More_eggs Malware Report: What Is More_eggs and How Does It Work?

More_eggs is a JScript backdoor used by the Cobalt Group and FIN6. It has the ability to gather information on installed anti-malware programs, check for the presence of various antivirus tools, and download and launch additional payloads. It has been distributed via spearphishing emails containing a malicious link. 

More_eggs Malware Capabilities

The More_eggs adversary may attempt to collect information about security software, configurations, and sensors installed on a system or in a cloud environment. This information may be used to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. More_eggs may also use application layer protocols associated with web traffic to avoid detection and communicate with remote systems. Additionally, More_eggs may abuse various implementations of JavaScript for execution and may attempt to collect information about the operating system and hardware. Finally, 

More_eggs may use utilities present on the system to hide artifacts of an intrusion from analysis.More_eggs may attempt to gather information about systems they have access to, including IP and MAC addresses, account names, and installed software. They may use this information to determine whether or not to fully infect a system and/or what specific actions to take. More_eggs may also send spearphishing emails with links to malware in an attempt to gain access to victim systems. Once inside a system, More_eggs may delete files to cover their tracks, check for Internet connectivity, and abuse the Windows command shell for execution. They may also create, acquire, or steal code signing materials to sign their malware or tools.

• The More_eggs malware may attempt to get information on security measures that are in place on a system, including firewall rules and anti-virus software. It may communicate using application layer protocols associated with web traffic, and abuse various implementations of JavaScript for execution.
• The More_eggs malware may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture, in order to shape follow-on behaviors. More_eggs may also search local system sources for files of interest and sensitive data prior to Exfiltration. Finally, More_eggs may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.
• More_eggs may use Regsvr32.exe to proxy execution of malicious code. This binary is signed by Microsoft and may also be used to register and unregister object linking and embedding controls, including dynamic link libraries, on Windows systems. More_eggs may transfer tools or other files from an external system into a compromised environment.
• More_eggs may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net.
• More_eggs may collect details about a system's network configuration and settings, such as IP and MAC addresses, through information discovery of remote systems. They may also attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. More_eggs may use spearphishing emails with a malicious link in an attempt to gain access to victim systems.
• More_eggs may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment in order to shape follow-on behaviors. More_eggs may also delete files left behind by intrusion activity in order to minimize their footprint. Additionally, More_eggs may check for Internet connectivity on compromised systems.
• More_eggs may use social engineering to get users to click on malicious links, which can lead to code execution. More_eggs may also abuse the Windows command shell for execution, and may create, acquire, or steal code signing materials to sign their malware or tools.
• More_eggs may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system.

Ways to Mitigate More_eggs Malware Attacks

• The More eggs malware can be mitigated by using system and network discovery techniques to analyze data and events for unusual activity. Processes that do not normally communicate over the network or that have never been seen before may be suspicious. Additionally, monitor for events associated with scripting execution, such as process activity, file activity involving scripts, or loading of modules associated with scripting languages. These actions may be related to network and system information discovery, collection, or other post-compromise behaviors and could be used as indicators of detection leading back to the source.
• The More_eggs malware mitigation techniques involve system and network discovery, monitoring processes and command-line arguments, and detecting deobfuscation or decoding of files or information. These techniques can help to identify and prevent malicious activity related to the More_eggs malware.
• The More_eggs malware can be mitigated by monitoring the execution and arguments of regsvr32.exe, and comparing recent invocations with known good arguments and loaded files. Additionally, monitoring for file creation and files transferred into the network may help to detect suspicious activity.
• The More_eggs malware mitigation technique involves system and network discovery, which helps to identify potential malicious activity. URL inspection within email can also help to detect links leading to known malicious sites. Detonation chambers can be used to test these links and determine if they are potentially malicious.
• More_eggs malware mitigation: Various system and network discovery techniques may be employed by an adversary during an operation in order to learn about the environment and find potential targets. These techniques can include running native Windows functions and tools, as well as third-party utilities. Data and events should not be viewed in isolation, but as part of a bigger picture that could reveal malicious activity. Monitoring for deletion commands, known deletion tools, and other suspicious activity can help to detect and thwart More_eggs malware.
• The More_eggs malware is a serious threat that can be mitigated by taking some simple precautions. Firstly, users should be aware of phishing attempts and links to malicious sites. Secondly, usage of the Windows command shell should be restricted to administrator, developer, or power user systems. Thirdly, scripts should be captured from the file system in order to determine their actions and intent. Finally, signing certificate metadata should be collected and analyzed on software that executes within the environment.
• The More_eggs malware uses obfuscation to hide its activities, making detection difficult. However, it may be possible to detect the malicious activity that the More_eggs malware causes. With symmetric encryption, the algorithm and key used by the More_eggs malware can be obtained from samples and used to decode network traffic. This may help to detect communications signatures that are associated with the More_eggs malware. Additionally, analyzing network data for uncommon data flows can help to identify processes that may be associated with the More_eggs malware.

About Fin6 Threat Group

Fin6 is a cybercrime group that specializes stealing banking and credit card credentials to sell them in the black markert.