MDR in Action: Preventing The More_eggs Backdoor From Hatching

    Date: 10/01/2024

    Severity: Medium

    Summary

    A customer’s recruitment search led their recruitment officer to download a fraudulent resume and unintentionally run a malicious .LNK file, resulting in a More_eggs infection. More_eggs is a JScript backdoor associated with the Golden Chickens malware-as-a-service (MaaS) toolkit. It is commonly used by financially motivated threat actors, including FIN6 and the Cobalt Group, to target financial and retail institutions. The backdoor connects to a fixed command-and-control (C&C) server to download and execute additional payloads, such as infostealers and ransomware.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf

    http://36hbhv.johncboins.com/fjkabrhhg

    https://webmail.raysilkman.com

    Hash

    ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4
    
    f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0
    
    3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271

    Mail

    fayereed11@gmail.com

    CommandLine

    HKCU\Environment /t 1 /v userinitmprlogonscript /d cscripT -e:jsCript "%APPDATA%\ Microsoft\D30F38D93CA9185.txt"

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf" or url like "https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf" or userdomainname like "http://36hbhv.johncboins.com/fjkabrhhg" or url like "http://36hbhv.johncboins.com/fjkabrhhg" or userdomainname like "https://webmail.raysilkman.com" or url like "https://webmail.raysilkman.com"

    Detection Query 2

    sha256hash IN ("ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4","f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0","3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271")

    Detection Query 3

    From like "fayereed11@gmail.com" or to like "fayereed11@gmail.com" or sender like "fayereed11@gmail.com" or receiver like "fayereed11@gmail.com"

    Detection Query 4

    (resourcename in ("Windows Security") AND eventtype = "4688") AND winmessage IN ("HKCU\Environment /t 1 /v userinitmprlogonscript /d cscripT -e:jsCript %APPDATA%\ Microsoft\D30F38D93CA9185.txt")

    Detection Query 5

    technologygroup = "EDR" AND winmessage IN ("HKCU\Environment /t 1 /v userinitmprlogonscript /d cscripT -e:jsCript %APPDATA%\ Microsoft\D30F38D93CA9185.txt")
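The queries above match the IOCs as exact strings. The following is an added example (not Gurucul's or Trend Micro's code) that runs the same indicators over constructed sample telemetry and goes one step further on the CommandLine IOC: instead of matching the full string, it looks for the underlying persistence technique, a write to the HKCU\Environment UserInitMprLogonScript value whose data launches a script host with the JScript engine forced via -e:jscript, matched case-insensitively so the mixed-case "cscripT -e:jsCript" in the sample and plain-case variants both trigger. Event field names (event_id, command_line, url, sha256, sender, recipient) are assumptions for a generic normalised event, not Gurucul's schema; the IOC values are the ones listed on this page and the benign entries are invented for contrast.

```python
"""Triage helper for the More_eggs IOCs above (added example, not page code)."""
import re
from urllib.parse import urlparse

# Indicators copied from the advisory's IOC list.
IOC_DOMAINS = {"johncboins.com", "raysilkman.com"}
IOC_SHA256 = {
    "ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4",
    "f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0",
    "3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271",
}
IOC_EMAILS = {"fayereed11@gmail.com"}

# Behavioural rule distilled from the CommandLine IOC: a write to the
# HKCU\Environment\UserInitMprLogonScript value (Windows logon-script
# persistence) whose data runs cscript/wscript with -e:jscript.
# IGNORECASE because the sample mixes case ("cscripT -e:jsCript"), which an
# exact-string rule such as Detection Query 4 must reproduce to the letter.
LOGON_SCRIPT_RE = re.compile(
    r"HKCU\\Environment\b.*?/v\s+userinitmprlogonscript\b.*?"
    r"\b[cw]script(?:\.exe)?\b.*?-e:jscript\b",
    re.IGNORECASE,
)


def _host_matches(url: str) -> bool:
    """True if the URL's host is an IOC domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def evaluate(event: dict) -> list:
    """Return the names of the rules this event triggers (empty if none)."""
    hits = []
    if event.get("event_id") == 4688 and LOGON_SCRIPT_RE.search(
        event.get("command_line", "")
    ):
        hits.append("logon_script_jscript_persistence")
    if event.get("url") and _host_matches(event["url"]):
        hits.append("c2_domain")
    if event.get("sha256", "").lower() in IOC_SHA256:
        hits.append("known_hash")
    for field in ("sender", "recipient"):
        if event.get(field, "").lower() in IOC_EMAILS:
            hits.append("phishing_sender")
            break
    return hits


# Constructed sample telemetry (assumed field names). e1 carries the page's
# CommandLine IOC verbatim; e2 is a benign script-host launch for contrast.
SAMPLE_EVENTS = [
    {"id": "e1", "event_id": 4688, "command_line":
        r'HKCU\Environment /t 1 /v userinitmprlogonscript /d cscripT '
        r'-e:jsCript "%APPDATA%\ Microsoft\D30F38D93CA9185.txt"'},
    {"id": "e2", "event_id": 4688,
     "command_line": r"cscript.exe //nologo C:\scripts\inventory.vbs"},
    {"id": "e3", "url": "http://36hbhv.johncboins.com/fjkabrhhg"},
    {"id": "e4", "sha256":
        "CCF8276B55398030B6B7269136C5EE26A5C422D68793DC9EC5ADEE79A057C7F4"},
    {"id": "e5", "sender": "fayereed11@gmail.com",
     "recipient": "recruiting@example.com"},
    {"id": "e6", "url": "https://www.example.com/careers"},
]


def run_samples() -> dict:
    """Map each sample event id to the rules it triggered."""
    return {e["id"]: evaluate(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for event_id, hits in run_samples().items():
        print(event_id, "->", hits or "clean")
```

The hash and domain checks normalise case and match subdomains, so the two johncboins.com hostnames on the page are caught by one entry; the registry rule is the part worth keeping beyond this incident, since the value name, not the file name in %APPDATA%, is what the technique depends on.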

    Reference: 

    https://www.trendmicro.com/en_us/research/24/i/mdr-in-action--preventing-the-moreeggs-backdoor-from-hatching--.html


    Tags: Malware, Phishing, Backdoor, Financial Services