MDR in Action: Preventing The More_eggs Backdoor From Hatching
Oct. 1, 2024, 10:22 a.m.
Description
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when it was opened. This resulted in the download and execution of the more_eggs backdoor. The malware performed system checks and communicated with a command-and-control server. Trend Micro's MDR team quickly identified and contained the threat using the Vision One platform, isolating the infected host and blocking the indicators. The incident is part of a broader campaign using the Golden Chickens malware toolkit, with two variations observed targeting various industries, particularly those with financial resources.
Tags
Date
- Created: Oct. 1, 2024, 10:12 a.m.
- Published: Oct. 1, 2024, 10:12 a.m.
- Modified: Oct. 1, 2024, 10:22 a.m.
Indicators
- f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0
- ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4
- 3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271
- https://webmail.raysilkman.com
- https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf
- http://36hbhv.johncboins.com/fjkabrhhg.
- http://36hbhv.johncboins.com/fjkabrhhg
- webmail.raysilkman.com
- 36hbhv.johncboins.com
- 1212055764.johncboins.com
Attack Patterns
- SpicyOmelette
- Terra Loader
- SKID
- More_eggs - S0284
- FIN6
- T1124
- T1059.003
- T1547.001
- T1012
- T1059.007
- T1071.001
- T1082
- T1057
- T1105
- T1204
- T1033
- T1027
- T1566
Additional Information
- Engineering
- Hospitality
- Finance
- Russian Federation