SpicyOmelette

Malware Profile Updated 2 months ago
SpicyOmelette is malware that the threat group ITG08 has actively used to attack multinational organizations. The group targets specific employees with spear-phishing emails containing fake job advertisements and deploys the More_eggs JScript backdoor, also known as Terra Loader or SpicyOmelette.

GOLD KINGSWOOD, an associated entity, delivers SpicyOmelette through a phishing email containing a shortened link that appears to be a PDF attachment. When clicked, the link redirects the system via Google AppEngine to a GOLD KINGSWOOD-controlled Amazon Web Services (AWS) URL, which installs a signed JavaScript file: SpicyOmelette itself.

The access SpicyOmelette provides lets the threat actors escalate privileges on a compromised system by stealing account credentials, surveying the environment, identifying high-value systems such as payment gateways and ATM systems, and deploying malware built specifically for those systems. SpicyOmelette can also pass parameters to a legitimate Microsoft utility, which lets it execute arbitrary JavaScript on the compromised system and bypass many application-whitelisting defenses. This makes it a potent tool for GOLD KINGSWOOD and an ideal foothold on targeted systems.

A Counter Threat Unit (CTU) analysis of one GOLD KINGSWOOD campaign that used SpicyOmelette (DOC2018.js) revealed additional sophisticated methods of compromising targets. These findings underscore the advanced tactics, techniques, and procedures (TTPs) these actors employ and the need for robust defenses against them.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
More_eggs | 1 | More_eggs, also known as Golden Chickens, is a malware suite utilized by financially motivated cybercrime actors such as Cobalt Group and FIN6. This malware-as-a-service (MaaS) offering has been identified as the "cyber weapon of choice" by Russia-based cyber gangs. It was first seen in email campai
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Exploit
Loader
Malware
Phishing
exploitation
Aws
Associated Malware
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
GOLD KINGSWOOD | Unspecified | 1 | Gold Kingswood is an advanced persistent cybercrime group that has been successfully targeting financial organizations since at least 2016. The group is highly sophisticated, financially motivated, and uses a tool called SpicyOmelette during initial exploitation of an organization. Once installed, S
ITG08 | Unspecified | 1 | ITG08 is a notable threat actor in the cybersecurity landscape, known for its malicious activities and strategic partnerships with other threat actors. This group has been linked to a series of attacks through Tactics, Techniques, and Procedures (TTPs) consistent with their known modus operandi. Whi
Associated Vulnerabilities
No associations to display
Source Document References
Information about the SpicyOmelette malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | More_eggs, Anyone? Threat Actor ITG08 Strikes Again
MITRE | a year ago | Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish