A more_eggs Malware Infection From Recruitment Scams
Cyber threat activity involving the more_eggs malware, part of the Golden Chickens malware-as-a-service (MaaS) toolkit, continues to impact victims through current campaigns built around recruitment themes. Analysis from Trend Micro threat and incident response analysts reports that the MaaS toolkit has been leveraged by threat actors including FIN6 and the Cobalt Group. These actors are financially motivated and have historically targeted business verticals in financial services and retail. In the current campaign, the malware predominantly impacts industries linked to hiring processes. No direct attribution is made to the MaaS; however, Trend Micro analysts note, "Recent reports and analysis suggest that FIN6 has adapted its methods, moving from posing as fake recruiters to now masquerading as fake job applicants. While this connection is not definitive, the observed methods in the first infection align with patterns associated with FIN6," indicating a strategic evolution in their modus operandi.
The infection process of the more_eggs malware begins with the download of a deceptive zip file from a URL whose origin was not determined. The archive contains a .lnk shortcut laden with obfuscated commands that trigger cmd.exe when the shortcut is activated. The commands issued include the use of xcopy to copy ieuinit.inf from the "%windir%\system32" directory to "%localappdata%\temp". WMIC is then used to invoke the copied ieuinit.inf. This sequence facilitates the download of a DLL that subsequently fetches further malicious payloads from a remote server, including both the more_eggs launcher and backdoor. The DLL is downloaded into the AppData\Roaming\Adobe directory and is triggered by regsvr32. The malware establishes persistence through a modification under the HKCU\Environment registry key, where, as Trend Micro describes it, the "registry value UserInitMprLogonScript is used to run the more_eggs launcher" by calling cscript.exe. Windows Management Instrumentation (WMI) is used for environment reconnaissance, gathering detailed system, network, and process information critical for maintaining its foothold within compromised systems.
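The chain above translates directly into host-based detection logic. The following is an added example, not code from the Trend Micro report: a small rule set that flags each stage (the xcopy of ieuinit.inf into %temp%, WMIC invoking the relocated file, regsvr32 loading a DLL from AppData\Roaming\Adobe, and the UserInitMprLogonScript persistence value) when run over constructed, Sysmon-style events. The event layout, file names and user paths are assumptions made for the example.

```python
# Added example (not from the Trend Micro report): detection rules for the
# more_eggs infection chain, run over constructed Sysmon-style events.
import re

# Constructed sample telemetry: four events matching the chain, plus one benign
# regsvr32 event. Paths, file names and the WMIC arguments are made up.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c xcopy /y %windir%\system32\ieuinit.inf %localappdata%\temp"},
    {"kind": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic.exe <args omitted> C:\Users\j\AppData\Local\Temp\ieuinit.inf"},
    {"kind": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\j\AppData\Roaming\Adobe\loader.dll"},
    {"kind": "registry", "key": r"HKCU\Environment", "value": "UserInitMprLogonScript",
     "data": r"cscript.exe C:\Users\j\AppData\Roaming\Adobe\launch.js"},
    {"kind": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\legit.dll"},  # benign
]

def match_rules(ev):
    """Return the names of the chain rules this single event matches (may be empty)."""
    hits = []
    cmd = ev.get("cmdline", "").lower()
    if ev["kind"] == "process":
        image = ev["image"].lower()
        # Stage 1: cmd.exe (spawned by the .lnk) copies ieuinit.inf out of system32 into %temp%.
        if image.endswith("\\cmd.exe") and "xcopy" in cmd and "ieuinit.inf" in cmd and "temp" in cmd:
            hits.append("xcopy_ieuinit_to_temp")
        # Stage 2: WMIC referencing ieuinit.inf anywhere other than its system32 home.
        if image.endswith("\\wmic.exe") and "ieuinit.inf" in cmd and "\\system32\\" not in cmd:
            hits.append("wmic_relocated_ieuinit")
        # Stage 3: regsvr32 loading a DLL dropped under AppData\Roaming\Adobe.
        if image.endswith("\\regsvr32.exe") and re.search(r"\\appdata\\roaming\\adobe\\[^\s\"]+\.dll", cmd):
            hits.append("regsvr32_appdata_adobe_dll")
    elif ev["kind"] == "registry":
        # Persistence: HKCU\Environment\UserInitMprLogonScript pointing at cscript.exe.
        if (ev["key"].lower() == r"hkcu\environment"
                and ev["value"].lower() == "userinitmprlogonscript"
                and "cscript" in ev.get("data", "").lower()):
            hits.append("logonscript_cscript_persistence")
    return hits

def detect(events):
    """Run every event through the rules; return [(event_index, rule_name), ...]."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_rules(ev)]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Any two of these rules firing on one host within a short window is a far stronger signal than a single hit, since each stage alone (xcopy, WMIC, regsvr32, a logon script value) also appears in legitimate administration.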
The indicators present in the attack chain enabled Trend Micro to block the activity and isolate the host. more_eggs campaigns have been tracked as active since 2017, and the malware toolkit is promoted in underground forums. "Submissions on VirusTotal from August 1 to September 10 of LNK files with similar behavior suggest that there could be a recent or ongoing campaign leveraging the Golden Chickens suite," reports Trend Micro. All of the recent activity has been found to leverage social engineering as part of its lure.