More_eggs is Back
More_eggs is back and Targeting Corporate Recruiters
More_eggs was initially incubated in October of 2018 as malware used to open a backdoor on Windows systems. Notorious threat actors such as the Cobalt Group, Evilnum, and FIN6 used it to target financial, pharmaceutical, retail, and entertainment companies. Social engineering, such as spear-phishing or impersonating online recruiters, was used to lure unsuspecting victims into downloading more_eggs. Recently, eSentire's Threat Response Unit discovered that a group known as Golden Chickens (a.k.a. Venom Spider) has repurposed more_eggs and is targeting online recruiters via LinkedIn.
A Breakdown of Functionality
Posing as job seekers, the attackers approach recruiters and send a malicious .lnk file disguised as a resume. A .lnk file is not inherently harmful: it is a Windows shortcut that points at another file, application, or web page, and its target, including any command-line arguments, can be set in the file's Properties dialog or written directly into the file. In the case of more_eggs, the shortcut's target is "C:\Windows\system32\conhost.exe 0xffffffff -ForceV1". The path points at conhost.exe, the Windows console host binary, and the rest of the line is handed to it as arguments.
In normal use the console host draws the command-line window the user sees, and an unexpected window would tip off the victim, so the malware has to avoid one. The first argument, 0xffffffff, is the integer -1 written in hexadecimal, the value Windows uses for an invalid handle, and the pair "0xffffffff -ForceV1" is exactly the argument string Windows itself passes when it starts conhost.exe alongside any console program. A conhost.exe started this way from a shortcut is therefore indistinguishable by its command line from the many legitimate console hosts running on a typical machine: signature-based tooling that keys on the command line has nothing unusual to match, and the user sees no window they did not expect.
The -ForceV1 switch likewise belongs to conhost.exe itself: it selects the legacy (version 1) console host behaviour. It has nothing to do with Windows PowerShell 1.0, which is a separate program; it appears here only because it is part of the standard conhost launch line.
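To make the shortcut analysis concrete, here is an added Python example (not code from the original post or from the eSentire research) that parses a .lnk file according to the MS-SHLLINK layout, extracts the target path, relative path, arguments and window mode, and applies the checks described above: a document-looking double extension, a conhost.exe target, the "0xffffffff -ForceV1" launch line, and a minimised start window. The sample shortcut is constructed in memory for the demonstration, and the file name, the list of document extensions and the triage rules are my own assumptions, not indicators taken from the campaign.

```python
"""Parse a Windows Shell Link (.lnk) and triage it for the traits discussed above.

Added example for this article; not code from the original post. The sample
shortcut built below is constructed in memory, not a real more_eggs file.
"""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit

SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # start minimised without focus: keeps the window off-screen

STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed set of extensions a file posing as a "resume" would plausibly carry.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "rtf", "txt"}


def _read_string_data(data, pos, is_unicode):
    """StringData item: uint16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if is_unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252"), pos + count


def parse_lnk(data):
    """Return the fields an analyst cares about from raw .lnk bytes."""
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid_raw) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, 0x3C)  # ShowCommand field
    fields = {"show_command": show_command}
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size  # skip the shell item ID list
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            # LocalBasePath: NUL-terminated ANSI path, the "Target" shown in Properties
            end = data.index(b"\x00", pos + base_off)
            fields["local_base_path"] = data[pos + base_off:end].decode("cp1252")
        pos += li_size
    is_unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], pos = _read_string_data(data, pos, is_unicode)
    return fields


def triage(filename, fields):
    """Apply the heuristics from the article; returns human-readable findings."""
    findings = []
    stem = filename.lower().rsplit(".lnk", 1)[0]
    if "." in stem and stem.rsplit(".", 1)[1] in DOCUMENT_EXTENSIONS:
        findings.append("double extension: shortcut posing as a document")
    launch = " ".join(fields.get(k, "") for k in
                      ("local_base_path", "relative_path", "arguments")).lower()
    if "conhost.exe" in launch:
        findings.append("target is conhost.exe, the console host, launched straight from a shortcut")
    if "0xffffffff" in launch and "-forcev1" in launch:
        findings.append("arguments reproduce the system's own conhost launch line (0xffffffff -ForceV1)")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7: window starts minimised and unfocused")
    return findings


def build_sample_lnk(relative_path, arguments, show_command):
    """Construct a minimal Unicode .lnk carrying only RELATIVE_PATH and arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\..\Windows\System32\conhost.exe",
                              "0xffffffff -ForceV1", SW_SHOWMINNOACTIVE)
    for finding in triage("Jane_Doe_Resume.pdf.lnk", parse_lnk(sample)):
        print("-", finding)
```

Run it against a real shortcut with `parse_lnk(open(path, "rb").read())`; the LinkInfo branch recovers the absolute target that Properties displays, while the constructed sample exercises only the relative-path and argument strings.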
This technique is known as living off the land, and the abused executables as LOLBins (living-off-the-land binaries): fileless tradecraft that abuses tools already installed on the system. Because these binaries are signed Microsoft utilities that normal Windows operation uses constantly, the processes hide in plain sight and are difficult to distinguish from legitimate activity. They inherit whatever privileges the victim already holds, and the actor uses them as the foothold through which the backdoor is established.
Additional LOLbins Used by More_eggs
- Used for general command-line prompts
- Accesses the Windows Management Instrumentation Command-Line utility, the management infrastructure for Windows-based operating systems
- Essential for the command prompt to be operational
- Interfaces CMD.exe with File Explorer, giving users the ability to drag files and folders into the command line
- Used for XSL transformations executed from the command line
- Used for various Internet Explorer installs or repairs
- Loads 32-bit Dynamic Link Libraries that are shared by multiple programs at once
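Because the conhost launch line is identical to the one Windows produces for every console program, a detection keyed on the command line alone fires on every console host on the box. The following added Python example (not code from the original post) runs two rules over constructed process-creation records in the style of Sysmon Event ID 1: a naive command-line match, and a parent-aware heuristic. The heuristic rests on an assumption stated in the code: conhost.exe is normally created by the console program it hosts, so a conhost whose parent is the desktop shell (explorer.exe) is the signature of a user double-clicking a shortcut that points straight at it. The records, PIDs and paths are constructed for illustration, not real telemetry.

```python
"""Triage constructed process-creation records for shortcut-launched conhost.exe.

Added example for this article, not code from the original post. The records
are constructed, not real telemetry, and the parent-process heuristic is an
assumption: conhost.exe is normally spawned by the console program it serves.
"""
import ntpath

CONHOST_LAUNCH_LINE = "0xffffffff -forcev1"

# Constructed Sysmon Event ID 1 style records: image, parent image, command line.
EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe"'},
    # conhost spawned for that cmd.exe: the normal case, parent is the console program
    {"pid": 4108, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\System32\conhost.exe 0xffffffff -ForceV1"},
    # conhost started by explorer.exe: the user opened a shortcut that targets it
    {"pid": 5220, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"C:\Windows\System32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 5230, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" resume.txt'},
]


def _base(path):
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def naive_command_line_matches(events):
    """Rule keyed on the command line alone: matches every conhost on the host."""
    return [e["pid"] for e in events
            if CONHOST_LAUNCH_LINE in e["command_line"].lower()]


def shortcut_launched_conhost(events, shell_parents=("explorer.exe",)):
    """Heuristic (assumption): a conhost.exe whose parent is the desktop shell rather
    than a console program was most likely started directly from a shortcut."""
    return [e["pid"] for e in events
            if _base(e["image"]) == "conhost.exe"
            and _base(e["parent_image"]) in shell_parents]


if __name__ == "__main__":
    print("command-line rule fires on PIDs:", naive_command_line_matches(EVENTS))
    print("parent-aware rule fires on PIDs:", shortcut_launched_conhost(EVENTS))
```

The command-line rule returns both conhost records, the benign one included, while the parent-aware rule isolates the shortcut-launched instance; in production the shell parent list should be tuned to the environment, since other launchers can legitimately start shortcuts.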
Don’t Get Scrambled
Teams must be vigilant when receiving files from unknown or untrusted sources, and meticulous when inspecting the file types, extensions, and icons of attachments: a shortcut wearing a document icon is still a shortcut. Proper education and training are the first line of defense against social engineering, which is commonly reported to lie behind 93% of successful data breaches. When in doubt, open the file in a sandbox or reach out to a BreachQuest expert. If you have concerns about the controls in your environment, we are here to help. In case of an emergency, contact IR@breachquest.com