Threat Hunter’s Corner: More_Eggs malware

Welcome 

Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at Radical, and in this episode, we’ll be diving into a recent more_eggs campaign that The DFIR report covered.

RadBot Generated Text Summary 

More_Eggs Aren’t Necessarily Better 

Hey everyone, Josh Shepard here, Principal Threat Hunter at Radical. Welcome to this edition of the Threat Hunters Corner. Today, we're delving into a recent write-up by The DFIR Report on the More_Eggs malware. This malware-as-a-service (MaaS) variant is particularly intriguing due to its sophisticated infection techniques and use of lesser-known local binaries. Let's break down the campaign and explore some effective detection strategies. 

Understanding More_Eggs Malware 

More_Eggs is a backdoor malware that, once executed, provides persistent access to the victim's machine. In this campaign, threat actors employed a clever phishing technique targeting hiring managers. They identified companies with open positions on job boards and sent emails containing a link to a purported resume. This link directed the recipient to a personal website with a download link for a .zip file, which supposedly contained the resume. 

However, the .zip file actually contained a malicious .LNK file masquerading as a resume. When clicked, this .LNK file initiated the infection process. 

Exploiting Local Binaries 

IE4UINIT.EXE 

One of the notable aspects of this campaign is the use of the IE4UINIT.EXE binary, a relatively obscure executable in the Windows operating system. This binary is typically involved in setting up user profiles and interacts with the icons database using a .INF file. 

The threat actors exploited an insecure feature of IE4UINIT.EXE's handling of .INF files. Upon execution of the .LNK file, a malicious .INF file was generated and the IE4UINIT.EXE binary was copied from the System32 directory to the local user's AppData directory. This allowed the malicious .INF file to be side-loaded. 

The .INF file then leveraged Microsoft's ability to load remote COM scriptlets, effectively fetching and executing remote scripts, thus advancing the infection chain. 

Detection Strategy for IE4UINIT.EXE 

To detect this activity, consider developing an analytic to monitor for the execution of IE4UINIT.EXE with the -basesettings command line parameter. While there may be some false positives, this combination is relatively rare and should provide a low-noise detection method. 

MSXSL.EXE 

The second local binary exploited in this campaign is MSXSL.EXE, used for XML transformations. The threat actors created a scheduled task to load a malicious XML file using MSXSL.EXE. This XML file contained embedded, obfuscated JavaScript, which was executed by MSXSL.EXE thanks to the msxsl:script element, establishing persistence. 

Detection Strategy for MSXSL.EXE 

MSXSL.EXE is not commonly used in most environments. Therefore, a broad detection rule for any execution of MSXSL.EXE can be effective. Additionally, monitoring for scheduled tasks that reference .TXT or .XML files, especially those with unusual names, can help identify malicious activity. If your environment does use MSXSL.EXE, you can fine-tune the detection rules to exclude known legitimate use cases. 

Conclusion 

The More_Eggs malware campaign highlights the innovative techniques threat actors use to exploit lesser-known local binaries. By understanding these methods and implementing targeted detection strategies, we can better defend against such threats. 

For a detailed analysis, I highly recommend reading The DFIR Report's write-up on More_Eggs. As always, if you have any questions or comments, feel free to reach out. Stay safe out there, and see you in the next episode of the Threat Hunters Corner. 

Sources: 

• The DFIR Report on More_Eggs Malware