More_eggs is a backdoor Trojan sold under a Malware-as-a-Service (MaaS) model. Its developer is believed to be the Golden Chickens group, whose customers have included several well-known, financially motivated threat groups: FIN6, Evilnum, and the Cobalt Group. More_eggs is built to stay largely undetected while giving whichever group is operating it a foothold from which to escalate, downloading whatever end-stage payload suits that group's goals.
Fake Job Offer Emails Spread More_eggs Backdoor
The initial compromise vector in more_eggs campaigns is usually a targeted spear-phishing email carrying a weaponized attachment. The latest operation involving this backdoor was uncovered by the research team at eSentire. According to their findings, an as-yet unidentified group has begun targeting high-ranking employees with fake job offers. The malicious zip file attached to the email is named after the job title listed on the target's own LinkedIn profile, with the word 'position' appended: a user listed as Senior Product Manager receives an archive named 'Senior Product Manager - position'. Opening the archive starts the installation of the fileless more_eggs Trojan.
The installation of more_eggs runs through several stages and intermediate loaders. In the first step, by interacting with the file delivered in the spear-phishing email, the victim actually runs VenomLNK, the initial stage of the more_eggs chain. VenomLNK abuses Windows Management Instrumentation (WMI) to launch the next-stage plugin loader, TerraLoader. TerraLoader in turn abuses two legitimate, signed Windows binaries, cmstp and regsvr32, so that the malicious code runs under the cover of trusted system processes. To mask the activity going on in the background, the threat presents the victim at this point with a decoy Word document made to look like a legitimate employment application. Meanwhile, TerraLoader installs a copy of msxsl (Microsoft's command-line XSL transformation tool) in the targeted user's roaming profile and loads a new payload, TerraPreter, from an ActiveX control file (.ocx) fetched from Amazon Web Services.
The next stage sees the newly established TerraPreter payload begin beaconing to a Command-and-Control (C2, C&C) server through the weaponized copy of msxsl. The beacon tells the threat actor that more_eggs is fully established on the victim's system and ready to proceed. The operators can then instruct the backdoor to download and execute end-stage payloads such as ransomware and infostealers, or to start exfiltrating sensitive data.
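Each stage of the chain described above leaves an observable trace in process-creation telemetry: cmstp and regsvr32 launched under the WMI provider host, those same binaries pointed at files in a user's roaming profile, and msxsl.exe executing from that profile instead of from a system or tools directory. The following hunting script is an added example written for this page, not code from the article, from eSentire, or from Golden Chickens. It runs three rules over a constructed set of Sysmon-style process events and then correlates them per account. The field names, the rule names, the sample events, and the assumption that WMI-launched processes show up with WmiPrvSE.exe as their parent are all assumptions of the example. Note that cmstp or regsvr32 loading from a user-writable path is a general living-off-the-land signal, not something unique to more_eggs, which is why the per-account correlation matters.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 style, trimmed). Field names are assumed."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line
    user: str       # account the process runs as


# Constructed sample telemetry mirroring the chain in the text; not real captures.
SAMPLE_EVENTS = [
    ProcEvent(4001, 1200, r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\jdoe"),
    ProcEvent(4100, 900, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe",
              r"NT AUTHORITY\NETWORK SERVICE"),
    # VenomLNK -> WMI -> TerraLoader: cmstp and regsvr32 started by the WMI host
    # and pointed at files dropped in the user's roaming profile
    ProcEvent(4120, 4100, r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /ni /s C:\Users\jdoe\AppData\Roaming\tmp\setup.inf", r"CORP\jdoe"),
    ProcEvent(4130, 4100, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\tmp\ctl.ocx", r"CORP\jdoe"),
    # the weaponized msxsl copy installed in the roaming profile and used for the beacon
    ProcEvent(4140, 4130, r"C:\Users\jdoe\AppData\Roaming\tmp\msxsl.exe",
              r"msxsl.exe in.xml in.xsl", r"CORP\jdoe"),
    # benign noise: a vendor installer registering its own DLL from Program Files
    ProcEvent(5000, 4900, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll", r"CORP\jdoe"),
    # benign noise: msxsl run by a developer from a tools directory
    ProcEvent(5100, 4001, r"C:\Tools\msxsl.exe", r"msxsl.exe data.xml style.xsl", r"CORP\jdoe"),
]

LOLBINS = {"cmstp.exe", "regsvr32.exe"}
WMI_HOST = "wmiprvse.exe"  # assumed parent image for processes created through WMI
# Anything under a per-user AppData tree is writable by that user and a common drop site
USER_PROFILE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def hunt(events):
    """Return (pid, rule) pairs for events matching the chain's observable stages."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = _name(parent.image) if parent else ""
        # Stage: VenomLNK abusing WMI to start the loader's cmstp/regsvr32
        if name in LOLBINS and parent_name == WMI_HOST:
            findings.append((e.pid, "lolbin_spawned_by_wmi"))
        # Stage: cmstp/regsvr32 handed a file (.inf/.ocx) from the user's profile
        if name in LOLBINS and USER_PROFILE.search(e.cmdline):
            findings.append((e.pid, "lolbin_loads_from_user_profile"))
        # Stage: msxsl itself running out of the roaming/local profile
        if name == "msxsl.exe" and USER_PROFILE.search(e.image):
            findings.append((e.pid, "msxsl_in_user_profile"))
    return findings


def triage(events, min_rules=2):
    """Group findings per account; keep accounts where >= min_rules distinct rules fired."""
    by_pid = {e.pid: e for e in events}
    rules_by_user = defaultdict(set)
    for pid, rule in hunt(events):
        rules_by_user[by_pid[pid].user].add(rule)
    return {u: sorted(r) for u, r in rules_by_user.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print(triage(SAMPLE_EVENTS))
```

On the sample data only the three chain events fire; the installer's regsvr32 call and the developer's msxsl run produce nothing, and the account CORP\jdoe is surfaced by `triage` because all three distinct rules hit it. In a real deployment the same three conditions map directly onto Sysmon or EDR process-creation queries, with the per-account correlation done in the SIEM.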
Previous More_eggs Campaigns
The detection-avoidance techniques of more_eggs, above all its abuse of native Windows binaries, coupled with its versatile functionality, have helped Golden Chickens attract several APT-style groups as clients. Infosec researchers have seen the backdoor used by FIN6, Evilnum, and the Cobalt Group. Although all three can be described as targeting the financial sector, their operations are quite different. FIN6 specializes in the theft of payment card data, which is later sold on underground trading platforms; its main targets are POS (point-of-sale) systems and eCommerce companies. Evilnum, on the other hand, goes after financial technology companies and stock trading platform providers, stealing sensitive information about the compromised company and its clients: spreadsheets, customer lists, trading operations, and account credentials. The Cobalt Group also targets financial companies and has used more_eggs in several operations so far.