
More_Eggs Backdoor

Summary

More_Eggs is a backdoor in use by several threat groups. It is mainly delivered through spear phishing emails and makes heavy use of legitimate processes to evade detection.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

More_Eggs is a backdoor that targets LinkedIn users with spear phishing emails and evades detection by using standard Windows processes.


Delivery

More_Eggs is delivered through fake job offer emails with ZIP attachments. The attachment filenames are personalised based on the job title in the user’s LinkedIn profile. More_Eggs may also be delivered through more generic spam campaigns.


Activities

When the malicious attachment is executed, legitimate Windows processes are hijacked while a fake document is displayed to the user. MSXSL, a Microsoft utility used to perform Extensible Stylesheet Language (XSL) transformations, is installed to the user’s profile directory. An ActiveX control containing the final payload is then downloaded and contacts a command and control (C2) server through the MSXSL process.

More_Eggs is sold through a Malware-as-a-Service arrangement and several threat groups have used it to steal data or install additional malware.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

Domain names

  • d27qdop2sa027t.cloudfront[.]net
  • ec2-13-58-146-177.us-east-2.compute.amazonaws[.]com

Host indicators

File hash (MD5):

  • 776c355a89d32157857113a49e516e74

Command lines:

  • cmd /v /c ipconfig /all > "C:\Users\<REDACTED>\AppData\Local\Temp\64813.txt" 2>&1
  • regsvr32 /s /u "C:\Users\<REDACTED>\AppData\Roaming\Microsoft\<REDACTED>.ocx"
  • sh = new ActiveXObject("Shell.Application")
  • sh.ShellExecute("msxsl.exe", "<REDACTED>.txt <REDACTED>.txt", "C:\Users\<REDACTED>\AppData\Roaming\Microsoft\", "", 0)
  • evlinum js: C:\Users\<REDACTED>\AppData\Roaming\Microsoft\57930.ocx
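A detection pass over process-creation events shaped like the command lines above, as an added example that is not part of this advisory: the sample events are constructed, the field names follow the Sysmon process-creation layout, and the user name and file names are placeholders. It flags msxsl.exe executing from a user profile, regsvr32 silently (un)registering an .ocx under AppData, and ipconfig output redirected into a Temp folder, while leaving a vendor .ocx under Program Files and a plain ipconfig call alone.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry); Image / CommandLine mirror
# Sysmon Event ID 1 fields, "alice" and the numeric file names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\Microsoft\msxsl.exe",
     "CommandLine": r"msxsl.exe 12345.txt 67890.txt"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s /u "C:\Users\alice\AppData\Roaming\Microsoft\57930.ocx"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /v /c ipconfig /all > "C:\Users\alice\AppData\Local\Temp\64813.txt" 2>&1'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\control.ocx"'},   # benign
    {"Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": r"ipconfig /all"},                                        # benign
]

# A path under <drive>:\Users\<name>\AppData\ - where More_Eggs drops msxsl and the .ocx
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
OCX_ARG = re.compile(r'"?([a-z]:\\[^"]+\.ocx)"?', re.IGNORECASE)
TEMP_REDIRECT = re.compile(r'>\s*"?[a-z]:\\users\\[^"]*\\temp\\', re.IGNORECASE)


def in_user_profile(path: str) -> bool:
    """True when the path sits under a user's AppData tree."""
    return bool(USER_PROFILE.match(path))


def classify(event: dict) -> list[str]:
    """Return the names of the More_Eggs-style behaviours one event matches."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    exe = PureWindowsPath(image).name.lower()
    hits = []
    # msxsl.exe is a legitimate Microsoft tool, but a copy running from AppData is not normal
    if exe == "msxsl.exe" and in_user_profile(image):
        hits.append("msxsl_from_user_profile")
    # silent (/s) registration or unregistration of an .ocx stored under the user's profile
    m = OCX_ARG.search(cmd)
    if exe == "regsvr32.exe" and m and in_user_profile(m.group(1)) and re.search(r"\s/s\b", cmd, re.I):
        hits.append("regsvr32_ocx_from_user_profile")
    # host reconnaissance written to a Temp folder, as in the advisory's cmd line
    if "ipconfig /all" in cmd.lower() and TEMP_REDIRECT.search(cmd):
        hits.append("ipconfig_redirected_to_temp")
    return hits


def scan(events) -> dict[int, list[str]]:
    """Map event index -> matched behaviours, only for events that match something."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Each rule fires on one of the advisory's command lines on its own; correlating all three on one host within a short window gives a much stronger signal than any single hit.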

Last edited: 6 April 2021 7:43 pm