Summary
- A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a résumé, resulting in a more_eggs backdoor infection.
- The Trend Micro Managed Detection and Response (MDR) team used the Vision One platform to isolate the affected endpoint and block the associated IoCs, stopping the infection.
- Custom Filters and Models tailored to detect the threat can be created in Vision One, and these models can then be passed to a Security Playbook to automate the response to an alert.
- Our analysis found that this incident is linked to recent campaigns using the more_eggs malware, which is part of the Golden Chickens toolkit.
A customer's search for talent led to its recruitment officer downloading a fake résumé and inadvertently executing a malicious .LNK file, resulting in a more_eggs infection. More_eggs is a JScript backdoor that belongs to the Golden Chickens malware-as-a-service (MaaS) toolkit. It is known to be used by financially motivated threat actors such as FIN6 and the Cobalt Group against financial and retail institutions. It communicates with a hard-coded command-and-control (C&C) server to download and execute additional payloads, such as infostealers and ransomware.
Using the Vision One platform, the Trend Micro MDR team quickly identified and contained the threat, preventing potential data exfiltration or encryption.
Technical details
Initial access
A malicious email, purportedly from "John Cboins" using a Gmail account, was sent to a senior executive in the organization (see Figure 2). The email contained no attachments or links. Further investigation showed that the executive replied to the email, but no notable activity followed. At this point, the attacker is suspected to have been building rapport with the user.
Figure 2 was retrieved from the customer's Vision One instance using the following:
- Search method: Email and Collaboration Activity data
- Search query: *John Cboins*
Shortly after, a member of the recruitment team downloaded a purported résumé named John Cboins.zip from a link using Google Chrome (see Figure 3). The source of the link was not identified, but both users' activity indicated that they were looking to fill an internal sales engineer position.
Figure 3 was retrieved from the customer's Vision One instance using the following:
- Search method: Endpoint Activity data
- Search query: eventSubId: 603 AND *John Cboins*
At the time of analysis, the link was still live. It appeared to be an ordinary job applicant's website (see Figure 4) that even includes a CAPTCHA test (see Figure 5). At first glance the website looked harmless, which could easily fool an unsuspecting recruiter.
Execution
The ZIP archive contains John Cboins.lnk and 6.jpeg, as shown in Figure 6.
The LNK file contains obfuscated commands that are passed as arguments to cmd.exe (see Figure 7). These hidden commands run when the user double-clicks the LNK file.
Defense evasion
Once decoded, its behavior becomes clear, as shown in Figure 8: it creates ieuinit.inf outside %windir% (Figure 9), which holds the location of a script component (SCT) file, hxxp://36hbhv.johncboins[.]com/fjkabrhhg. It also copies ie4uinit.exe, the IE Per-User Initialization Utility, outside %windir% and runs it with the -basesettings switch via the WMI Command-Line (WMIC) Utility. Abuse of this LOLBin has been documented previously by security researchers.
The resulting chain of events triggered by running John Cboins.lnk can be readily observed in Trend Micro Vision One™ (Figure 10).
Running the SCT code from hxxp://36hbhv.johncboins[.]com/fjkabrhhg leads to the download and execution of the malicious 38804.dll via regsvr32.exe, the Microsoft Register Server (Figure 11).
This DLL is responsible for dropping the more_eggs launcher (D30F38D93CA9185.txt) and the more_eggs backdoor (765BBCA08C0E9CB6.txt), shown in Figure 12. It also drops msxsl.exe, a legitimate binary known as Microsoft's Command Line Transformation Utility, which is used to run the more_eggs backdoor (Figure 13).
Figure 12 was retrieved from the customer's Vision One instance using the following:
- Search method: Endpoint Activity data
- Search query: eventSubId:101 AND processCmd:*38804.dll*
Figure 13 was retrieved from the customer's Vision One instance using the following:
- Search method: Endpoint Activity data
- Search query: eventSubId: 2 AND (processCmd:*msxsl.exe* OR objectCmd:*msxsl.exe*)
Persistence
The DLL also establishes persistence under HKCU\Environment, as shown in Figure 14. The registry value UserInitMprLogonScript is used to launch the more_eggs launcher (D30F38D93CA9185.txt) with cscript.exe, the Microsoft Console Based Script Host, when the user logs on to the network (Figure 15). This is a legacy Windows feature, used mainly in Active Directory environments, that lets administrators define a logon script that runs when a user session starts. This technique can also be clearly observed in Vision One (Figure 16).
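The following is an added example, not code from the original post or from Trend Micro, that scores registry-modification events for the UserInitMprLogonScript persistence just described. The event field names (process, key, value_name, value_data), the sample events, and the allow-list of processes expected to write logon scripts are all assumptions made for illustration.

```python
"""Score registry writes for UserInitMprLogonScript logon-script persistence.
Event field names and sample events are constructed; they are not Vision One's schema."""
import re

# Windows script hosts; the more_eggs launcher is started with cscript.exe
SCRIPT_HOST = re.compile(r"\b[cw]script(?:\.exe)?\b", re.IGNORECASE)
# An engine override such as -e:jscript makes a .txt file run as JScript
ENGINE_OVERRIDE = re.compile(r"[-/]e:\s*jscript", re.IGNORECASE)
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "bat", "cmd", "ps1"}
# Last whitespace-free token ending in .<ext>, optionally quoted: the script path
SCRIPT_PATH = re.compile(r'"?([^"\s]+\.(\w+))"?\s*$')
# Hypothetical allow-list of processes that normally write logon scripts
EXPECTED_WRITERS = {"gpscript.exe", "explorer.exe", "reg.exe"}


def is_logon_script_write(event: dict) -> bool:
    """True for any write to HKCU\\Environment\\UserInitMprLogonScript."""
    key = event.get("key", "").replace("/", "\\").lower()
    return (key.endswith("\\environment")
            and event.get("value_name", "").lower() == "userinitmprlogonscript")


def risk_indicators(event: dict) -> list:
    """Indicators that make a logon-script write look like more_eggs persistence.
    An empty list means the event is not a logon-script write at all."""
    if not is_logon_script_write(event):
        return []
    data = event.get("value_data", "")
    found = ["UserInitMprLogonScript value written (logon-script persistence)"]
    if SCRIPT_HOST.search(data):
        found.append("value invokes a Windows script host")
    if ENGINE_OVERRIDE.search(data):
        found.append("script engine forced with -e:jscript")
    m = SCRIPT_PATH.search(data)
    if m and m.group(2).lower() not in SCRIPT_EXTENSIONS:
        found.append(f"script file uses a non-script extension .{m.group(2)}")
    lowered = data.lower()
    if "%appdata%" in lowered or "\\appdata\\" in lowered:
        found.append("script stored under the user profile (AppData)")
    if event.get("process", "").lower() not in EXPECTED_WRITERS:
        found.append(f"written by unexpected process {event.get('process')}")
    return found


def high_risk(events, threshold: int = 3) -> list:
    """Events whose indicator count reaches the threshold (tune to your estate)."""
    return [e for e in events if len(risk_indicators(e)) >= threshold]


# Constructed sample events (not real telemetry)
EVENTS = [
    {"process": "regsvr32.exe", "key": r"HKCU\Environment",
     "value_name": "UserInitMprLogonScript",
     "value_data": r'cscripT -e:jsCript "%APPDATA%\Microsoft\D30F38D93CA9185.txt"'},
    {"process": "reg.exe", "key": r"HKCU\Environment",          # admin-style logon script
     "value_name": "UserInitMprLogonScript",
     "value_data": r"\\corp\netlogon\map_drives.vbs"},
    {"process": "explorer.exe", "key": r"HKCU\Environment",     # unrelated variable
     "value_name": "TEMP", "value_data": r"C:\Users\user\AppData\Local\Temp"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["process"], "->", risk_indicators(e))
```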
Discovery
The more_eggs backdoor (765BBCA08C0E9CB6.txt) first checks its running environment to determine its privilege level. It also verifies that the required components are present by checking the objects shown in Figure 17.
It also performs system reconnaissance (Figure 18) by running the following commands through WMI:
- Queries the version of notepad.exe
- Gets the list of IP addresses of the active network adapters on the system
- Gets the list of all currently running processes on the system
- Gets the default startup configuration for processes
- Gets details about the processes
- Runs a performance monitoring command using typeperf.exe, a command-line performance monitor, to query the number of processes waiting for CPU time at a 120-second interval, sampling it once. The 120-second interval is likely intended to evade defenses.
Command and control
It then communicates with its command-and-control (C&C) server (hxxps://webmail.raysilkman[.]com) via the IServerXMLHTTPRequest2 interface provided by the Microsoft XML (MSXML) library, as shown in Figures 19 and 20.
Trend Micro MDR responded promptly by isolating the infected host through Vision One Endpoint Isolation (Figure 21). An isolated endpoint has all of its ports closed except those required to communicate with Vision One, which provides a quick and effective way to contain an infection.
In addition, some of the early indicators observed were blocked, protecting other endpoints without the need for an official solution (such as an anti-malware pattern) to be released (Figure 22).
Campaigns
More_eggs has been seen in attacks as early as 2017. Trend Micro's research describes its use against Russian businesses, including financial institutions and mining companies. These attacks typically involved phishing with malicious documents (.doc, .xls) embedding JavaScript and PowerShell scripts.
In 2019, IBM X-Force IRIS also published research on more_eggs targeting multinational corporations, where attackers used LinkedIn and email to lure employees with fake job offers, directing them to malicious domains. These sites hosted ZIP archives containing a Windows Script File (WSF) that started the infection.
A 2023 report by Securonix Threat Research found more_eggs targeting individuals in the financial sector. Phishing emails led victims to download ZIP archives disguised as images, starting the infection. In June 2024, eSentire's Threat Response Unit reported that attackers posed as job seekers on LinkedIn, directing recruiters to a fake résumé website where a malicious LNK file was downloaded, leading to infection.
The incident described in this blog post is believed to be part of a campaign using the more_eggs malware, which is associated with the Golden Chickens toolkit. This toolkit is distributed by Venom Spider, a malware vendor also known as badbullzvenom.
Distinct Campaigns
VirusTotal uploads from August 1 to September 10 of LNK files with similar patterns suggest a recent or ongoing campaign using the Golden Chickens toolkit. Analysis of these VirusTotal samples reveals two variants of the campaign (Figure 23). The case described earlier in this blog post appears to be linked to Campaign 2. Based on published reports, both campaigns rely on social engineering lures.
Campaign 1
- LNK file names: Usually named after a screenshot or document, although the names can vary (Figure 24).
- Obfuscation technique: Uses string replacement for obfuscation (Figure 25). This approach builds complex commands by replacing parts of the command with predefined variables.
- Additional scripts: Includes other scripts, such as PS1 and VBS, in the attack chain.
Another affected target belongs to the hospitality sector. In this instance, the attack involved an ActiveX Control file, C:\Users\<user>\AppData\Roaming\64221.ocx, and appears to be linked to Campaign 1.
Campaign 2
- LNK file names: Named after a person (Figure 26).
- Obfuscation technique: Uses variable substitution for obfuscation (Figure 27). This method replaces placeholders with specific values to build the final command.
- Additional scripts: Does not use PS1, VBS, or similar scripts in the attack chain.
Targeted Industries
The targeted industries vary, but a common theme emerges: the victims are typically linked to financial resources or hold positions that attackers could leverage to find valuable assets and maximize financial gain. For example, last year's Securonix report, which resembles Campaign 1, focused on individuals in the financial sector, while the IBM X-Force IRIS and eSentire reports, which match Campaign 2, targeted recruiters at multinational companies.
In our case, the victim works in the engineering industry in a recruitment role as a lead talent acquisition specialist, while the fake applicant targeted a sales engineering role, suggesting that the attackers may be after positions tied to substantial financial gains.
In a separate incident involving a victim in the hospitality sector, which occurred a week after our case, the exact role of the victim is unclear, but both cases share the same C&C infrastructure.
Attribution
Attributing these attacks is complicated by the nature of MaaS, which allows the different components of an attack and its infrastructure to be outsourced. This makes it difficult to identify specific threat actors, as multiple groups can use the same toolkits and infrastructure provided by services such as those offered by Golden Chickens.
Nevertheless, the tactics, techniques, and procedures (TTPs) we observed suggest that the initial access may be associated with FIN6, a threat group known for targeting financial institutions and for changing its strategies over time. Recent reports and analyses suggest that FIN6 has adjusted its approach, shifting from posing as fake recruiters to posing as fake job applicants. While this link is not certain, the tactics observed during initial access are consistent with those attributed to FIN6.
Vision One Security Playbook
Although more_eggs is a known malware family that standard anti-malware solutions should handle, threat actors continually devise new ways to get into systems. Because of many variables, including an organization's operational requirements, human error, and possible misconfigurations, the risk of such an incident remains. For Trend Micro MDR customers this is less of a concern, since security analysts monitor the network around the clock. Where constant monitoring of alerts is not feasible, however, one option is a Vision One Security Playbook. This feature lets users automate a wide range of operations, cutting the manual response time to alerts and freeing analysts to focus on other critical tasks.
To build an Automated Response Playbook, the following components are required:
- Trigger: Automatic or manual (executed from Workbench)
- Target: Detection Model (a collection of rules that identify suspicious or malicious activity) or Notable Items (SHA-1, URL, domain, IP address, host)
- Action: Add items to block list, quarantine/delete emails, collect files, submit files/URLs for Sandbox Analysis, terminate process
In this case, the Trigger was set to Automatic or manual (executed from Workbench). This means that playbook execution is started automatically by Workbench alerts, while manual triggering remains possible. For the Target, because threat actors can easily modify their malware and toolkits, Notable Items are less effective; instead, the Detection Models triggered by the intrusion were used (Figure 28).
The Detection Models that fired did so during the later stages of the malware's infection chain:
- Logon Script in UserInitMprLogonScript Registry Entry – triggered by the creation of registry persistence
- CScript Or JScript Set in Registry For Persistence – triggered by the creation of registry persistence
- [Heuristic Attribute] Potential Boot or Logon Autostart Execution – triggered by the creation of registry persistence
- [Heuristic Attribute] Potential Modify Registry Behavior – triggered by the creation of registry persistence
- Backdoor Data Collection via JScript – triggered by the execution of the more_eggs backdoor (765BBCA08C0E9CB6.txt) via msxsl.exe
Ideally, detection models triggered during the early stages of the infection should be used. None existed for this scenario, so a Custom Detection Model was created. In Vision One, a Filter contains the criteria that detect suspicious or malicious activity; a Rule is a collection of Filters; and a Model is a collection of Rules. In some cases, a Model may consist of a single Rule or Filter.
Because the malware uses the LOLBin ie4uinit.exe to load a specially crafted ieuinit.inf, the following criteria were used for the Custom Filters:
- [Custom Filter] ie4uinit.exe copied outside %windir% (Figure 29)
- [Custom Filter] potentially malicious ieuinit.inf created outside %windir% (Figure 30)
Both Custom Filters were then set as conditions for the Custom Model shown in Figure 31.
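As an added example (not Trend Micro's code and not how Vision One evaluates filters internally), the logic of the two Custom Filters and the Custom Model that combines them, run over constructed endpoint events. The event field names (event_type, image_path, file_path), the sample events, and the assumption that %windir% is C:\Windows are all for illustration.

```python
"""Prototype of the two Custom Filters and the AND-model above, over constructed
endpoint events. Field names are assumptions, not Vision One's schema."""
import ntpath

WINDIR = r"C:\Windows"   # assumed; read the WINDIR environment variable on a real host


def under_windir(path: str) -> bool:
    """True if path lies inside %windir% after case and separator normalization."""
    p = ntpath.normcase(ntpath.normpath(path))
    w = ntpath.normcase(ntpath.normpath(WINDIR))
    return p == w or p.startswith(w + "\\")


def has_name(path: str, name: str) -> bool:
    return ntpath.basename(path).lower() == name


def filter_ie4uinit_outside_windir(event: dict) -> bool:
    """[Custom Filter] ie4uinit.exe copied to, or launched from, outside %windir%."""
    if event["event_type"] == "file_create":
        path = event["file_path"]
    elif event["event_type"] == "process_start":
        path = event["image_path"]
    else:
        return False
    return has_name(path, "ie4uinit.exe") and not under_windir(path)


def filter_ieuinit_inf_outside_windir(event: dict) -> bool:
    """[Custom Filter] ieuinit.inf created outside %windir%."""
    return (event["event_type"] == "file_create"
            and has_name(event["file_path"], "ieuinit.inf")
            and not under_windir(event["file_path"]))


def custom_model(events) -> bool:
    """[Custom Model] fires only when both filters match within the same batch
    of events from one host, mirroring the AND condition of the model."""
    return (any(filter_ie4uinit_outside_windir(e) for e in events)
            and any(filter_ieuinit_inf_outside_windir(e) for e in events))


# Constructed sample events for one host (not real telemetry)
TEMP = r"C:\Users\user\AppData\Local\Temp"
EVENTS = [
    # benign: the real utility running from its normal location
    {"event_type": "process_start", "image_path": r"C:\Windows\System32\ie4uinit.exe"},
    # the chain from the decoded LNK: LOLBin and its INF copied outside %windir%
    {"event_type": "file_create", "file_path": TEMP + r"\ie4uinit.exe"},
    {"event_type": "file_create", "file_path": TEMP + r"\ieuinit.inf"},
    {"event_type": "process_start", "image_path": TEMP + r"\ie4uinit.exe"},
]

if __name__ == "__main__":
    print("benign only:", custom_model(EVENTS[:1]))
    print("full chain:", custom_model(EVENTS))
```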
This Custom Model was used as the Target for the Security Playbook (Figure 32). If this model is triggered, a corresponding set of actions is executed (Figure 33).
For the Action part, the following options were selected:
- Add items to block list
- Collect files
- Submit file items for Sandbox Analysis
- Submit URL items for Sandbox Analysis
- Terminate processes
- Isolate endpoints
An overview of the Security Playbook in Figure 34 shows the Trigger set to Automatic or Manual, a single Target model (the Custom Model created earlier), and the configured series of Actions.
This Security Playbook was tested in a lab environment by executing the same LNK file. The entire playbook took nine minutes and 30 seconds to run (Figure 35), with all actions completing successfully (Figure 36).
Conclusion
This more_eggs attack illustrates the growing sophistication of modern cyber threats and the difficulty of detecting them. Our investigation found that the incident aligns with one of two recent campaigns using the more_eggs malware, with techniques overlapping those of the threat group FIN6. Definitive attribution remains difficult, however, because malware as a service (MaaS) blurs the lines between threat actors. The advanced social engineering involved, including a convincing website and a malicious file disguised as a résumé to start the infection, underscores how important it is for organizations to remain vigilant. Defenders need robust threat detection and a culture of security awareness to counter these evolving threats.
Our MDR team stopped this threat using the Vision One platform, preventing the malware from reaching the stage where it could deliver its final payload and exfiltrate or encrypt customer data. The response combined endpoint isolation with proactive blocking of the identified indicators to limit the impact of the attack.
As described in this post, Custom Detection Models add a further layer of defense by enabling automated, real-time responses to future threats. The combination of real-time monitoring, automated response, and proactive threat intelligence that Vision One provided in this incident highlights the role these capabilities play in reducing the risk of such breaches.
Indicators of Compromise (IoCs)
SHA-256 Hashes
| IoC | Detection | Description |
|---|---|---|
| 5131dbacb92fce5a59ac92893fa059c16cf8293e9abc26f2a61f9edd | | John Cboins.zip – ZIP file containing ‘John Cboins.lnk’ and 6.jpg |
| 624afe730923440468cae991383dd1f7be1dadf65fa4cb2b21e3e5a9 | Trojan.LNK.MOREEGGS.B | John Cboins.lnk – LNK file containing an obfuscated command |
| ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4 | | 6.jpg – Encrypted JPG file possibly containing an obfuscated command |
| f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0 | | C:\Users\<user>\AppData\Local\Temp\ieuinit.inf – Malicious INF file loaded by ie4uinit.exe (IE Per-User Initialization Utility) |
| 3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271 | | C:\Users\<user>\AppData\Roaming\Adobe\38804.dll – Malicious DLL file created by ie4uinit.exe and executed by regsvr32.exe |
| 3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271 | | C:\Users\<user>\AppData\Roaming\Adobe\39220.dll – Suspicious DLL file created by ie4uinit.exe and executed by regsvr32.exe |
| d207aebf701c7fb44fe06993f020ac3527680c7fa8492a0b5f6154ca | TrojanSpy.JS.MOREEGGS.A | C:\Users\<user>\AppData\Roaming\Microsoft\D30F38D93CA9185.txt – more_eggs launcher |
| 17ac712a84af8e5c7906bff6e1662a5278d33fa36f1c13fcf788 | TrojanSpy.JS.MOREEGGS.A | C:\Users\<user>\AppData\Roaming\Microsoft\765BBCA08C0E9CB6.txt – more_eggs backdoor |
URLs
| IoC | Detection | Description |
|---|---|---|
| hxxps://1212055764.johncboins[.]com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf | Dangerous – Disease Vector | Direct download for ‘John Cboins.zip’ |
| hxxp://36hbhv.johncboins[.]com/fjkabrhhg | Dangerous – Malware Accomplice | URL referenced by the malicious ieuinit.inf loaded by ie4uinit.exe |
| hxxps://webmail.raysilkman[.]com | Dangerous – C&C Server | Command-and-control server |
Email Address
| IoC | Description |
|---|---|
| fayereed11@gmail[.]com | Source of the spear-phishing email |
Registry
| IoC | Description |
|---|---|
| HKCU\Environment /t 1 /v userinitmprlogonscript /d cscripT -e:jsCript "%APPDATA%\Microsoft\D30F38D93CA9185.txt" | Persistence registry entry created by regsvr32.exe |
![Figure 29. [Custom Filter] ie4uinit.exe copied outside %windir%](/content/dam/trendmicro/global/en/research/24/i/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching/MDR_More_eggs_Backdoor-Fig29.jpg)
![Figure 30. [Custom Filter] potentially malicious ieuinit.inf created outside %windir%](/content/dam/trendmicro/global/en/research/24/i/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching/MDR_More_eggs_Backdoor-Fig30.jpg)
![Figure 31. [Custom Model] more_eggs | ie4uinit.exe and ieuinit.exe created outside %windir%](/content/dam/trendmicro/global/en/research/24/i/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching/MDR_More_eggs_Backdoor-Fig31.jpg)