SpicyOmelette is malware that the threat group ITG08 has actively used to attack multinational organizations. The group targets specific employees with spear-phishing emails containing fake job advertisements and deploys the More_eggs JScript backdoor, also known as Terra Loader or SpicyOmelette. GOLD KINGSWOOD, an associated entity, delivers SpicyOmelette through a phishing email containing a shortened link that appears to be a PDF attachment. When clicked, the link redirects the system via Google App Engine to a GOLD KINGSWOOD-controlled Amazon Web Services (AWS) URL that installs a signed JavaScript file: SpicyOmelette itself.
The access provided by SpicyOmelette allows threat actors to escalate privileges on a compromised system by stealing account credentials, surveying the environment, identifying high-value systems such as payment gateways and ATM systems, and deploying malware built specifically for those systems. Furthermore, SpicyOmelette can pass parameters to a legitimate Microsoft utility, enabling the execution of arbitrary JavaScript on the compromised system and bypassing many application-whitelisting defenses. This makes it a potent tool for GOLD KINGSWOOD, providing an ideal foothold on targeted systems.
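As an added example for defenders (not code from the CTU analysis or from the page), the following Python correlator scans constructed web-proxy log entries for the delivery chain described above: a client follows a redirect from a Google App Engine host to an AWS-hosted `.js` file and then fetches it. The `.appspot.com` and `.amazonaws.com` hosting suffixes, the 30-second follow window and all log contents are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed hosting suffixes for the redirect hop and the payload host.
APPENGINE_SUFFIX = ".appspot.com"
AWS_SUFFIX = ".amazonaws.com"
WINDOW = timedelta(seconds=30)  # assumed max gap between redirect and fetch

# Constructed sample log: (timestamp, client, requested URL, status, Location header)
SAMPLE_LOG = [
    ("2018-09-12T09:01:02", "10.0.0.21", "https://short.example/job-ad", 301,
     "https://job-offer-2018.appspot.com/view"),
    ("2018-09-12T09:01:03", "10.0.0.21", "https://job-offer-2018.appspot.com/view", 302,
     "https://s3.amazonaws.com/hr-docs-2018/DOC2018.js"),
    ("2018-09-12T09:01:04", "10.0.0.21", "https://s3.amazonaws.com/hr-docs-2018/DOC2018.js", 200, ""),
    # Benign traffic: a .js from AWS with no App Engine redirect, and an App Engine API call.
    ("2018-09-12T09:05:00", "10.0.0.44", "https://s3.amazonaws.com/cdn/app.js", 200, ""),
    ("2018-09-12T09:07:11", "10.0.0.44", "https://myapp.appspot.com/api", 200, ""),
]

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _is_js(url):
    return urlparse(url).path.lower().endswith(".js")

def find_delivery_chains(events):
    """Return one finding per client whose traffic shows an App Engine 3xx
    redirect pointing at an AWS-hosted .js that the same client then fetched
    successfully within WINDOW. Benign single hops are not reported."""
    by_client = defaultdict(list)
    for ts, client, url, status, location in events:
        by_client[client].append((datetime.fromisoformat(ts), url, status, location))
    findings = []
    for client, rows in by_client.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, url, status, location) in enumerate(rows):
            if not (300 <= status < 400 and _host(url).endswith(APPENGINE_SUFFIX)):
                continue
            if not (_host(location).endswith(AWS_SUFFIX) and _is_js(location)):
                continue
            # Only alert if the redirect was actually followed and the script retrieved.
            for t1, url2, status2, _ in rows[i + 1:]:
                if t1 - t0 > WINDOW:
                    break
                if url2 == location and status2 == 200:
                    findings.append({"client": client, "redirector": url,
                                     "payload": location, "time": t1.isoformat()})
                    break
    return findings
```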
A Counter Threat Unit (CTU) analysis of one of GOLD KINGSWOOD's campaigns using SpicyOmelette (DOC2018.js) revealed additional sophisticated methods to compromise targets. These revelations underscore the advanced tactics, techniques, and procedures (TTPs) employed by these threat actors and highlight the urgent need for robust cybersecurity measures to protect against such threats.
Description last updated: 2023-09-07T22:44:42.446Z