The Curious Case of an Egg-Cellent Resume

    Date: 12/03/2024

    Severity: High

    Summary

    In March 2024, an investigation revealed that a threat actor infected a user endpoint and pivoted to two servers in the environment. Initial access was gained through a job application lure: the victim downloaded a fake resume ZIP file and executed a malicious .lnk file. This triggered the use of ie4uinit.exe to side-load a malicious .inf file, which dropped and executed a malicious DLL via WMI. The attack culminated in a scheduled task and a WMI-spawned process launching JScript through msxsl.exe, delivering the final more_eggs payload to establish command-and-control communication. TA4557 has been active since 2018 as a sophisticated, financially motivated threat actor known for distributing the exclusive more_eggs backdoor, which is capable of profiling endpoints and delivering additional payloads.

    Indicators of Compromise (IOC) List

    Domains\Urls :

    johnshimkus.com

    annetterawlings.com

    mitchellspearman.com

    mikedecook.com

    davidopkins.com

    markqualman.com

    julienolsson.com

    wlynch.com

    johncboins.com

    christianvelour.com

    lisasierra.com

    jacksallay.com

    pin.howasit.com

    shehasgone.com

    IP Address :

    144.208.127.15

    172.96.139.82

    108.174.197.15

    Hash :

    ffc89a2026fa2b2364dd180ede662fa4ac161323388f3553b6d6e4cb2601cb1f
    
    b56d2e095dc6c2171e461ca737cbdc0a35de7f4729b31fe41258f9cbd81309a1
    
    408f1f982bef7ab5a79057eec4079e5e8d87a0ee83361c79469018b791c03e8f
    
    aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d
    
    4b8be22b23cd9098218a6f744baeb45c51b6fad6a559b01fe92dbb53c6e2c128
    
    4569c869047a092032f6eac7cf0547591a03a0d750a6b104a606807ea282d608
    
    a26379ad2eb9de44691da254182ca65fb32596fe1217fe4fbddb173f361a0a9b
    
    a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258
    
    95634a5c6a8290aaa9d287f28c7d22b3b7ca1cf974339fc89ea4d542fa2ec45a
    
    987ad23508239b58739279048cb850d5
    
    62ea63b720556bda73eaf95be7a282193d19aa4d
    
    fe63fdf34d66f1658e2c9227ac84adffaa2cbb8b689999d4d1ebc733fc5f0fce
    
    14c72c6c628104de0a93df124caa3e4a
    
    03bd5fa3fa4b06190b26762c4ea7b4e6ac615819
    
    bd3df53a397af4fe5e1441b2c91a6149bac9d26c94e46de9dbcbfa9b8647a935
    
    6a0ddc6b06db8f7fef1e8934347d150d
    
    6a8fed99d66e84524fc75c7bfe003dea750dab11
    
    29bc115b5ae8cf19578c1c6a6743c3e53b9247d8eb6c556bc9d056994c58835b
    
    bace25f5a53a4e6cde31fe2ca2bc39a9
    
    ac6521fa3b00f4e70ffb97ee1dfa895097d01dc8
    
    757e297137e8ed21622297ae8885740b5beb09bc07141cf8ce7b24dbd95bdaf0
    
    6886f4cce4041cf27dff8e2ecfbfd38d
    
    b68eaed2a653ca79b8ef0b261eb4047ced6e16f4
    
    6f12dc858631cf90cd4fef57fbb52675b8649d777c7f86384c6535da0a59ad67
    
    4fdbae9775a20dc33dec05e408c2a2ad
    
    3eaa51632f2beae23d9811b9ff91e31c91092177
    
    228cd867898ab0b81d31212b2da03cc3e349c9000dfb33e77410e2937cea8532
    
    cbe1f43ad7a19c97a521a662dd406a3fb345ae919271cefc694a71e55fe163f5

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\Urls :

    userdomainname like "christianvelour.com" or url like "christianvelour.com" or userdomainname like "shehasgone.com" or url like "shehasgone.com" or userdomainname like "pin.howasit.com" or url like "pin.howasit.com" or userdomainname like "davidopkins.com" or url like "davidopkins.com" or userdomainname like "mitchellspearman.com" or url like "mitchellspearman.com" or userdomainname like "johncboins.com" or url like "johncboins.com" or userdomainname like "annetterawlings.com" or url like "annetterawlings.com" or userdomainname like "johnshimkus.com" or url like "johnshimkus.com" or userdomainname like "mikedecook.com" or url like "mikedecook.com" or userdomainname like "markqualman.com" or url like "markqualman.com" or userdomainname like "julienolsson.com" or url like "julienolsson.com" or userdomainname like "wlynch.com" or url like "wlynch.com" or userdomainname like "lisasierra.com" or url like "lisasierra.com" or userdomainname like "jacksallay.com" or url like "jacksallay.com"

    IP Address :

    dstipaddress IN ("144.208.127.15","172.96.139.82","108.174.197.15") or ipaddress IN ("144.208.127.15","172.96.139.82","108.174.197.15") or publicipaddress IN ("144.208.127.15","172.96.139.82","108.174.197.15") or srcipaddress IN ("144.208.127.15","172.96.139.82","108.174.197.15")

    Hash 1:

    sha256hash IN ("ffc89a2026fa2b2364dd180ede662fa4ac161323388f3553b6d6e4cb2601cb1f","b56d2e095dc6c2171e461ca737cbdc0a35de7f4729b31fe41258f9cbd81309a1","408f1f982bef7ab5a79057eec4079e5e8d87a0ee83361c79469018b791c03e8f","aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d","a26379ad2eb9de44691da254182ca65fb32596fe1217fe4fbddb173f361a0a9b","408f1f982bef7ab5a79057eec4079e5e8d87a0ee83361c79469018b791c03e8f","fe63fdf34d66f1658e2c9227ac84adffaa2cbb8b689999d4d1ebc733fc5f0fce","bd3df53a397af4fe5e1441b2c91a6149bac9d26c94e46de9dbcbfa9b8647a935","29bc115b5ae8cf19578c1c6a6743c3e53b9247d8eb6c556bc9d056994c58835b","757e297137e8ed21622297ae8885740b5beb09bc07141cf8ce7b24dbd95bdaf0","6f12dc858631cf90cd4fef57fbb52675b8649d777c7f86384c6535da0a59ad67","228cd867898ab0b81d31212b2da03cc3e349c9000dfb33e77410e2937cea8532","cbe1f43ad7a19c97a521a662dd406a3fb345ae919271cefc694a71e55fe163f5")

    Hash 2:

    md5hash IN ("987ad23508239b58739279048cb850d5","14c72c6c628104de0a93df124caa3e4a","6a0ddc6b06db8f7fef1e8934347d150d","bace25f5a53a4e6cde31fe2ca2bc39a9","6886f4cce4041cf27dff8e2ecfbfd38d","4fdbae9775a20dc33dec05e408c2a2ad")

    Hash 3:

    sha1hash IN ("62ea63b720556bda73eaf95be7a282193d19aa4d","ac6521fa3b00f4e70ffb97ee1dfa895097d01dc8","3eaa51632f2beae23d9811b9ff91e31c91092177","b68eaed2a653ca79b8ef0b261eb4047ced6e16f4","6a8fed99d66e84524fc75c7bfe003dea750dab11","03bd5fa3fa4b06190b26762c4ea7b4e6ac615819")
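    To show how the IOC queries above behave against event data, here is an added Python example (not Gurucul's or The DFIR Report's code) that matches constructed sample events against a subset of the page's indicators, using the same field names as the queries (userdomainname, url, dstipaddress, sha256hash and so on). The sample events and the `scan` helper are assumptions for illustration. The example also shows why matching domains on a label boundary is preferable to a substring `like`: a substring match on "wlynch.com" would also fire on an unrelated host such as notwlynch.com, while a proper subdomain match still catches hosts under a listed domain.

```python
"""IOC matcher for the more_eggs advisory: added example, not the vendor's code."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators copied from the advisory above (a subset; same values as on the page).
IOC_DOMAINS = {
    "johnshimkus.com", "annetterawlings.com", "mitchellspearman.com",
    "mikedecook.com", "davidopkins.com", "markqualman.com", "julienolsson.com",
    "wlynch.com", "johncboins.com", "christianvelour.com", "lisasierra.com",
    "jacksallay.com", "pin.howasit.com", "shehasgone.com",
}
IOC_IPS = {"144.208.127.15", "172.96.139.82", "108.174.197.15"}
IOC_HASHES = {
    "ffc89a2026fa2b2364dd180ede662fa4ac161323388f3553b6d6e4cb2601cb1f",
    "408f1f982bef7ab5a79057eec4079e5e8d87a0ee83361c79469018b791c03e8f",
    "987ad23508239b58739279048cb850d5",
    "62ea63b720556bda73eaf95be7a282193d19aa4d",
}

# Hex digest length identifies the algorithm, which lets one list hold all three.
HASH_KIND_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_kind(value: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, None for anything else."""
    v = value.lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_KIND_BY_LENGTH.get(len(v))


def substring_like(value: str, ioc: str) -> bool:
    """What the SQL-style `like` in the queries does: plain substring containment."""
    return ioc in value.lower()


def domain_matches(host: str, ioc: str) -> bool:
    """Exact or subdomain match on a label boundary; avoids the substring false positive."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def match_event(event: Dict[str, str]) -> List[str]:
    """Return a list of 'field:indicator' hits for one event (empty if clean)."""
    hits: List[str] = []
    for field in ("userdomainname", "url"):
        value = event.get(field)
        if not value:
            continue
        # Reduce a full URL to its host before comparing against domain IOCs.
        host = (urlsplit(value).hostname or "") if "://" in value else value
        for ioc in sorted(IOC_DOMAINS):
            if domain_matches(host, ioc):
                hits.append(f"{field}:{ioc}")
    for field in ("dstipaddress", "srcipaddress", "ipaddress", "publicipaddress"):
        value = event.get(field)
        if value in IOC_IPS:
            hits.append(f"{field}:{value}")
    for field in ("md5hash", "sha1hash", "sha256hash"):
        value = event.get(field)
        # field[:-4] strips the trailing "hash" so the digest length must agree with the field.
        if value and value.lower() in IOC_HASHES and hash_kind(value) == field[:-4]:
            hits.append(f"{field}:{value.lower()}")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event id -> hits for every event that matched at least one indicator."""
    results: Dict[int, List[str]] = {}
    for event in events:
        hits = match_event(event)
        if hits:
            results[int(event["id"])] = hits
    return results


# Constructed sample events (assumed shape, not real telemetry).
SAMPLE_EVENTS = [
    {"id": "1", "userdomainname": "cdn.johnshimkus.com"},   # subdomain of a listed domain
    {"id": "2", "url": "https://notwlynch.com/jobs"},       # substring only, must not fire
    {"id": "3", "dstipaddress": "172.96.139.82"},           # listed C2 address
    {"id": "4", "sha256hash": "408F1F982BEF7AB5A79057EEC4079E5E8D87A0EE83361C79469018B791C03E8F"},
    {"id": "5", "md5hash": "00000000000000000000000000000000"},  # benign digest
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Event 2 illustrates the caveat: `substring_like("notwlynch.com", "wlynch.com")` is true, so the `url like "wlynch.com"` clause in the query above would alert on it, whereas `domain_matches` does not. Hash comparison is case-insensitive and the digest length is checked against the field it arrived in, so an MD5 pasted into a sha256hash column is not silently accepted.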

    Reference:  

    https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/#indicators


    Tags

    Malware, TA4557
