More_eggs is malware that is specially designed to steal valuable credentials like usernames and passwords for corporate bank accounts, email accounts, and IT admin accounts.
In April 2021, threat actors ran a spearphishing campaign with more_eggs malware that targeted job-hunting professionals on LinkedIn. They sent malicious .zip files named after the victim's current job title.
For example, if the victim's current job title is "Account Manager", the zip file is named "Account Manager Position". Once the victim opens the fake offer, the installation of the more_eggs malware begins.
However, threat actors are currently reversing their targets. This time they are targeting organizations by sending the malware as resumes from job applicants.
Recruiters usually download the resume to learn about the applicant. But the resume has the more_eggs malware embedded in it, which executes when they download and open it.
eSentire's security research team, the Threat Response Unit (TRU), has also discovered four other security incidents and shut them down. Three of the four incidents were discovered at the end of March.
The organizations that were targeted include a U.S.-based aerospace/defense company, a large UK-based CPA firm, an international business law firm based out of Canada, and a Canadian national staffing agency.
This malware has already been used in several attack campaigns by other threat actors such as the FIN6 gang, Evilnum, and the Cobalt Group. After they infect a system, they move across the network using TeamViewer and encrypt files.
The connection between FIN6, Evilnum, Cobalt, and More_Eggs
FIN6 is a cybercrime group that specifically steals payment card details and sells them on the dark web and other underground markets. In 2014, they gained notoriety for their attacks against POS (Point-Of-Sale) machines at retail outlets and hospitality companies.
Later they targeted e-Commerce companies and stole credit card data via online skimming.
At the end of 2018, FIN6 attacked payment servers of e-Commerce companies using malicious documents with more_eggs malware embedded.
Their methodology also shows similarities: FIN6 targeted employees in an organization through LinkedIn profiles and lured them with fake job offers.
Evilnum is known for compromising fintech companies, such as those providing stock trading platforms and tools, with more_eggs malware. This group targeted financial technology companies and their customers.
Specifically, they targeted items such as spreadsheets, documents with customer lists, investment and trading operations, and the credentials relating to them.
Cobalt Group is also known for using more_eggs malware as a backdoor to go after financial companies.
More_eggs is a sophisticated malware with many components. Components include:
- VenomLNK – A poisoned LNK (Windows shortcut) file. The Windows operating system uses LNK files to automate program execution. This LNK file executes TerraLoader by tricking the user into opening a document.
- TerraLoader – Loads the other modules from VenomLNK
- Terrapreter – Provides a Meterpreter shell
- TerraStealer – Exfiltrates sensitive data
- TerraTV – Hijacks TeamViewer for lateral movement
- Terracrypt – Ransomware plugin for PureLocker ransomware (CR1 ransomware)
Complete documentation of this malware has been published by eSentire.
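Since the initial stage above is a shortcut file hidden inside a lure-named zip, a defender triaging inbound "resume" or "job offer" archives can check entry contents rather than extensions. The following is an added example (not eSentire's code or a more_eggs artefact): it recognises the shell link header defined in MS-SHLLINK, reads out the shortcut's relative path and command-line arguments, and runs against a constructed sample archive whose file name, shortcut target and arguments are all made up for the demo.

```python
import io
import struct
import zipfile
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# LinkFlags bits that announce a StringData field, in on-disk order (MS-SHLLINK).
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
def parse_lnk(data):
    """Return the StringData fields of a shell link, or None if data is not an LNK."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C  # skip the fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:    # LinkTargetIDList: 2-byte size prefix, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: 4-byte total size at its own start
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields

def triage_zip(zip_bytes):
    """List every archive entry whose bytes are a shell link, whatever its extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            fields = parse_lnk(zf.read(info))
            if fields is not None:
                findings.append((info.filename, fields))
    return findings

def build_sample_zip():
    """Constructed sample (not a real more_eggs artefact): lure-named zip holding a shortcut."""
    def utf16(text):  # CountCharacters followed by the UTF-16LE string
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    flags = 0x08 | 0x20 | IS_UNICODE  # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(0x4C - 24)
    lnk = header + utf16(r"..\..\Windows\System32\cmd.exe") + utf16("/c echo demo")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Account Manager Position.lnk", lnk)
        zf.writestr("cover letter.txt", "decoy, not a shortcut")
    return buf.getvalue()
```

A shortcut whose target is an interpreter such as cmd.exe or wscript.exe, arriving in an archive that claims to be a document, is the signal to quarantine the attachment and pull the full sample for analysis.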