MDR in Action: Preventing The More_eggs Backdoor From Hatching
Oct. 1, 2024, 10:22 a.m.
Description
A spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive; a recruitment officer then downloaded a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when it was opened, leading to the download and execution of the more_eggs backdoor. The malware performed system checks and communicated with a command-and-control server. Trend Micro's MDR team identified and contained the threat using the Trend Vision One platform, isolating the infected host and blocking the indicators. The incident is part of a broader campaign using the Golden Chickens malware toolkit, with two variations observed targeting various industries, particularly those with financial resources.
Date
Published: Oct. 1, 2024, 10:12 a.m.
Created: Oct. 1, 2024, 10:12 a.m.
Modified: Oct. 1, 2024, 10:22 a.m.
Indicators
f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0
ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4
3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271
https://webmail.raysilkman.com
https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf
http://36hbhv.johncboins.com/fjkabrhhg
webmail.raysilkman.com
36hbhv.johncboins.com
1212055764.johncboins.com
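The description above ends with the MDR team isolating the host and blocking the indicators. The following is an added example (not code from the page or from Trend Micro) of the sweep an analyst would run with this page's hashes and hosts against endpoint telemetry: hash lookups, DNS and HTTP host matching, and a process-chain heuristic for the fake-resume execution step (a user-launched script interpreter, per the page's T1204, T1059.003 and T1059.007 entries). The telemetry records, field names and the process heuristic are constructed assumptions; the hashes and hostnames are the ones listed on this page.

```python
from __future__ import annotations

from urllib.parse import urlparse

# SHA-256 hashes listed on this page.
HASHES = {
    "f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0",
    "ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4",
    "3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271",
}

# Hostnames listed on this page; the URL indicators use the same hosts.
HOSTS = {
    "webmail.raysilkman.com",
    "36hbhv.johncboins.com",
    "1212055764.johncboins.com",
}

# Script interpreters covering the page's T1059.003 (cmd) and T1059.007 (JScript) entries.
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe"}


def normalize_host(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Host.' and 'host' compare equal."""
    return name.strip().rstrip(".").lower()


def host_matches(name: str) -> bool:
    """True if name is a listed host or a subdomain of one (never a mere suffix lookalike)."""
    h = normalize_host(name)
    return any(h == ioc or h.endswith("." + ioc) for ioc in HOSTS)


def url_host(url: str) -> str:
    """Extract the normalized hostname from a URL; empty string if none."""
    return normalize_host(urlparse(url).hostname or "")


def check_event(ev: dict) -> list[str]:
    """Return the reasons a single telemetry record matches; empty list if clean."""
    reasons: list[str] = []
    kind = ev.get("type")
    if kind == "file" and ev.get("sha256", "").lower() in HASHES:
        reasons.append(f"file hash {ev['sha256'][:12].lower()}... is a listed sample")
    elif kind == "dns" and host_matches(ev.get("query", "")):
        reasons.append(f"DNS query for listed host {normalize_host(ev['query'])}")
    elif kind == "http" and host_matches(url_host(ev.get("url", ""))):
        reasons.append(f"HTTP request to listed host {url_host(ev['url'])}")
    elif kind == "process":
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
        cmdline = ev.get("cmdline", "").lower()
        # Heuristic (an assumption, not a rule stated on the page): a user double-click
        # (explorer.exe parent) starting a script interpreter with a command line that
        # points into a Downloads folder fits the "recruiter opens a fake resume" step.
        if image in INTERPRETERS and parent == "explorer.exe" and "\\downloads\\" in cmdline:
            reasons.append(f"{image} launched from explorer.exe with a Downloads path")
    return reasons


def sweep(events: list[dict]) -> dict[str, list[str]]:
    """Group match reasons by hostname so the analyst sees which hosts to isolate."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        for reason in check_event(ev):
            hits.setdefault(ev["host"], []).append(reason)
    return hits


# Constructed sample telemetry (not real logs): one host replays the described chain,
# a second host only has benign or lookalike activity and must not be flagged.
SAMPLE_EVENTS = [
    {"type": "file", "host": "HR-LAPTOP-07", "path": r"C:\Users\recruiter\Downloads\resume.zip",
     "sha256": "F2196309BC97E22447F6E168A9AFBBB4291EDD1CCA51BF3789939C3618A63EC0"},
    {"type": "process", "host": "HR-LAPTOP-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\recruiter\Downloads\resume\open.cmd"'},
    {"type": "dns", "host": "HR-LAPTOP-07", "query": "36hbhv.johncboins.com."},
    {"type": "http", "host": "HR-LAPTOP-07",
     "url": "https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf"},
    {"type": "dns", "host": "FIN-DESK-02", "query": "johncboins.com.example.net"},
    {"type": "dns", "host": "FIN-DESK-02", "query": "login.microsoftonline.com"},
    {"type": "process", "host": "FIN-DESK-02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c gpupdate /force"},
]

if __name__ == "__main__":
    for host, reasons in sweep(SAMPLE_EVENTS).items():
        print(f"{host}: isolate; {len(reasons)} indicator(s) matched")
        for r in reasons:
            print("  -", r)
```

Host matching is deliberately exact-or-subdomain rather than substring, so a lookalike such as `johncboins.com.example.net` does not produce a false positive, and trailing dots and case differences in DNS telemetry are normalized before comparison. The process heuristic is only a triage signal; in a real hunt it would be confirmed against the hash and network hits on the same host.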
Attack Patterns
SpicyOmelette
Terra Loader
SKID
More_eggs - S0284
FIN6
T1124
T1059.003
T1547.001
T1012
T1059.007
T1071.001
T1082
T1057
T1105
T1204
T1033
T1027
T1566
Additional Information
Engineering
Hospitality
Finance
Russian Federation