More_eggs virus

More_eggs virus is a backdoor Trojan that is utilized by Cobalt Group and other criminal gangs to attack corporations and regular users

More_eggs virus is a backdoor Trojan that was used by infamous cybercriminal groups like Cobalt Group and FIN6

More_eggs virus is a backdoor written in JavaScript programming language. Also known as Terra Loader and SpicyOmelette, the malware allows malicious actors to perform various tasks on the host machine, including executing shell commands, downloading or deleting files/payloads, executing code, transferring information, etc. In other words, thanks to More_eggs malware, the attackers can control the machine over an HTTPS-based C2 protocol and, although the functionality of the commands is limited, it is enough to initiate the download of more sophisticated payload.

More_eggs backdoor is used to target all versions of Windows machines, and several variants of it have been released, including version 2.0 and 4.4. The malware has been prevalent for at least a couple of years (first described by Trend Micro specialists in August 2017),^[1], and has been actively distributed with the help of malicious spam email attachments or hyperlinks that reach out financial organizations or regular PC users. More_eggs malware has been one of the main assets of financially-motivated Cobalt Group^[2] and FIN6 cybercriminal gangs, which are also believed to be involved in a highly-evasive PureLocker ransomware and open-source software Cobalt Strike delivery campaign.

More_eggs backdoor is sold on the Dark Web as Malware-as-a-Service, i.e., anyone can buy and use the payload as long as the developers receive a predetermined percentage of the profits obtained from malware attacks. Thus, there is a high chance that there are multiple other malicious actors that distribute the More_eggs virus.

More_eggs virus might be a high threat to any computer user, as a backdoor is designed to remain on the system undetected for as long as possible. During its operation, it can send the attackers the required information, such as the installed anti-malware program, IP address, computer name, OS versions, and other data. Due to this, More_eggs removal might be fairly hard, although most up-to-date security programs should be able to take care of its elimination in the Safe Mode environment.

Delivery process of More_eggs backdoor trojan

In 2018, More_eggs was closely analyzed by Talos Intelligence experts, that described the malspam campaigns as “highly sophisticated and evasive”:^[3]

Simple campaigns typically use a single technique and often embed the final executable payload into the exploit document. However, more complex campaigns require meticulous planning on the part of the attacker and include more sophisticated techniques to hide the presence of the malicious code, evade operating system protection mechanisms and eventually deliver the final payload, likely to be present only in the memory of the infected computer and not as a file on the disk.

Several different More_eggs malware delivery campaigns were observed in the past, although most of the time, a fake (but legitimately-created) Linkedin account is made by the attackers. Using this account, the attacker delivers an email to a particular user of the targeted organization – it contains a subject line “Hi [Name], please add me to your professional network.”^[4]

More_eggs actors pretend to offer users a new job in a similar position with allegedly much better prospects.^[5] In some cases, the emails are embedded with a Google Drive link, which, once clicked, displays a message “Online preview is not available” and prompts users to click on another link, that is actually malicious. The URL, once clicked, automatically downloads a WSF file inside a ZIP archive. Once executed, it would initiate the More_eggs virus infection process.

More_eggs is a multi-stage fileless malware that attacks various organisations and uses sophisticated techniques to move laterally and gain elevated privileges on the infected machine/network

Other times, attackers opted to direct potential victims to sites that use stolen branding, which makes the campaign much more believable. Users were prompted to download the alleged job description inside an MS Word file, which, once opened, would not display anything until the “Enable Content” button is pressed – Macros enabled.

The mentioned documents are often used to abuse software vulnerabilities, including:

• CVE-2017-0199;
• CVE-2017-8570;
• CVE-2017-8759;
• CVE-2017-11882;
• CVE-2018-0802;
• CVE-2018-8174.

More_eggs malware performs multiple actions after infiltration

Upon infiltration, the More_eggs virus establishes a connection between a compromised machine and the attacker’s Command and Control server. After that, it uses WMI and PowerShell commands to move laterally and escalate privileges on the impacted system. This method is often known as “living off the land”^[6] by security experts and is often associated with fileless attacks – malware resides in the system’s memory instead of the hard drive, complicating AV detection. Nevertheless, most of the up-to-date security applications should be capable of detecting post-infection activities and remove More_eggs without much trouble.

More_eggs Trojan also allows the attackers to download secondary payload, such as Mimikatz post-exploitation tool. It will enable them to extract sensitive information from the host machine and access various systems with the help of harvested credentials, resulting in privilege escalation and further movement within the IT infrastructure.

Process injection is not the only sophisticated ability of More_eggs virus, however. Several malware components, along with communications between the host machine and the malicious server, are encrypted by such encryption algorithms like RC4. Additionally, the backdoor modifies Windows registry files, sends out HTTP GET requests, writes information on text files (that are later deleted), and much more. These actions are performed with the help of the following commands:

• d&exec – Download and execute an executable (.exe or .dll).
• more_eggs – Delete the current More_eggs and replace it.
• Gtfo – Uninstall activity.
• more_onion – Execute a script.
• via_c – Run a command using “cmd.exe/C”.

More_eggs is delivered via targeted email campaigns that pose as job offers, often mimicking official branding

Ways to prevent being deceived by sophisticated malspam campaigns

Phishing emails or websites have been around for many years now and were often poorly executed. In most of the cases, users can find suspicious indicators due to poor grammar, spelling mistakes, bad formatting, and other symptoms. However, cybercriminal gangs are sophisticated individuals, and they take time and effort to craft phishing emails that are identical to original ones. Besides, they also leverage multi-stage infection mechanisms that are not as obvious for many computer users.

Therefore, it is vital to recognize phishing emails before they manage to inflict major damage to computer systems and connected networks. Regardless of how well worded the email is, you can always check the sender’s address – it is often a good indicator that it is illegitimate (nevertheless, beware of emails spoofing). Additionally, you should NEVER enable content by turning on the Macro function unless you have been expecting a document with such a feature.

Additionally, because some of the malware campaigns have been actively using software vulnerabilities to proliferate the malicious payload, it is vital to patch all the operating systems on time (along with all the installed software, e.g., Drupal). Finally, make sure your computer is equipped with a sophisticated anti-malware solution.

Delete More_eggs backgood with all its components from your system

Due to highly evasive infection mechanisms (fileless infection), detecting and preventing More_eggs virus becomes an almost impossible task for most modern security solutions. Nevertheless, by employing powerful anti-malware software, you should be able to remove More_eggs virus with all its components. The best way to do that is by accessing Safe Mode with Networking, as explained below – it would temporarily disable the main functions of the malware.

While More_eggs removal might not be necessary in every case (the malware can delete itself under particular circumstances), the termination of other components introduced by the Trojan is mandatory. In other words, just because the main payload is deleted after the infection, it does not mean that there is nothing else to eliminate.

Once More_eggs backdoor removal is complete, you should also employ PC repair software Reimage Reimage Cleaner as it should be able to fix the damage done to the system and restore it to the pre-infection condition without having to reinstall the OS.