| More_eggs | |
|---|---|
| Type of Malware | Backdoor |
| Country of Origin | Russia |
| Date of Initial Activity | 2017 |
| Targeted Countries | Georgia |
| Additional Names | SpicyOmlette |
| Associated Groups | Cobalt Group |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Financial Information |
Overview
More_eggs is a sophisticated and evolving suite of malware that has emerged as a notable threat in the cybersecurity landscape. First identified around 2017, More_eggs is characterized by its modular design and advanced evasion techniques, making it a versatile and persistent threat. It primarily targets financial institutions and cryptocurrency entities, leveraging a range of methods to infiltrate, exfiltrate, and exploit systems. The malware is notorious for its use of obfuscated code and complex infection chains, which enable it to bypass traditional security measures and evade detection.
The More_eggs suite is known for its multiple components, each with a distinct role in the attack chain. Initial infections often start with phishing emails containing malicious attachments or links. Once executed, More_eggs utilizes various tactics, including fileless techniques and living-off-the-land binaries (LOLbins), to establish a foothold on the victim’s system. These methods are designed to avoid detection by blending in with legitimate system processes and making it difficult for traditional security solutions to identify malicious activity.
Targets
Financial Institutions: More_eggs is known for targeting banks and financial service providers. Its sophisticated mechanisms are aimed at compromising financial systems, potentially leading to theft of sensitive financial data, unauthorized transactions, or disruption of services.
Cryptocurrency Exchanges and Wallet Providers: Cryptocurrency entities are a significant focus for More_eggs due to the high value and liquidity of digital assets. The malware seeks to exploit vulnerabilities in cryptocurrency exchanges and wallet providers to gain access to user accounts, steal funds, or manipulate transactions.
Corporate Entities with Financial Operations: Companies involved in financial transactions or handling significant amounts of financial data can also be targeted. More_eggs aims to exploit these organizations for financial gain, potentially through data theft or extortion.
How they operate
At the outset, More_eggs typically gains initial access through phishing tactics, leveraging deceptive emails or malicious attachments to lure unsuspecting users. This initial infection vector is crucial for setting the stage for the malware’s further activities. Once inside the target system, More_eggs employs command and scripting interpreters (T1059) to execute its payload. This execution phase is facilitated by scripting languages or command-line tools that allow the malware to carry out its operations with precision and stealth.
Persistence is a key element of More_eggs’ strategy. The malware ensures that it remains active on the infected system by modifying registry run keys or startup folders (T1547.001). This technique guarantees that More_eggs is executed every time the system boots, making its removal challenging. Additionally, the malware might exploit known vulnerabilities (T1203) to escalate its privileges, granting it greater control over the compromised system.
To avoid detection, More_eggs employs a range of defense evasion techniques. Obfuscation (T1027) is used to conceal the malware’s presence, making it harder for security solutions to identify and analyze its activities. In more advanced scenarios, the malware might utilize rootkits (T1014) to hide its presence and operations from both users and security software, further complicating efforts to detect and eradicate it.
Credential access is another critical component of More_eggs’ functionality. By performing credential dumping (T1003), the malware extracts stored credentials, which can then be used to gain additional access or move laterally within the network. This lateral movement is often achieved through tools such as Remote Desktop Protocol (RDP) (T1076), allowing the malware to expand its reach across connected systems.
In terms of data handling, More_eggs collects sensitive information, often targeting financial data or personal credentials. It may use techniques such as data staging (T1074) to organize and prepare collected data for exfiltration. This staged data is then transmitted to external servers controlled by the attackers, completing the exfiltration process.
Finally, More_eggs may affect the target system by encrypting data (T1486), effectively locking it and demanding a ransom for decryption. This tactic not only disrupts the victim’s operations but also adds financial pressure to resolve the situation.
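As an added illustration of the execution and persistence steps described above (not code from the original page or from any More_eggs analysis), the following Python triages exported Run-key entries the way a defender would: it flags autorun values that launch a script host or LOLbin or reference a script file, and notes when that payload sits in a user-writable directory. The script-host list, the regexes and the sample registry values are this example's own assumptions and constructed data, not real indicators.

```python
import re
from dataclasses import dataclass

# Script hosts/LOLbins used for fileless execution (example's own list, not from the page).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "regsvr32.exe", "rundll32.exe", "cmd.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|hta|wsf|ps1)\b")
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\")

@dataclass
class RunKeyEntry:
    key: str      # registry path, e.g. HKCU\...\CurrentVersion\Run
    name: str     # value name
    command: str  # value data: the command line launched at logon

def launched_binary(command: str) -> str:
    """Lower-cased file name of the first token of a command line."""
    cmd = command.strip()
    if cmd.startswith('"'):  # quoted path, may contain spaces
        end = cmd.find('"', 1)
        token = cmd[1:end] if end > 0 else cmd[1:]
    else:
        token = cmd.split(None, 1)[0] if cmd else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_entry(entry: RunKeyEntry) -> list[str]:
    """Reasons an autorun entry looks like T1547.001 persistence for a T1059 script payload."""
    lowered = entry.command.lower()
    exe = launched_binary(entry.command)
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"launches script host/LOLbin {exe}")
    if SCRIPT_EXT.search(lowered):
        reasons.append("references a script file")
    if not reasons:
        return []  # a user-writable path alone is normal for per-user installs
    if USER_WRITABLE.search(lowered):
        reasons.append("payload under a user-writable directory")
    return reasons

def triage_run_keys(entries: list[RunKeyEntry]) -> list[dict]:
    return [{"key": e.key, "name": e.name, "reasons": r}
            for e in entries if (r := triage_entry(e))]

# Constructed sample entries (not real More_eggs indicators).
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    RunKeyEntry(RUN, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunKeyEntry(RUN, "Updater", r'wscript.exe //B //E:jscript "C:\Users\alice\AppData\Roaming\upd.txt"'),
]
```

The benign OneDrive value is deliberately left unflagged even though it lives under AppData, since a user-writable path by itself is common for legitimate per-user installs.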
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566): More_eggs often uses phishing emails or malicious attachments to gain initial access to the target’s network.
Execution:
Command and Scripting Interpreter (T1059): The malware may use scripting languages or command-line interfaces to execute its payload and establish control.
Persistence:
Registry Run Keys / Startup Folder (T1547.001): More_eggs modifies registry keys or startup folders to ensure execution on system boot.
Privilege Escalation:
Exploitation of Vulnerabilities (T1203): The malware may exploit known vulnerabilities in the system or software to escalate privileges.
Defense Evasion:
Obfuscated Files or Information (T1027): More_eggs uses obfuscation techniques to hide its presence and avoid detection.
Rootkits (T1014): The malware may use rootkits to conceal its activities and maintain a hidden presence.
Credential Access:
Credential Dumping (T1003): More_eggs extracts stored credentials from the system to gain further access.
Discovery:
Network Service Scanning (T1046): The malware scans for network services and open ports to identify other devices or systems.
Lateral Movement:
Remote Desktop Protocol (RDP) (T1076): More_eggs uses RDP or other remote access tools to move laterally within the network.
Collection:
Data from Information Repositories (T1213): The malware collects sensitive information, including financial data or credentials.
Exfiltration:
Data Staged (T1074): The collected data is staged and then exfiltrated to external servers controlled by the attackers.
Impact:
Data Encryption (T1486): In some cases, More_eggs encrypts data to lock it and demand ransom.