More_eggs

Malware updated 4 months ago (2024-05-04T20:55:37.520Z)
More_eggs, also known as Golden Chickens, is a malware suite used by financially motivated cybercrime actors such as Cobalt Group and FIN6. This malware-as-a-service (MaaS) offering has been described as the "cyber weapon of choice" of Russia-based cyber gangs. It was first seen in email campaigns targeting Russian businesses as early as 2017; in 2019 its distribution expanded to campaigns aimed at job seekers with fake job offers. The identity of the malware provider, a Romanian man known as VENOM SPIDER, was uncovered by eSentire earlier this year.

The malware is delivered through a social engineering campaign in which the threat actor first approaches recruiters with benign content before infecting their machines with More_Eggs. Once installed, More_Eggs collects information about the victim's machine and serves as a downloader for additional malware payloads. It uses a fileless approach to evade anti-virus detection, which makes it particularly challenging to mitigate, and it abuses legitimate software functions to establish a backdoor and gather further information about the victim's system.

eSentire's Threat Response Unit (TRU) has discovered dangerous cyber threats and nation-state attacks associated with More_Eggs. Notably, the TRU found that More_Eggs was used in a scam involving fake LinkedIn job offers. During installation, the DLL drops the More_Eggs backdoor alongside a legitimate utility program and uses WMI to create an MSXSL process before deleting itself. Its evasion techniques include using a loop to retrieve the RC4 key needed to decrypt the More_Eggs backdoor and extending its execution time to avoid sandbox environments.
Description last updated: 2024-05-04T16:50:26.255Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
TA4557 | 2 | TA4557 is a malicious software (malware) that has been uniquely identified by cybersecurity firm Proofpoint due to its distinctive use of tools, campaign targeting, evasion measures, and controlled infrastructure. This malware is particularly notable for its sophisticated spear-phishing strategy, wh
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Cybercrime
Analyst Notes & Discussion
Source Document References
Information about the More_eggs Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | "Get Paid to Like Videos"? This YouTube Scam Leads to Empty Wallets | #youtubescams | #lovescams | #datingscams | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting
CERT-EU | 9 months ago | Hiring? New scam campaign means 'resume' downloads may contain malware
CERT-EU | 9 months ago | Fake Resumes, Real Malware: TA4557 Exploits Recruiters for Backdoor Access
CERT-EU | 9 months ago | Proofpoint Exposes Sophisticated Social Engineering Attack on Recruiters That Infects Their Computers With Malware
CERT-EU | 9 months ago | Recruiters, beware of cybercrooks posing as job applicants! - Help Net Security
CERT-EU | 9 months ago | TA4557 Targets Recruiters Directly via Email – Global Security Mag Online
InfoSecurity-magazine | 9 months ago | Threat Actor Targets Recruiters With Malware
CERT-EU | a year ago | Threat Response That Outpaces Cyberattacks
CERT-EU | a year ago | Ensuring Your Cybersecurity Success with SOCs and our TRU
CERT-EU | a year ago | Security Operations Center (SOC) | Security Operations Centers
CERT-EU | a year ago | OnlyDcRatFans: Malware Distributed Using Explicit Lures of OnlyFans…
MITRE | 2 years ago | ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
MITRE | 2 years ago | More_eggs, Anyone? Threat Actor ITG08 Strikes Again
CERT-EU | a year ago | A new threat to financial organizations has appeared in cyberspace: the OCX#HARVESTER campaign
CERT-EU | a year ago | BatLoader Impersonates Midjourney, ChatGPT in Drive-by Cyberattacks
CERT-EU | a year ago | Researchers Identify Second Developer of 'Golden Chickens' Malware
CERT-EU | a year ago | Meet 'Jack' from Romania! Mastermind Behind Golden Chickens Malware
CERT-EU | a year ago | Researchers identify second developer behind Golden Chickens MaaS