{
  "name": "MDR in Action: Preventing The More_eggs Backdoor From Hatching",
  "slug": "mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching",
  "description": "A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when it was opened. This resulted in the download and execution of the more_eggs backdoor. The malware performed system checks and communicated with a command-and-control server. Trend Micro's MDR team quickly identified and contained the threat using the Vision One platform, isolating the infected host and blocking the associated indicators. The incident is part of a broader campaign using the Golden Chickens malware toolkit, in which two variations have been observed targeting various industries, particularly those with financial resources.",
  "published": "2024-10-01T08:12:41+00:00",
  "created_at": "2024-10-01T08:12:41+00:00",
  "modified_at": "2024-10-01T08:22:35+00:00",
  "created_at_opencti": "2024-10-01T08:12:41+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-01",
    "backdoor",
    "golden chickens",
    "malware-as-a-service",
    "mdr",
    "more_eggs",
    "recruitment",
    "skid",
    "spear-phishing",
    "spicyomelette",
    "terra loader",
    "vision one"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://webmail.raysilkman.com"
      },
      {
        "id": "",
        "name": "https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf"
      },
      {
        "id": "",
        "name": "http://36hbhv.johncboins.com/fjkabrhhg."
      },
      {
        "id": "",
        "name": "http://36hbhv.johncboins.com/fjkabrhhg"
      },
      {
        "id": "",
        "name": "webmail.raysilkman.com"
      },
      {
        "id": "",
        "name": "36hbhv.johncboins.com"
      },
      {
        "id": "",
        "name": "1212055764.johncboins.com"
      },
      {
        "id": "",
        "name": "f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0"
      },
      {
        "id": "",
        "name": "ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4"
      },
      {
        "id": "",
        "name": "3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:a38bde94fc6d9eed",
        "name": "SpicyOmelette",
        "slug": "spicyomelette"
      },
      {
        "id": "legacy:malware:4e6f4643ad659c00",
        "name": "Terra Loader",
        "slug": "terra-loader"
      },
      {
        "id": "legacy:malware:cfc1e90d72b7fa19",
        "name": "SKID",
        "slug": "skid"
      },
      {
        "id": "819de08e-90ff-4114-b86e-6bc32942a4a3",
        "name": "More_eggs - S0284",
        "slug": "more_eggs-s0284"
      }
    ],
    "intrusion_sets": [
      {
        "id": "98db815f-9544-42d1-bca7-70dee985fb1c",
        "name": "FIN6",
        "slug": "fin6"
      }
    ],
    "attack_patterns": [
      {
        "id": "a58c2bff-7d90-4816-93fd-aa0b6beca12e",
        "name": "T1124"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Engineering"
      },
      {
        "id": "",
        "name": "Hospitality"
      },
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://www.trendmicro.com/en_us/research/24/i/mdr-in-action--preventing-the-moreeggs-backdoor-from-hatching--.html",
    "https://otx.alienvault.com/pulse/66fbcb1a0aac4a924b1d849c"
  ]
}