Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at Radical, and in this episode we’ll be diving into a recent More_Eggs campaign that The DFIR Report covered.
Hey everyone, Josh Shepard here, Principal Threat Hunter at Radical. Welcome to this edition of the Threat Hunters Corner. Today, we're delving into a recent write-up by The DFIR Report on the More_Eggs malware. This malware-as-a-service (MaaS) variant is particularly intriguing due to its sophisticated infection techniques and use of lesser-known local binaries. Let's break down the campaign and explore some effective detection strategies.
More_Eggs is a backdoor malware that, once executed, provides persistent access to the victim's machine. In this campaign, threat actors employed a clever phishing technique targeting hiring managers. They identified companies with open positions on job boards and sent emails containing a link to a purported resume. This link directed the recipient to a personal website with a download link for a .zip file, which supposedly contained the resume.
However, the .zip file actually contained a malicious .LNK file masquerading as a resume. When clicked, this .LNK file initiated the infection process.
One of the notable aspects of this campaign is the use of the IE4UINIT.EXE binary, a relatively obscure executable in the Windows operating system. This binary is typically involved in setting up user profiles and interacts with the icons database using a .INF file.
The threat actors exploited an insecure feature of IE4UINIT.EXE's handling of .INF files. Upon execution of the .LNK file, a malicious .INF file was generated and the IE4UINIT.EXE binary was copied from the System32 directory to the local user's AppData directory. This allowed the malicious .INF file to be side-loaded.
The .INF file then leveraged Windows' support for loading remote COM scriptlets, effectively fetching and executing remote scripts and thus advancing the infection chain.
To detect this activity, consider developing an analytic that monitors for execution of IE4UINIT.EXE with the -basesettings command-line parameter. There may be some false positives, but this combination is relatively rare and should provide a low-noise detection.
The second local binary abused in this campaign is MSXSL.EXE, Microsoft's command-line XSL transformation tool. The threat actors created a scheduled task that loaded a malicious XML file with MSXSL.EXE. This XML file contained embedded, obfuscated JavaScript, which MSXSL.EXE executed via the msxsl:script extension element, establishing persistence.
MSXSL.EXE is not commonly used in most environments. Therefore, a broad detection rule for any execution of MSXSL.EXE can be effective. Additionally, monitoring for scheduled tasks that reference .TXT or .XML files, especially those with unusual names, can help identify malicious activity. If your environment does use MSXSL.EXE, you can fine-tune the detection rules to exclude known legitimate use cases.
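The three detection ideas above (IE4UINIT.EXE with -basesettings or running from outside a system directory, any MSXSL.EXE execution minus an allowlist, and schtasks creations that reference .TXT/.XML files) as one rule set run over constructed process-creation events. This is an added example, not code from the episode or The DFIR Report; the event field names follow the Sysmon Event ID 1 shape, and every path and command line is made up for the demonstration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 shape); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ie4uinit.exe",
     "CommandLine": "ie4uinit.exe -show",
     "ParentImage": r"C:\Windows\System32\runonce.exe"},
    {"Image": r"C:\Users\hr\AppData\Roaming\ie4uinit.exe",   # copy of the binary in AppData
     "CommandLine": "ie4uinit.exe -basesettings",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\msxsl.exe",
     "CommandLine": "msxsl.exe sample.xml sample.xsl",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "msxsl.exe C:\Users\hr\AppData\Local\Temp\a1.txt C:\Users\hr\AppData\Local\Temp\a1.xml" /sc minute',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TXT_XML_REF = re.compile(r"\S+\.(?:txt|xml)\b", re.IGNORECASE)


def detect(event, allowed_msxsl_parents=frozenset()):
    """Return the detection rule names that fire for one process-creation event."""
    hits = []
    image_path = event["Image"].lower()
    image = image_path.rsplit("\\", 1)[-1]
    cmd = event["CommandLine"].lower()
    parent = event["ParentImage"].lower()
    if image == "ie4uinit.exe":
        # The -basesettings switch is rare in normal operation (low-noise detection).
        if "-basesettings" in cmd:
            hits.append("ie4uinit_basesettings")
        # The campaign copied the binary out of System32; a copy running elsewhere is suspicious.
        if not image_path.startswith(SYSTEM_DIRS):
            hits.append("ie4uinit_outside_system_dir")
    if image == "msxsl.exe" and parent not in allowed_msxsl_parents:
        # Broad rule: any msxsl.exe execution, minus known legitimate parent processes.
        hits.append("msxsl_execution")
    if image == "schtasks.exe" and "/create" in cmd and TXT_XML_REF.search(cmd):
        hits.append("schtasks_references_txt_or_xml")
    return hits


def scan(events, **kwargs):
    """Map each firing event's index to its rule hits, skipping clean events."""
    return {i: h for i, e in enumerate(events) if (h := detect(e, **kwargs))}
```

Pass `allowed_msxsl_parents` (lower-cased full paths) to carve out the legitimate MSXSL.EXE users an environment has; the other two rules need no tuning in most environments.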
The More_Eggs malware campaign highlights the innovative techniques threat actors use to exploit lesser-known local binaries. By understanding these methods and implementing targeted detection strategies, we can better defend against such threats.
For a detailed analysis, I highly recommend reading The DFIR Report's write-up on More_Eggs. As always, if you have any questions or comments, feel free to reach out. Stay safe out there, and see you in the next episode of the Threat Hunters Corner.