGO$ >> "%temp%\ieuinit.inf" 
      echo [DefaultInstall] >> "%temp%\ieuinit.inf" 
      cacls "%windir%\system32\ie4uinit.exe" /Y /C /Q

When this code is executed, the Microsoft WordPad application is automatically launched in a ploy to distract the user, who is meant to believe the promised resume is being opened. The batch script will then covertly launch the legitimate Windows utility %windir%\system32\ie4uinit.exe, which in turn executes the commands from the file ieuinit.inf.

As configured, the contents of this .inf file will trigger execution of commands within the malicious %temp%\ieuinit.inf file. 

This is a living-off-the-land (LOTL) technique that has been around for a while. The essence of this technique is to use a legitimate application – in this case, ie4uinit.exe – to execute commands and run JavaScript code. Venom Spider has been using the technique of running JavaScript code with different variations for a long time. 

In this instance, the ieuinit.inf file contains the URL of the next step in the attack chain, hxxp://doefstf[.]ryanberardi[.]com/ikskck. A large and heavily obfuscated JavaScript payload is embedded within the HTML code hosted at this location.

      Figure 5: Obfuscated JavaScript code that contains encrypted data (ikskck). 

Introducing the More_eggs_Dropper Library

After running the previous stage received from the remote malicious server, the JavaScript code creates an executable library in the following location:

C:\Users\%username%\AppData\Roaming\Adobe\d{5}.dll

In this article, we will refer to this library as More_eggs_Dropper.   

More_eggs_Dropper is started on the system with the following command:

regsvr32 /s /n /i:Ferc "C:\Users\%username%\AppData\Roaming\Adobe\d{5}.dll"

The More_eggs_Dropper executable library is complex, utilising obfuscated code that generates JavaScript code polymorphically. Execution of the library is time-delayed to evade sandboxing and analysis by researchers. When it is executed, it creates several files in the following directories:

C:\Users\%username%\AppData\Roaming\Adobe\d{9}.txt     # JavaScript launcher
C:\Users\%username%\AppData\Roaming\Adobe\hex{17}.txt  # JavaScript Payload
C:\Users\%username%\AppData\Roaming\Adobe\msxsl.exe

More_eggs_Dropper creates a legitimate Windows msxsl.exe executable to run XML files that may also contain JavaScript code. This technique is known to have been used by Venom Spider in previous campaigns.  

The second file that creates More_eggs_Dropper is a small JavaScript that executes the launch of the main payload located within the JavaScript Payload. After running these scripts, More_eggs_Dropper is quietly removed from the system.

Figure 6: Deobfuscated code of JavaScript launcher.  

The JavaScript payload is the main malicious code in this attack chain.  

The code of this JavaScript is very similar to the loader that also used by Venom Spider called TerraLoader. The threat actor improved this loader and added more string obfuscation and code encryption.   

More_eggs_Dropper cleverly generates a new JavaScript payload each time it runs. The JavaScript executed on victim devices is highly obfuscated, and contains two blocks of encrypted data. This data contains the JavaScript code used in the next layer.   

Decryption of the first JavaScript layer is performed by a hard-coded key (10-20 bytes in size) combined with an additional three bytes, which are obtained by the script through brute force. The threat actor applies this technique for the purpose of evading analysis, which is feasible to the threat actor considering that the last three bytes of the key typically take several minutes to be found through brute force. The code used for encryption is a variation of RC4. 

Payload Decryption

Here is an example of a decryption key for the first encrypted payload:

WJxQNWvJVK866

As previously noted, the last three bytes in this string are obtained through brute force on infected devices. 

During JavaScript generation, More_eggs_Dropper obtains the computer name and %PROCESSOR_IDENTIFER%. It then adds this data to an already known key and uses it as a decryption key for the second layer payload. For example: 

WJxQNWvJVK866Name-PCIntel64 Family 6 Model 142 Stepping 10, GenuineIntel

The technique used to generate this decryption key complicates analysis of this attack, preventing automatic decryption of the payload when executed in a sandbox environment. In practice, it is impossible to obtain the final stage of More_eggs without having encryption keys that are specifically generated for the devices being targeted.

Figure 7: Venom Spider’s JavaScript dropper payload. 

During our analysis, we were able to obtain a final payload of More_eggs, which contained new command-and-control (C2) commands to interact with the malicious server. We were also able to identify the C2 configuration used in this campaign: 

hxxps://tool[.]municipiodechepo[.]org/id/243149

After launching the More_eggs payload, the backdoor collects information about the victim’s system and sends it to a remote server for further processing by the threat actor.   

Next, the backdoor waits for a response from the server, establishing a connection every three minutes. 

 The following C2 commands are supported by the backdoor:  

Based on the C2 commands contained in the backdoor, we assess that threat actors using this backdoor have the ability to run additional JavaScript code or executable files on the victim’s system.  

Figure 8: The configuration of the More_eggs bot specified at the beginning of the file. 

Network Infrastructure 

The network infrastructure utilised by Venom Spider has become disparate and well obfuscated in recent years. In previous More_eggs campaigns, the infrastructure could be tracked to some degree by whois information and hosting providers.  

This current campaign is utilising cloud hosted infrastructure and anonymous domain registration. The threat group has taken the time to use multi-level URLs for C2 communication to avoid scanners like Censys and Shodan. The actors, while using domains that were previously registered, also utilise only subdomains to further impede automated tracking efforts. 

In the current campaign infrastructure, both municipiodechepo[.]org and ryanberardi[.]com have current registrant organisations of “Domains By Proxy, LLC.” Both domains are hosted on Amazon. While the phishing subdomain is still hosted on the Amazon cloud, the malicious C2 subdomain is hosted on a separate service through GoDaddy, at the IP address 208[.]109.231[.]95. 

Attack Flow 

Figure 9: Venom Spider attack flow (click to enlarge).

Remediation 

Due to Venom Spider’s use of social engineering, including the targeting of corporate HR and other hiring staff with realistic-looking job application phishing emails and actor-controlled “resume” websites, organisations that make use of third-party job posting websites (including sites like LinkedIn, Indeed.com and similar) should regularly train employees on identifying and countering spear phishing attacks.  

Employees who work in vulnerable departments such as HR and Recruitment should receive additional training that teaches them to always be extra-wary of attachments that are LNK, ISO, or VBS files. These file-types are often sent as zip files to bypass email filters. Employees should be taught to routinely inspect attachment files by right clicking the file and selecting “Properties” (on Windows) or “Get Info” (on Mac) before opening them. 

In addition, organisations can protect themselves by exercising the following measures:  

• Consider the use of Secure Email Gateway solutions to help proactively filter out malicious emails. 
• Implement an Endpoint Detection and Response (EDR) solution such as Arctic Wolf® Aurora™ Endpoint Security. 
• Ensure all employees throughout the company are aware of good security hygiene practices, including awareness of social engineering. 
• Add or enable a phishing report button in your organisation’s email solution, to empower employees to immediately report suspected phishing emails to your SOC or IT security team. 
• Consider conducting regular internal phishing tests to reinforce security training. 
• Block identified command-and-control infrastructure used in this campaign.  
• Deploy detection rules for More_eggs components.  
• Carefully review logs for indicators of compromise.

How Arctic Wolf Protects its Customers 

Arctic Wolf is committed to ending cyber risk with its customers, and when active campaigns are identified we move quickly to protect our customers.  

Arctic Wolf Labs has leveraged threat intelligence around Venom Spider activity to implement new detections in the Arctic Wolf® Aurora™ Platform to protect customers. As we discover new information, we will enhance our detections to account for additional IOCs and techniques leveraged by this threat actor. 

Conclusion  

Our recent findings suggest that Venom Spider is using the More_eggs backdoor campaign to target Human Resources departments and is highly focused on the long-term survivability of its campaigns.   

The threat actor has demonstrated a continued investment in the development and maintenance of its backdoor infrastructure over time. This is evidenced by the use of sophisticated code obfuscation and code encryption, which improve its stealth and evasiveness against defenders. 

Appendix 

Indicators of Compromise (IOCs) 

List of Targeted Antivirus Processes

This section contains a list of processes the More_eggs backdoor looks for on victim devices. CRC32 hashes are given in decimal format, just as they are found in the backdoor. All processes are components of various antivirus applications. 

The list below shows the names of the processes we were able to decipher from the backdoor.  

Detections

Yara Rules 

rule More_eggs_Dropper {  

meta:
        description = "Rule to detect More_eggs_Dropper"
        last_modified = "2025-04-24"
        author = "The Arctic Wolf Labs team"
        version = "1.0"
        sha256 = "f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016"       

strings:
        $a1 = "Authorities32" ascii wide
        $a2 = "Guards128" ascii wide
        $a3 = "Implications256" ascii wide
        $a4 = "Monster32" ascii wide
        $a5 = "Sphere256" ascii wide          

condition:
uint16(0) == 0x5A4D and filesize < 1MB and ((all of ($a*)))
} 

rule More_eggs_JS_BackDoor {

meta:
  description = "Rule to detect More_eggs_JavaScript"
  last_modified = "2025-04-24"
  author = "The Arctic Wolf Labs team"
  version = "1.0"    

strings:
  $a1 = "var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each);"  ascii wide
  $a2 = "function hit_Gate(URL, POSTdata, gResponse, method)"  ascii wide
  $a3 = "function dExec(zURL, myKey, xPE, xEntryP)" ascii wide
  $a4 = "var xCrypted = zzzz4(Rkey + keynow, not_unique) + keynow;" ascii wide
  $a5 = "tmp = 3988292384 ^ tmp >>> 1;"
  $a6 = "cNow !== 3377271179 && cNow !== 3106260013 &&"   

condition:  
  filesize < 1MB and (2 of ($a*)) 
} 

Detailed MITRE ATT&CK® MAPPING  

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.