1. Home
  2. Software
  3. More_eggs

More_eggs

More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. [1][2]

ID: S0284
Associated Software: SKID, Terra Loader, SpicyOmelette
Type: MALWARE
Platforms: Windows
Contributors: Drew Church, Splunk
Version: 3.1
Created: 17 October 2018
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description
SKID

[3]
Terra Loader

[2][4]
SpicyOmelette

[2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1573 .001 加密通道: Symmetric Cryptography

More_eggs has used an RC4-based encryption method for its C2 communications.[2]
Enterprise T1140 反混淆/解码文件或信息

More_eggs will decode malware components that are then dropped to the system.[2]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

More_eggs has used cmd.exe for execution.[2][5]
Enterprise T1071 .001 应用层协议: Web Protocols

More_eggs uses HTTPS for C2.[1][2]
Enterprise T1132 .001 数据编码: Standard Encoding

More_eggs has used basE91 encoding, along with encryption, for C2 communication.[2]
Enterprise T1027 .013 混淆文件或信息: Encrypted/Encoded File

More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.[5]
Enterprise T1070 .004 移除指标: File Deletion

More_eggs can remove itself from a system.[1][2]
Enterprise T1218 .010 系统二进制代理执行: Regsvr32

More_eggs has used regsvr32.exe to execute the malicious DLL.[2]
Enterprise T1082 系统信息发现

More_eggs has the capability to gather the OS version and computer name.[1][2]
Enterprise T1033 系统所有者/用户发现

More_eggs has the capability to gather the username from the victim's machine.[1][2]
Enterprise T1016 系统网络配置发现

More_eggs has the capability to gather the IP address from the victim's machine.[1]
.001 Internet Connection Discovery

More_eggs has used HTTP GET requests to check internet connectivity.[2]
Enterprise T1518 .001 软件发现: Security Software Discovery

More_eggs can obtain information on installed anti-malware programs.[1]
Enterprise T1105 输入工具传输

More_eggs can download and launch additional payloads.[1][2]
Enterprise T1553 .002 颠覆信任控制: Code Signing

More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.[2]

Groups That Use This Software

ID Name References
G0120 Evilnum

[5]
G0037 FIN6

[2][4]
G0080 Cobalt Group

[1][3]

References

  1. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  2. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  3. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  1. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  2. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.