More_eggs

More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. [1][2]

ID: S0284
Associated Software: SKID, Terra Loader, SpicyOmelette
Type: MALWARE
Platforms: Windows
Contributors: Drew Church, Splunk
Version: 3.0
Created: 17 October 2018
Last Modified: 23 April 2021

Associated Software Descriptions

Name Description
SKID

[3]

Terra Loader

[2][4]

SpicyOmelette

[2]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

More_eggs uses HTTPS for C2.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

More_eggs has used cmd.exe for execution.[2][5]

Enterprise T1132 .001 Data Encoding: Standard Encoding

More_eggs has used basE91 encoding, along with encryption, for C2 communication.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

More_eggs will decode malware components that are then dropped to the system.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

More_eggs has used an RC4-based encryption method for its C2 communications.[2]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

More_eggs can remove itself from a system.[1][2]

Enterprise T1105 Ingress Tool Transfer

More_eggs can download and launch additional payloads.[1][2]

Enterprise T1027 Obfuscated Files or Information

More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.[5]

Enterprise T1218 .010 Signed Binary Proxy Execution: Regsvr32

More_eggs has used regsvr32.exe to execute the malicious DLL.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

More_eggs can obtain information on installed anti-malware programs.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.[2]

Enterprise T1082 System Information Discovery

More_eggs has the capability to gather the OS version and computer name.[1][2]

Enterprise T1016 System Network Configuration Discovery

More_eggs has the capability to gather the IP address from the victim's machine.[1]

.001 Internet Connection Discovery

More_eggs has used HTTP GET requests to check internet connectivity.[2]

Enterprise T1033 System Owner/User Discovery

More_eggs has the capability to gather the username from the victim's machine.[1][2]

Groups That Use This Software

ID Name References
G0080 Cobalt Group

[1][3]

G0037 FIN6

[2][4]

G0120 Evilnum

[5]

References