By Keegan Keplinger, Research and Reporting Lead, Threat Response Unit, eSentire
In March eSentire’s security research team, the Threat Response Unit (TRU), discovered that the stealthy more_eggs malware had re-emerged after being silent for nearly a year. More__eggs was being used in a phishing campaign where hackers were posing as job applicants and luring corporate hiring managers into downloading what they believed were resumes from potential candidates. However, the bogus documents contained the more_eggs malware.
More_eggs is malicious software that contains several components, including one that is engineered to steal valuable credentials, including usernames and passwords for corporate bank accounts, email accounts and IT administrator accounts. If a threat actor can obtain IT administration credentials for a company, they can easily exfiltrate data from the victim, spread their malware to other computer hosts within the organization’s network, via Microsoft TeamViewer, and encrypt a company’s files.
The Golden Chickens group (aka Venom Spider) is believed to be the threat operators behind more_eggs. Thus far this year, TRU has discovered and shut down four separate security incidents relating to more_eggs. The organizations attacked include a U.S.-based aerospace/defense company; a large UK-based CPA firm; an international business law firm based out of Canada; and a national Canadian staffing agency.
The 2022 More_Eggs Operation – a Déjà Vu of the 2021 LinkedIn More_Eggs Campaign?
Ironically, an eerily similar more_eggs campaign was uncovered by eSentire’s TRU in March 2021. However, during that campaign, rather than posing as hopeful job candidates sending poisoned resumes, the threat actors targeted professionals on LinkedIn seeking employment. They sent the job seekers .zip files disguised as job offers. When the targets opened the zip file, it led to the installation of more_eggs. The hackers tried enticing the targets into clicking on the zip file by naming it after the job seeker’s current job title and adding “position” at the end.
For example, if the LinkedIn member’s job was listed as ‘Senior Account Executive—International Freight,’ the malicious zip file would be titled ‘Senior Account Executive — International Freight position.’
TRU Disrupts More_Eggs Attacks Hitting an Aerospace/Defense Company, International Law Firm, International CPA Firm and National Staffing Agency
When TRU discovered and shut down the four more_eggs incidents this year, each incident involved a new variant of more_eggs.
TRU believes that the threat actors behind the 2022 more_ eggs campaign are not randomly targeting companies. For example, the CPA firm and the staffing agency, both list a job posting on Indeed.com and LinkedIn which match the title of the resume each hiring manager received. The aerospace/defense company also had a job listed on ZipRecruiter.com which matches the title of the fake resume received.
The Innerworkings of More_Eggs
More_eggs is a sophisticated suite of malware components. One of those components is VenomLink (a component used to trick the victim into installing TerraLoader). TerraLoader is an intermediate component used to install numerous modules designed to take malicious actions such as credential theft, lateral movement, and file encryption throughout a victim’s IT network. Here is a full breakdown:
- VenomLNK is a poisoned LNK file. Windows uses LNK files to automate program execution. More_eggs uses a maliciously written LNK file to execute TerraLoader by tricking the user into opening what they think is a document.
- TerraLoader loads the other modules from VenomLNK
- TerraPreter provides a Meterpreter (a Metasploit attack payload) shell in memory
- TerraStealer is an info stealing module used to exfiltrate sensitive data
- TerraTV allows threat actors to hijack TeamViewer for lateral movement
- TerraCrypt is a ransomware plugin for PureLocker ransomware, aka CR1 Ransomware, a lesser-known ransomware.
The social engineering method for the 2022 more_eggs campaign consisted of disguising a zipped copy of the VenomLNK malware as a job applicant’s resume. A benign PDF resume was included as well, which served as a decoy resume, while more_eggs installed TerraLoader.
As with previous more_eggs variants observed by TRU, the malware abuses legitimate Windows processes to evade detection, alongside a decoy document to trick users. With the incident involving the accounting firm, an employee of the firm received what they thought was a candidate’s resume. However, the resume was the VenomLNK malware. Once VenomLNK was executed, it proceeded to execute TerraLoader so that TerraLoader could load various information-stealing modules and intrusion modules belonging to the more_eggs suite. With the 2022 campaign however, there were two notable differences:
- In place of the previously abused Windows process,exe – which manages network connections – more_eggs was abusing ie4uinit.exe, another Windows Process, to load its malicious plugins.
- Rather than targeting hopeful candidates looking for work, the hackers targeted businesses looking for employees.
Protecting Against More_Eggs
“Thus far we are seeing threat campaigns, involving more_eggs, just a few times a year, unlike some other cyberthreats,” said Rob McLeod, Vice President of eSentire’s Threat Response Unit. “This, in addition to the campaigns’ spearphishing component, indicates to me that the threat actors using more_eggs, are extremely selective and patient. It is important that companies and public entities, especially those in critical infrastructure sectors, consider adopting the following security recommendations.”
Cybersecurity Protection Tips
- Security Awareness Training for All Employees. Security Awareness training should be mandated for all company employees. The training should ensure that employees:
- Avoid downloading and executing files from unverified sources. For example, be wary of Word and Excel documents sent from an unknown source or acquired from the Internet that prompts you to ‘Enable Macros’.
- Avoid free versions of paid software.
- Always inspect the full URL before downloading files to ensure it matches the source (e.g., Microsoft Team should come from a Microsoft domain).
- Inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.
- Ensure standard procedures are in place for employees to submit potentially malicious content for review
- Anti-virus isn’t enough. Malware that abuses Living Off the Land Binaries (LOLBins) bypass binary detection approaches. Therefore, Endpoint Detection and Response (EDR) agents need to be installed on all hosts. An EDR solution is a necessary technology for detecting threats such as more_eggs, and EDR agents must be continuously monitored and updated with the evolving threat landscape. If not, critical alerts will not be triaged and investigated. Managed Detection and Response (MDR) providers offer this service. Robust and comprehensive MDR services require an AI-powered Extended Detection and Response (XDR) technology platform so that the hundreds of daily security signals, generated by an organization’s EDR agents, can be promptly ingested, analyzed and responded to. Security events which can be resolved through an automated response are processed, while security events requiring a hands-on response are handled by the MDR’s cybersecurity analysts and threat hunters.
- Monitor the Threat Landscape. Organizations must have access to relevant threat intelligence, and it must be actioned in a timely fashion. Internal security teams need to be specifically informed about their operating environment, working in concert with their external security provider.
Learn more about eSentire’s industry renowned Threat Response Unit.
About the Author
Keegan Keplinger is the Research and Reporting Lead for the Threat Response Unit at eSentire. He conducts threat research and disseminates reports on threat activity with the goal of understanding threat actor behavior and economics. Keegan has an undergraduate degree in physics and graduate degrees in neuroscience and applied mathematics; he originally joined eSentire as the Data Visualization Lead on the Threat Intelligence team in 2017, but quickly evolved into a broader role in detection engineering, conducting threat hunts, and reporting on previously unobserved threat activity.