Golden Chickens more_eggs Exploits Social Engineering for Infections

Threat Group: Golden Chickens (aka Venom Spider)
Threat Type: Malware-as-a-Service (MaaS)
Exploited Vulnerabilities: Social engineering via spear-phishing
Malware Used: More_eggs backdoor, RevC2 backdoor, Venom Loader
Threat Score: High (8.0/10) — Due to sophisticated delivery mechanisms, evasion techniques, and deployment of multi-functional payloads
Last Threat Observation: December 7


Overview

The More_eggs backdoor, part of the Golden Chickens toolkit, represents a formidable and evolving cyber threat. Distributed as a Malware-as-a-Service (MaaS) offering, it is widely used by cybercriminal groups such as FIN6 and Cobalt Group to infiltrate organizations across sectors including finance, recruitment, and engineering. The malware enables attackers to perform credential theft, deploy ransomware, and conduct system reconnaissance.

Recent campaigns have highlighted advanced social engineering tactics, such as spear-phishing emails impersonating job applicants, and CAPTCHA-protected websites that distribute malicious .LNK files disguised as resumes. When executed, these files trigger a chain of events leading to the installation of the More_eggs backdoor and related payloads.

A recent incident analyzed by Trend Micro MDR illustrated the threat's sophistication. Using their Vision One platform, the MDR team successfully neutralized an attack, demonstrating the critical role of real-time monitoring and automated defenses.


Key Details

  1. Delivery Method:
    • Spear-phishing emails targeting HR and finance personnel.
    • Emails contain links to fake job application websites or ZIP attachments with .LNK files.
  2. Targets:
    • Recruitment professionals, financial institutions, engineering firms, and hospitality businesses.
  3. Malware Functions:
    • Credential Theft: Steals user and admin credentials for sensitive accounts.
    • Reconnaissance: Collects system data, such as running processes and network configurations.
    • Payload Deployment: Downloads and executes ransomware, infostealers, and other malware.
    • Remote Command Execution: Enables attackers to issue commands for further exploitation.
    • Network Proxying: Routes malicious traffic through compromised systems to obscure origins.
  4. Obfuscation Techniques:
    • Utilizes Living-Off-the-Land Binaries (LOLBins) such as cmd.exe, regsvr32.exe, and ie4uinit.exe.
    • Minimal disk footprint and registry-based persistence mechanisms.
  5. Campaign Variations:
    • Campaigns feature .LNK files named after individuals or documents.
    • Obfuscated commands and varying infection chains make detection difficult.
  6. Attribution:
    • Linked to Golden Chickens (MaaS provider), FIN6, and Cobalt Group.
    • Flexible MaaS model complicates precise attribution.

Attack Vectors

  1. Initial Access:
    • Spear-phishing Emails: Emails impersonating job applicants contain malicious attachments or links.
    • Fake Job Portals: CAPTCHA-protected sites hosting malicious files disguised as resumes.
  2. Execution:
    • .LNK files trigger obfuscated commands, executed via cmd.exe to download additional payloads.
    • Legitimate Windows binaries (regsvr32.exe, ie4uinit.exe) are used for stealthy execution.
  3. Persistence:
    • Creates registry entries (HKCU\Environment\UserInitMprLogonScript) to execute scripts at logon.
    • Drops encrypted payloads and legitimate binaries to disguise malicious intent.
  4. Command-and-Control (C2):
    • Communicates with attacker-controlled servers to download malware and exfiltrate data.
  5. Reconnaissance and Privilege Escalation:
    • Gathers system information, checks privileges, and identifies security tools.
  6. Lateral Movement:
    • Stolen credentials are used to access other systems and deploy additional payloads.
  7. Evasion Techniques:
    • Executes commands through LOLBins, reducing detection by traditional antivirus.
    • Operates in memory when possible, leaving minimal traces on disk.
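
The execution and persistence steps above (cmd.exe launching a LOLBin from a user-writable path, the HKCU\Environment\UserInitMprLogonScript write, and cscript forced onto the JScript engine to run a .txt file) can each be expressed as a detection rule over endpoint telemetry. The following is an added example, not code from Trend Micro or from any of this page's sources: the events are constructed, Sysmon-style records (process creation and registry value set), and the host, user and staging-file names are placeholders. Only the registry payload on event 3 is taken from this page's IoC list.

```python
"""Behavioural detections for the More_eggs execution/persistence chain (added example)."""
import re

# Constructed sample telemetry. Events 2-4 model the chain described in the text;
# events 5 and 6 are benign controls that the rules must not flag.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "<obfuscated command from the .LNK; placeholder>"'},
    {"id": 2, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\jdoe\AppData\Roaming\Microsoft\stage.ocx"'},
    {"id": 3, "type": "registry", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKCU\Environment\UserInitMprLogonScript",
     "details": r'cscripT -e:jsCript "%APPDATA%\Microsoft\D30F38D93CA9185.txt"'},
    {"id": 4, "type": "process", "parent": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscripT -e:jsCript "C:\Users\jdoe\AppData\Roaming\Microsoft\D30F38D93CA9185.txt"'},
    {"id": 5, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //nologo "\\corp\netlogon\mapdrives.vbs"'},   # benign logon script
    {"id": 6, "type": "process", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\control.dll"'},  # benign install
]

USER_WRITABLE = re.compile(r"(\\Users\\[^\\]+\\|%APPDATA%|%TEMP%|%LOCALAPPDATA%|\\ProgramData\\)", re.I)
SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
LOLBINS = ("regsvr32.exe", "ie4uinit.exe")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_logon_script_persistence(ev):
    """Any write to HKCU\\Environment\\UserInitMprLogonScript (ATT&CK T1037.001).
    The value is almost never set by legitimate software, so the write itself is the signal."""
    if ev["type"] != "registry":
        return None
    if re.fullmatch(r"HK(CU|EY_CURRENT_USER)\\Environment\\UserInitMprLogonScript", ev["target"], re.I):
        return "logon_script_persistence"
    return None


def rule_script_engine_override(ev):
    """cscript/wscript forced onto the JScript engine (-e:jscript or //e:jscript) for a file
    whose extension is not a script extension: the backdoor hides its JScript in a .txt."""
    if ev["type"] != "process" or _basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    cmd = ev["cmdline"]
    if not re.search(r"(?:^|\s)[-/]{1,2}e:jscript\b", cmd, re.I):
        return None
    tokens = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    for tok in tokens[1:]:                      # skip the executable itself
        if tok.startswith(("-", "/")):          # engine switches and other options
            continue
        ext = tok.rsplit(".", 1)[-1].lower() if "." in tok else ""
        if ext and ext not in ("js", "jse"):
            return "script_engine_override"
    return None


def rule_lolbin_user_writable(ev):
    """regsvr32/ie4uinit spawned by cmd.exe with an argument under a user-writable location,
    i.e. signed-binary proxy execution of something that was just dropped."""
    if ev["type"] != "process" or _basename(ev["image"]) not in LOLBINS:
        return None
    if _basename(ev.get("parent", "")) != "cmd.exe":
        return None
    if USER_WRITABLE.search(ev["cmdline"]):
        return "lolbin_from_user_writable_path"
    return None


RULES = (rule_logon_script_persistence, rule_script_engine_override, rule_lolbin_user_writable)


def detect(events):
    """Run every rule over every event; return (event id, rule name) pairs in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev["id"], hit))
    return findings


if __name__ == "__main__":
    for event_id, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Run as-is, the script flags events 2, 3 and 4 and leaves the two benign controls alone. In a real deployment the same three functions would be fed Sysmon event ID 1 (process creation) and event ID 13 (registry value set) records; the registry rule deserves the highest priority because the value it watches has essentially no benign use on workstations.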

Known Indicators of Compromise (IoCs)

File Hashes (SHA256)

  • 5131dbacb92fce5a59ac92893fa059c16cf8293e9abc26f2a61f9edd
  • 624afe730923440468cae991383dd1f7be1dadf65fa4cb2b21e3e5a9
  • ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4
  • f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0
  • 3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271
  • d207aebf701c7fb44fe06993f020ac3527680c7fa8492a0b5f6154ca

File Hash (SHA1)

  • 17ac712a84af8e5c7906bff6e1662a5278d33fa36f1c13fcf788

URLs

  • hxxps://1212055764.johncboins[.]com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf
  • hxxp://36hbhv.johncboins[.]com/fjkabrhhg
  • hxxps://webmail.raysilkman[.]com

Malicious Domains

  • 1212055764.johncboins[.]com
  • 36hbhv.johncboins[.]com
  • webmail.raysilkman[.]com

Email Address

  • fayereed11@gmail[.]com

Registry

  • HKCU\Environment /t 1 /v userinitmprlogonscript /d cscripT -e:jsCript "%APPDATA%\Microsoft\D30F38D93CA9185.txt"
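
The indicators above are published defanged (hxxp, [.]), and several of the hash entries are shorter than a real SHA256 (64 hex characters) or SHA1 (40), so they cannot be matched as given. The following added example, not code from this page's sources, refangs the domain and URL indicators, validates the hash list before use, and matches the network indicators against constructed DNS and proxy log lines (host names, timestamps and the benign entries are placeholders). Matching is on the host portion (exact domain or any subdomain of it) with an extra exact-URL check, since URL paths in these campaigns vary per victim.

```python
"""IoC normalisation and log matching for the indicators listed above (added example)."""
import re
from urllib.parse import urlsplit

# Indicators copied from this page, still in their defanged form.
DEFANGED_DOMAINS = ["1212055764.johncboins[.]com", "36hbhv.johncboins[.]com", "webmail.raysilkman[.]com"]
DEFANGED_URLS = [
    "hxxps://1212055764.johncboins[.]com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf",
    "hxxp://36hbhv.johncboins[.]com/fjkabrhhg",
    "hxxps://webmail.raysilkman[.]com",
]
SHA256_FROM_PAGE = [
    "5131dbacb92fce5a59ac92893fa059c16cf8293e9abc26f2a61f9edd",
    "624afe730923440468cae991383dd1f7be1dadf65fa4cb2b21e3e5a9",
    "ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4",
    "f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0",
    "3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271",
    "3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271",
    "d207aebf701c7fb44fe06993f020ac3527680c7fa8492a0b5f6154ca",
]
SHA1_FROM_PAGE = ["17ac712a84af8e5c7906bff6e1662a5278d33fa36f1c13fcf788"]

# Constructed log lines (hypothetical hosts and timestamps): "<ts> <source> key=value ...".
SAMPLE_LOGS = [
    "2025-01-15T09:14:02Z dns host=WS-0142 query=1212055764.johncboins.com type=A",
    "2025-01-15T09:14:03Z proxy host=WS-0142 method=GET "
    "url=https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf status=200",
    "2025-01-15T09:20:11Z dns host=WS-0077 query=www.example.com type=A",
    "2025-01-15T09:21:40Z proxy host=WS-0077 method=GET url=https://notjohncboins.com/fjkabrhhg status=200",
    "2025-01-15T10:02:55Z dns host=WS-0142 query=mail.webmail.raysilkman.com type=A",
    "2025-01-15T10:40:09Z proxy host=WS-0301 method=GET url=http://36hbhv.johncboins.com/landing status=404",
]


def refang(ioc):
    """Turn a defanged indicator back into its matchable form: hxxp(s):// -> http(s)://, [.] -> ."""
    return re.sub(r"\[\.\]", ".", re.sub(r"^hxxp", "http", ioc, flags=re.I))


def validate_hashes(hashes, algo="sha256"):
    """Split a hash list into (usable, unusable). Only well-formed, deduplicated digests are usable;
    anything of the wrong length (e.g. truncated in transcription) would never match a real file."""
    want = {"sha256": 64, "sha1": 40, "md5": 32}[algo]
    ok, bad = [], []
    for h in hashes:
        h = h.strip().lower()
        (ok if re.fullmatch(rf"[0-9a-f]{{{want}}}", h) else bad).append(h)
    return sorted(set(ok)), bad


def host_matches(host, bad_domains):
    """True if host equals a listed domain or is a subdomain of one (never a mere substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def scan_logs(lines, bad_domains, bad_urls):
    """Return (endpoint, matched host, reason) for every DNS query or proxied URL that hits an IoC."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[2:] if "=" in kv)
        if "url" in fields:
            url = fields["url"]
            host = urlsplit(url).hostname or ""
            if url.lower() in bad_urls:
                hits.append((fields.get("host"), host, "url"))
            elif host_matches(host, bad_domains):
                hits.append((fields.get("host"), host, "domain"))
        elif "query" in fields and host_matches(fields["query"], bad_domains):
            hits.append((fields.get("host"), fields["query"].lower().rstrip("."), "domain"))
    return hits


BAD_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]
BAD_URLS = {refang(u).lower() for u in DEFANGED_URLS}

if __name__ == "__main__":
    usable, unusable = validate_hashes(SHA256_FROM_PAGE)
    print(f"usable SHA256 hashes: {len(usable)}, rejected as malformed: {len(unusable)}")
    for endpoint, host, reason in scan_logs(SAMPLE_LOGS, BAD_DOMAINS, BAD_URLS):
        print(f"{endpoint}: {host} ({reason})")
```

Of the seven SHA256 entries, three are rejected as malformed and one is a duplicate, leaving three usable digests; the single SHA1 entry is also rejected because it is 52 characters long. The suffix-based host match catches `mail.webmail.raysilkman.com` as a subdomain of a listed domain but correctly ignores `notjohncboins.com`.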

Mitigation and Prevention

  1. User Awareness:
    • Train employees to identify phishing attempts, especially in HR and finance roles.
  2. Email Filtering:
    • Implement email security solutions to detect and block malicious attachments and URLs.
  3. Endpoint Protection:
    • Use up-to-date antivirus and endpoint detection systems.
  4. Network Monitoring:
    • Continuously monitor for unusual network activity, such as connections to malicious domains.
  5. Two-Factor Authentication (2FA):
    • Enforce 2FA to mitigate unauthorized access using stolen credentials.
  6. Regular Updates:
    • Patch operating systems and applications to close known vulnerabilities.
  7. Automated Threat Defense:
    • Leverage platforms like Trend Micro Vision One for real-time monitoring and response.

Conclusion

The More_eggs backdoor highlights the increasing risks posed by Malware-as-a-Service (MaaS) operations. By exploiting social engineering, evasive execution, and versatile payload deployment, attackers effectively infiltrate networks, exfiltrate data, and disrupt operations. The complexity and adaptability of this malware require organizations to adopt a proactive, multi-layered defense strategy combining technology, training, and incident response.


Sources

  1. Trend Micro Blog: "MDR in Action: Preventing The More_eggs Backdoor From Hatching"
  2. The Hacker News: "More_eggs MaaS Expands Operations with RevC2 Backdoor and Venom Loader"
  3. Anvilogic: "More_eggs Malware in Fake Recruitment Campaigns"