Summary: More_Eggs is developed by the Venom Spider group and distributed as Malware-as-a-Service (MaaS). The ZIP file attached to an email posing as a job application contains a decoy image and a malicious LNK file; once opened, it deploys a backdoor, gives the attackers remote access, and abuses legitimate system files to carry out the attack. Every infection produces a unique payload, which makes detection harder.
2025-05-20 21:28:04 Author: cybersecuritynews.com

More_Eggs Malware Exploits Job Application Emails to Deliver Malicious Payloads

The More_Eggs malware, a sophisticated JavaScript backdoor operated by the financially motivated Venom Spider (also known as Golden Chickens) threat group, has emerged as a significant threat to corporate environments.

This backdoor is particularly concerning as it’s distributed through a Malware-as-a-Service (MaaS) model to various threat actors, including notorious groups like FIN6 and Cobalt Group.

The malware targets human resources departments by exploiting the inherent trust placed in job application emails, turning what appears to be legitimate candidate correspondence into dangerous attack vectors.


These attacks begin with seemingly innocent job applications containing ZIP file attachments. The archive typically includes a decoy image to create an appearance of legitimacy, alongside a malicious Windows shortcut (LNK) file.

When triggered, this shortcut initiates a complex chain of events that ultimately deploys the More_Eggs backdoor, giving attackers remote access to compromised systems and potential entry points into corporate networks.

Denwp Research analysts identified a recent More_Eggs sample named “Sebastian Hall.zip” that exemplifies this threat group’s techniques.

Upon analysis, researchers discovered the sample contains both a decoy image (b.jpg) and a malicious LNK file (Sebastian Hall.lnk) that executes heavily obfuscated commands when opened.

The researchers noted that this social engineering approach effectively circumvents human vigilance by appearing as routine job application material.

The impact of More_Eggs extends beyond initial compromise, as the backdoor provides attackers with capabilities to harvest system information, deploy additional payloads, and establish persistence.

This creates significant risk for organizations, particularly those with high-volume HR operations processing numerous job applications daily.

The malware’s polymorphic nature ensures each victim receives a unique payload, complicating detection efforts by traditional security tools.

Infection Mechanism Analysis

The infection chain begins when a victim opens the malicious LNK file, triggering the execution of a complex, obfuscated command line sequence.

LECmd output (Source – DENWP)

The Windows shortcut properties dialog shows only the first part of a long Target field, so the full argument string stored in the LNK is visible only with a dedicated parser such as Eric Zimmerman's LECmd, which prints the complete command line.

/v /c start "" "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" & (for %f in ("peric=s" "tartarly=e" "unvoyagingu=al" ) do @set %~f) && !peric!et " jugs=e" && c!unvoyagingu!l s!tartarly!t " colberte=c"
Obfuscated hidden command (Source – DENWP)

The command relies on cmd.exe delayed variable expansion, enabled by the /v switch: the for loop assigns peric=s, tartarly=e and unvoyagingu=al, after which !peric!et resolves to set, c!unvoyagingu!l to call and s!tartarly!t to set. The real keywords never appear literally in the shortcut, so signatures that look for set or call in LNK targets miss them.

The script launches Microsoft Word as a decoy to distract the victim while conducting malicious activities in the background.

Through variable manipulation, it builds a command to create a configuration file named ieuinit.inf in the Windows temporary directory.

The ieuinit.inf file mimics a legitimate Windows INF file structure but contains encoded data, including command and control (C2) URLs and operational instructions.
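To see what the delayed-expansion trick hides, the following is an added example (not from the Denwp write-up and not code from the malware) that statically resolves the !var! references in the quoted fragment the way cmd.exe would at runtime. The input is the fragment shown above reconstructed as a Python string; the regular expressions, function names and the fixed-point loop are this example's own.

```python
import re

# Constructed input: the obfuscated LNK argument string quoted in the article.
# It is a fragment (the article shows it truncated; the cmd.exe path that
# precedes "/v /c" is not part of the quoted text).
OBFUSCATED = (
    r'/v /c start "" "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" & '
    r'(for %f in ("peric=s" "tartarly=e" "unvoyagingu=al" ) do @set %~f) && '
    r'!peric!et " jugs=e" && c!unvoyagingu!l s!tartarly!t " colberte=c"'
)

# for %f in ("a=b" "c=d") do @set %~f  -> every quoted pair becomes a variable
FOR_SET = re.compile(
    r'for\s+%(\w)\s+in\s*\(((?:\s*"[^"]*")+)\s*\)\s*do\s+@?set\s+%~\1', re.I)
PAIR = re.compile(r'"([^"=]+)=([^"]*)"')
# set "name=value" revealed after expansion; the name may start with spaces,
# which cmd accepts and which defeats naive 'set var=' signatures
SET_STMT = re.compile(r'\bset\s+"([^"=]+)=([^"]*)"', re.I)
# !name! reference, only meaningful when delayed expansion is on
DELAYED_REF = re.compile(r'!([^!]+)!')


def delayed_expansion_enabled(cmd: str) -> bool:
    """cmd.exe expands !var! only with /V or /V:ON; otherwise it stays literal."""
    return re.search(r'(^|\s)/v(:on)?(\s|$)', cmd, re.I) is not None


def deobfuscate(cmd: str, max_rounds: int = 10):
    """Statically resolve !var! references as cmd.exe would at runtime.

    Returns (expanded command, variable table, names still unresolved).
    Variable names are case-insensitive in cmd, so the table is keyed lowercase.
    """
    env = {}
    # 1. variables defined up front through the for/set idiom
    for m in FOR_SET.finditer(cmd):
        for name, value in PAIR.findall(m.group(2)):
            env[name.lower()] = value
    # 2. harvest any set "name=value" visible so far, expand, and repeat until
    #    the string stops changing (each round can uncover new assignments)
    for _ in range(max_rounds):
        for name, value in SET_STMT.findall(cmd):
            env[name.lower()] = value
        expanded = DELAYED_REF.sub(
            lambda m: env.get(m.group(1).lower(), m.group(0)), cmd)
        if expanded == cmd:
            break
        cmd = expanded
    unresolved = sorted({m.group(1) for m in DELAYED_REF.finditer(cmd)})
    return cmd, env, unresolved


if __name__ == "__main__":
    if not delayed_expansion_enabled(OBFUSCATED):
        print("no /v switch: !var! tokens would stay literal")
    plain, table, left = deobfuscate(OBFUSCATED)
    print(plain)
    for name, value in table.items():
        print(f"  {name!r} = {value!r}")
    if left:
        print("unresolved references:", left)
```

Running it prints the fragment with set and call restored and lists the variables, including the two whose names begin with a space (" jugs" and " colberte"). Because the article shows the command truncated, nothing after " colberte=c" is resolved; the same loop would keep going on the complete LECmd output, as each newly revealed assignment feeds the next round.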

Attack chain (Source – DENWP)

Most critically, the script copies the legitimate Windows binary ieuinit.exe from the system directory into the temporary directory and then runs that copy with a special parameter:

xcopy /Y /C /Q %windir%\system32\ieuinit.exe "%temp%"
start "" %temp%\ieuinit.exe -basjestings

This living-off-the-land technique lets the malware run a trusted system binary for its own purposes; copying it into %temp% matters because the copy then executes next to the attacker-written ieuinit.inf rather than next to the legitimate configuration in the system directory.

When executed with the appropriate arguments, ieuinit.exe processes the malicious configuration file, downloads a heavily obfuscated JavaScript file from a remote server, and ultimately establishes the More_Eggs backdoor on the victim’s system.
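The following is an added detection example, not part of the original article, that encodes the three observable steps of this chain (cmd.exe with /v and the for/set idiom, xcopy of the system binary into a temp directory, and that binary executing from a non-system path) as checks over Sysmon-style process-creation records. The records, the user name "hr" and the rule names are constructed for the example; the binary name ieuinit.exe is taken exactly as the article gives it.

```python
import json
import ntpath
import re

# Constructed Sysmon-style process-creation records (JSON lines) that mirror
# the chain the article describes; they are illustrative, not real telemetry.
# The user name "hr" is an assumption. Record 4 is a benign control case.
SAMPLE_EVENTS = r'''
{"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /v /c start \"\" \"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" & (for %f in (\"peric=s\" \"tartarly=e\") do @set %~f)"}
{"Image":"C:\\Windows\\System32\\xcopy.exe","CommandLine":"xcopy /Y /C /Q C:\\Windows\\system32\\ieuinit.exe \"C:\\Users\\hr\\AppData\\Local\\Temp\""}
{"Image":"C:\\Users\\hr\\AppData\\Local\\Temp\\ieuinit.exe","CommandLine":"C:\\Users\\hr\\AppData\\Local\\Temp\\ieuinit.exe -basjestings"}
{"Image":"C:\\Windows\\System32\\ieuinit.exe","CommandLine":"ieuinit.exe"}
{"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"WINWORD.EXE"}
'''

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LOLBIN = "ieuinit.exe"  # binary name as given in the article
TEMP_MARKERS = (r"\appdata\local\temp", "%temp%")
FOR_SET_IDIOM = re.compile(r"for\s+%\w\s+in\s*\(.*?\)\s*do\s+@?set\s+%~", re.I)
DELAYED_SWITCH = re.compile(r"(^|\s)/v(:on)?(\s|$)", re.I)


def _base(path):
    return ntpath.basename(path).lower()


def _in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def check_event(ev):
    """Return the names of the rules a single process-creation event trips."""
    image, cmdline = ev.get("Image", ""), ev.get("CommandLine", "")
    low = cmdline.lower()
    hits = []
    # Rule 1: the trusted binary running from anywhere but a system directory
    if _base(image) == LOLBIN and not _in_system_dir(image):
        hits.append("lolbin-outside-system-dir")
    # Rule 2: the binary being copied into a temp directory (the staging step)
    if "xcopy" in low and LOLBIN in low and any(t in low for t in TEMP_MARKERS):
        hits.append("lolbin-staged-to-temp")
    # Rule 3: cmd.exe with delayed expansion plus the for/set variable idiom
    if (_base(image) == "cmd.exe" and DELAYED_SWITCH.search(cmdline)
            and FOR_SET_IDIOM.search(cmdline)):
        hits.append("cmd-delayed-expansion-obfuscation")
    return hits


def scan(jsonl):
    """Run check_event over JSON-lines input; returns [(rule, image), ...]."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        alerts.extend((rule, ev["Image"]) for rule in check_event(ev))
    return alerts


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:40} {image}")
```

The path check on Image is what separates the staged copy from the same binary running from System32, so the benign fourth record does not fire. Rule 2 only covers xcopy, the tool the article shows; a built-in copy or a PowerShell Copy-Item would need its own clause. Matching on the -basjestings argument alone would be weaker than the path check, since the argument can be varied freely while the copy-to-temp step cannot.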

The JavaScript payload employs advanced anti-analysis techniques and server-side polymorphism to generate unique code for each victim, significantly complicating detection efforts by traditional security tools and analysts.



Source: https://cybersecuritynews.com/more_eggs-malware-exploits-job-application-emails/