CTI Roundup: Rockstar 2FA, RevC2 and Venom Loader, and SmokeLoader Malware
Rockstar 2FA targets M365 users, threat actors deploy new RevC2 and Venom Loader malware, and SmokeLoader malware reappears after a decline
This week CTI looks at email campaigns which are leveraging a phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA. Next CTI investigates RevC2 and Venom Loader – two new malware families which were deployed in campaigns between August and October 2024. Finally, CTI explores a recent attack involving the notorious SmokeLoader malware.
1. Rockstar 2FA targets Microsoft 365 users
Trustwave is warning about email campaigns that leverage Rockstar 2FA, which is an updated version of the DadSec/Phoenix phishing service.
The campaign leverages an adversary-in-the-middle (AiTM) technique to steal credentials and session cookies, which leaves even MFA-protected accounts vulnerable to takeover.
Campaign overview
Trustwave researchers have been tracking a large phishing campaign that peaked in August 2024 and is still active today. The campaign leverages an AiTM attack which enables the actor to intercept credentials and cookies. This campaign targets Microsoft user accounts with pages that mimic the Microsoft 365 login. Trustwave notes that this campaign includes car-themed web pages, leading them to identify more than 5,000 car-themed domains linked to the campaign.
Rockstar 2FA PhaaS
The campaign is associated with the Rockstar 2FA phishing kit. Marketing and communications for Rockstar 2FA were observed on ICQ, Telegram, and Mail[.]ru. The phishing kit features multifactor bypass, cookie harvesting, antibot protection, login themes, randomized source code and attachments, fully undetectable (FUD) links, and more.
Email campaigns
The emails in these campaigns are delivered in a few different ways including compromised accounts, spamming tools, and the abuse of legitimate platforms. The actor uses a range of themes and lures in the emails including document and file sharing notifications, HR/payroll related messages, IT department notifications, password related alerts, and more.
Trustwave observed the actor using various techniques to bypass antispam detections like obfuscation, FUD links, and QR codes, among others. The links in the emails lead to a phishing landing page or a car-themed site depending on the response from the AiTM server. Visitors to the page receive a Cloudflare Turnstile challenge, which actors often use to evade automated analysis.
AiTM phishing page
The phishing page is retrieved after going through the Cloudflare Turnstile challenge. Trustwave believes that there are checks in place to determine if the phishing page or the car-themed decoy page should be displayed to the user.
The phishing page collects whatever the user enters and forwards it to the AiTM server, which relays it to the legitimate Microsoft login. Because the real service completes the MFA exchange with the victim, the session cookie it issues is captured by the attacker and can be replayed without the second factor.
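The practical consequence of a captured session cookie is that the same session shows up in sign-in telemetry from a host the victim never used. The following is an added example, not Trustwave's or Tanium's code: it runs a simple replay heuristic over a constructed, simplified sign-in log (the field names and the sample events are assumptions and do not match the real Entra ID schema). It anchors on the interactive sign-in that satisfied MFA and flags any later use of the same session from a different ASN inside a short window.

```python
"""Flag session-cookie replay in simplified sign-in logs (added example).

The schema and the events below are constructed for illustration; they are
not Entra ID records and not data from the Rockstar 2FA campaign.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. S-1 models an AiTM victim: MFA satisfied from one
# ASN, then the same session reused minutes later from another. S-2 is benign.
SIGN_INS = [
    {"ts": "2024-08-12T09:01:10Z", "user": "alice@example.com", "session": "S-1",
     "ip": "203.0.113.10", "asn": "AS64500", "mfa": "satisfied", "interactive": True},
    {"ts": "2024-08-12T09:04:45Z", "user": "alice@example.com", "session": "S-1",
     "ip": "198.51.100.77", "asn": "AS64501", "mfa": "previously satisfied", "interactive": False},
    {"ts": "2024-08-12T10:00:00Z", "user": "bob@example.com", "session": "S-2",
     "ip": "203.0.113.11", "asn": "AS64500", "mfa": "satisfied", "interactive": True},
    {"ts": "2024-08-12T10:30:00Z", "user": "bob@example.com", "session": "S-2",
     "ip": "203.0.113.11", "asn": "AS64500", "mfa": "previously satisfied", "interactive": False},
]

WINDOW = timedelta(hours=1)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replay(events, window=WINDOW):
    """Return (user, session, mfa_ip, replay_ip) for every session whose cookie
    was reused from a different ASN within `window` of the MFA sign-in."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        # The interactive sign-in that satisfied MFA is the victim's own login
        # (proxied through the AiTM server in the Rockstar 2FA case).
        anchor = next((e for e in evs if e["interactive"] and e["mfa"] == "satisfied"), None)
        if anchor is None:
            continue
        t0 = parse_ts(anchor["ts"])
        for e in evs:
            if e is anchor:
                continue
            # Same session, different network, shortly after MFA: treat as replay.
            if e["asn"] != anchor["asn"] and parse_ts(e["ts"]) - t0 <= window:
                findings.append((e["user"], sid, anchor["ip"], e["ip"]))
                break
    return findings


if __name__ == "__main__":
    for user, sid, mfa_ip, replay_ip in find_session_replay(SIGN_INS):
        print(f"possible cookie replay: {user} session {sid}: MFA from {mfa_ip}, reused from {replay_ip}")
```

Note that in a genuine AiTM case the interactive sign-in itself originates from the proxy's address rather than the victim's machine, so in production this check should also compare the anchor event against the user's known ASNs and device identifiers, not only against later events in the same session.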
Analyst comments from Tanium’s Cyber Threat Intelligence team
Trustwave sums up the severity of this threat nicely, stating that “commodity phishing attacks, such as campaigns linked to the Rockstar 2FA PaaS platform, continue to be prevalent due to their low cost and ease of deployment.”
The actor behind these campaigns is using Rockstar 2FA together with the AiTM technique, which increases the chance of success and paves the way for follow-on attacks using the stolen credentials and cookies. Looking ahead, the Rockstar 2FA toolkit will likely receive further updates and wider use.
2. Threat actors deploy RevC2 and Venom Loader malware
Zscaler identified two new malware families, RevC2 and Venom Loader, which were deployed in campaigns between August and October 2024.
Both malware families were deployed via malware-as-a-service (MaaS) tools from an actor known as Venom Spider. The Venom Loader family is customized for each victim.
Campaign 1: API documentation lure results in RevC2
The first campaign took place between August and September and used an API documentation lure to deliver its payload (RevC2). Distribution remains unknown, but the first stage of the attack starts with a file called VenomLNK. This file contains a batch script that will download an image file that is the API documentation lure.
VenomLNK executes a command that triggers RevC2. RevC2 only runs its malicious routines once several checks confirm it is not executing in a sandbox environment, and it uses WebSockets for C2 communication. The malware is capable of many things, including stealing passwords, executing shell commands, taking screenshots, proxying traffic, stealing cookies, and executing commands as a different user.
Campaign 2: Crypto lure results in Venom Loader
The second campaign took place from September to October and used a crypto transaction lure to deliver Venom Loader. Venom Loader will, in turn, load a JavaScript backdoor called More_eggs lite. This will provide the actor with remote code execution capabilities.
As with the first campaign, the method of distribution is unknown. However, researchers confirmed that the first stage of the attack starts with a VenomLNK file containing an obfuscated batch script that downloads and displays the crypto lure image. The malware then downloads a zip file, unzips it, and sideloads a malicious DLL that executes Venom Loader.
The DLL is custom built for each of the victims, using the computer name of the victim to encode the payload. Venom Loader is then used to load the More_eggs lite backdoor which will send HTTP POST requests in a loop to the C2.
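Both campaigns above start from a VenomLNK shortcut whose embedded command line does the real work, so the first triage step for an analyst is to pull the target and arguments out of the .lnk without double-clicking it. The following is an added example, not Zscaler's code or an actual VenomLNK sample: a minimal parser for the MS-SHLLINK header and StringData sections, exercised against a shortcut constructed inline (the relative path, URL and batch file name in the sample are invented for illustration).

```python
"""Extract the command line from a Windows shortcut (.lnk) for triage.

Added example; implements the MS-SHLLINK ShellLinkHeader and StringData
layout. The sample shortcut built below is constructed, not VenomLNK.
"""
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian GUID) order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# StringData blocks appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C                                    # fixed header size
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: u16 size, then ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: u32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    out = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            out[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            out[name] = data[off:off + count].decode("cp1252")
            off += count
    return out


# Keywords an analyst looks for in shortcut command lines (assumed list, extend as needed).
SUSPICIOUS = ("cmd", "powershell", "mshta", "wscript", "cscript", "rundll32", "certutil", "http")


def lnk_indicators(data: bytes) -> list:
    """Suspicious keywords present anywhere in the shortcut's string fields."""
    blob = " ".join(parse_lnk(data).values()).lower()
    return [k for k in SUSPICIOUS if k in blob]


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal shortcut: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS (Unicode)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # times/size zero, SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Invented sample: a shortcut that opens a lure image and runs a dropped batch file.
SAMPLE_LNK = build_sample_lnk(r"..\..\Windows\System32\cmd.exe",
                              '/c start "" http://lure.example/API.png & call %TEMP%\\stage.bat')

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print(f"{k:14} {v}")
    print("indicators:", lnk_indicators(SAMPLE_LNK))
```

Real samples usually carry a LinkTargetIDList and LinkInfo as well; both are skipped by size above, so the parser still lands on the string fields. The keyword list is only a starting point: VenomLNK relies on the arguments field to stage a batch script, so a shortcut whose arguments run an interpreter or fetch a URL is the signal to escalate.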
Analyst comments from Tanium’s Cyber Threat Intelligence team
The Venom Loader malware family is particularly interesting since it’s customized for each victim, which isn’t very common.
It’s possible that we will see additional threat actors using these two malware families, when considering they were deployed via Venom Spider MaaS tools which are popular among notorious threat groups. As Zscaler points out, it’s also likely that these malware families will evolve to include additional features.
3. SmokeLoader malware reappears after a decline
Researchers recently observed an attack that used the notorious SmokeLoader malware.
SmokeLoader activity significantly declined after Europol took down the infrastructure of several major malware families back in May 2024, making the malware’s resurgence noteworthy.
Overview and attack flow
In September, Fortinet observed the SmokeLoader campaign targeting companies in Taiwan. Companies across multiple verticals were attacked including healthcare, manufacturing, IT and other sectors.
SmokeLoader malware is known for its versatility and evasion techniques. The malware serves as a downloader to deliver additional malware and, in this case, downloads plugins from its C2 server.
SmokeLoader and phishing
The attack starts with a phishing email that contains an attachment. The attached file pretends to be a quote that includes special instructions. Fortinet believes these emails may have been copied from elsewhere, because the recipient's name is not changed when the email is sent to other organizations. Additionally, the email signature uses a different font, color, and telephone number from the body of the email.
Exploiting vulnerabilities
The attack chain begins with one of two Microsoft Office vulnerabilities but arrives at AndeLoader either way. The first is CVE-2017-0199, which abuses an OLE2-embedded link object to fetch and run a remote payload; the second, CVE-2017-11882, is a remote code execution flaw in the Office Equation Editor.
AndeLoader
The actor ends up using AndeLoader regardless of which vulnerability is exploited. This stage starts with a VBS file padded with junk code to hide the malicious logic. That code downloads a JPG file in which the injector is hidden steganographically. The injector itself is simple and not obfuscated: it establishes persistence and performs the injection of SmokeLoader.
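The page says the injector is hidden in a JPG but does not describe the hiding scheme, so the following is an added triage example, not Fortinet's analysis of AndeLoader. It assumes the common variant in which the payload is appended after the image's end-of-image marker as a base64 blob (an assumption, not something the page states), and it walks the JPEG segment structure to find the real EOI instead of searching for the last FF D9, which embedded EXIF thumbnails or payload bytes can confuse. The sample image and payload are constructed inline.

```python
"""Triage a JPEG for data hidden after the end-of-image marker (added example).

Assumptions, not facts from the page: the payload sits after EOI as a base64
blob and decodes to a PE. The sample JPEG is constructed and not viewable.
"""
import base64
import re


def jpeg_end_offset(img: bytes) -> int:
    """Offset just past the EOI marker that terminates the image, found by
    walking the marker segments (handles byte-stuffed FF 00 and RSTn in scans)."""
    if img[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(img):
        if img[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = img[pos + 1]
        if marker == 0xFF:                                  # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                                  # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(img):
            raise ValueError("truncated segment")
        pos += 2 + int.from_bytes(img[pos + 2:pos + 4], "big")  # length includes itself
        if marker == 0xDA:                                  # SOS: skip entropy-coded data
            while pos + 1 < len(img):
                nxt = img[pos + 1]
                if img[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                                   # a real marker follows
                pos += 1
    raise ValueError("no EOI found")


def trailing_data(img: bytes) -> bytes:
    """Bytes after the image proper; a clean JPEG has none."""
    return img[jpeg_end_offset(img):]


B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def hidden_payload(img: bytes) -> dict:
    """Report trailing data and whether a PE is found raw or base64-encoded in it."""
    tail = trailing_data(img)
    result = {"trailing_bytes": len(tail), "pe_found": False}
    if tail.startswith(b"MZ"):
        result.update(pe_found=True, payload_size=len(tail))
        return result
    for m in B64_BLOB.finditer(tail):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if blob[:2] == b"MZ":
            result.update(pe_found=True, payload_size=len(blob))
            break
    return result


def build_sample_jpeg(payload: bytes) -> bytes:
    """Constructed: SOI, APP0/JFIF, a one-component SOS with stuffed FF 00, EOI, then payload."""
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"            # entropy data with a byte-stuffed FF
    return soi + app0 + sos + scan + b"\xff\xd9" + b"<<" + base64.b64encode(payload) + b">>"


# Invented payload: an MZ header followed by filler, standing in for the injector.
SAMPLE_JPEG = build_sample_jpeg(b"MZ" + b"\x90" * 100)

if __name__ == "__main__":
    print(hidden_payload(SAMPLE_JPEG))
```

Actual steganographic loaders vary (some wrap the blob between marker strings, some hide it in pixel data rather than after EOI), so treat a non-empty `trailing_bytes` as a reason to look closer rather than as proof, and extend the decoder once the real scheme is known from the VBS stage.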
SmokeLoader’s plugins
The actor’s C2 server distributes nine plugins, which include three individual plugins and three containing 32-bit and 64-bit versions. The plugins enable the actor to steal login credentials, FTP credentials, email addresses, cookies, and more from various web browsers, Outlook, Thunderbird, FileZilla, and WinSCP.
Analyst comments from Tanium’s Cyber Threat Intelligence team
SmokeLoader has always been advanced and adaptable. Fortinet's observations further demonstrate the malware's resilience, especially given that part of its infrastructure (1,000+ C2 domains) was previously taken down by law enforcement.
That said, this campaign relies on Office vulnerabilities from 2017, which makes its overall level of success questionable against patched environments. It will be interesting to see whether SmokeLoader starts to leverage more recent exploits as time goes on.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.