The More_Eggs malware is a JavaScript backdoor that poses a significant threat to corporate networks. It is operated by the financially motivated Venom Spider group, also known as Golden Chickens, and is distributed under a Malware-as-a-Service (MaaS) model, so other threat actors can purchase and use it; its customers have included the cybercriminal groups FIN6 and the Cobalt Group. More_Eggs primarily targets corporate human resources departments by exploiting the trust they place in candidate correspondence, turning what looks like a legitimate job application into an attack vector. Routine job application emails thus become a primary source of system compromise.
The attacks begin with innocent-looking job application emails.
These emails typically carry a ZIP attachment addressed to the HR employee. The archive usually contains a harmless decoy image to appear legitimate, alongside a malicious Windows shortcut (LNK) file. When the shortcut is triggered it starts a multi-stage chain that ultimately deploys the More_Eggs backdoor, giving the attackers remote access to the system. Denwp Research analysts recently identified a More_Eggs sample named “Sebastian Hall.zip” that exemplifies the Venom Spider group’s current attack techniques.
This social engineering approach is effective because it matches the everyday workflow of the target, sidestepping the vigilance that security awareness training normally builds.
The impact of More_Eggs extends well beyond the initial compromise. The backdoor gives attackers a wide range of remote control capabilities: they can harvest detailed system information from infected machines and deploy additional payloads when needed. More_Eggs is designed to establish long-term persistence on targeted systems, creating an ongoing risk for affected organizations. HR departments that process many job applications every day are especially exposed. The malware’s polymorphic nature means each victim receives a unique payload, which complicates detection by traditional signature-based antivirus tools.
The infection chain begins when the victim opens the malicious LNK attachment. This triggers an obfuscated command line sequence. The script launches Microsoft Word as a decoy to distract the user while it carries out its malicious activity in the background. Through variable manipulation it builds a command that creates a configuration file, ieuinit.inf, which mimics a legitimate Windows file but contains encoded C2 URLs. Crucially, the script copies the legitimate Windows binary ieuinit.exe to the temporary directory and executes that trusted binary with hidden malicious command parameters, a living-off-the-land technique that abuses a legitimate system tool. The JavaScript payload itself uses anti-analysis techniques and server-side polymorphism to evade detection.
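One defender-side check for the chain described above, as an added example that is not the article's or Denwp Research's code: it scans constructed Sysmon-like process- and file-creation events and flags ieuinit.exe or ieuinit.inf appearing outside the Windows directory (assumed here to be the binary's legitimate location), which corresponds to the copy-to-temp step the text describes. The event field names and sample paths are assumptions.

```python
import json
import ntpath

# Constructed sample telemetry (not from a real host), one JSON event per line.
# The second and third lines model the copy-to-temp step described above.
SAMPLE_EVENTS = r"""
{"event":"process_create","image":"C:\\Windows\\System32\\ieuinit.exe","parent":"C:\\Windows\\explorer.exe"}
{"event":"file_create","path":"C:\\Users\\hr\\AppData\\Local\\Temp\\ieuinit.inf","process":"C:\\Windows\\System32\\cmd.exe"}
{"event":"process_create","image":"C:\\Users\\hr\\AppData\\Local\\Temp\\ieuinit.exe","parent":"C:\\Windows\\System32\\cmd.exe"}
{"event":"process_create","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","parent":"C:\\Windows\\System32\\cmd.exe"}
"""

# Assumed legitimate home of the binary and its INF: anywhere under the Windows directory.
WINDOWS_DIR = "c:\\windows\\"
WATCHED = {"ieuinit.exe", "ieuinit.inf"}


def _norm(path):
    """Normalise separators and case so path prefix checks are reliable."""
    return path.replace("/", "\\").lower()


def detect(events_text):
    """Return (rule, path) hits for watched files seen outside the Windows directory."""
    hits = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "process_create":
            path = _norm(ev["image"])
        elif ev["event"] == "file_create":
            path = _norm(ev["path"])
        else:
            continue
        name = ntpath.basename(path)
        if name in WATCHED and not path.startswith(WINDOWS_DIR):
            # e.g. ieuinit_exe_outside_windows_dir
            hits.append((name.replace(".", "_") + "_outside_windows_dir", path))
    return hits


if __name__ == "__main__":
    for rule, path in detect(SAMPLE_EVENTS):
        print(rule, path)
```

The first event (ieuinit.exe running from System32) is deliberately benign and must not fire, so the rule stays quiet on ordinary use of the binary.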