More_Eggs Malware Uses Job Application Emails to Distribute Malicious Payloads

The More_Eggs malware, operated by the financially motivated Venom Spider group (also known as Golden Chickens), continues to exploit human trust through meticulously crafted social engineering.

Sold as a Malware-as-a-Service (MaaS) to notorious threat actors like FIN6 and Cobalt Group, this potent JavaScript backdoor primarily targets human resources (HR) departments by masquerading as job application emails.

These seemingly legitimate communications conceal malicious payloads designed to infiltrate systems undetected.

A recent sample, dubbed “Sebastian Hall.zip,” sourced from MalwareBazaar, exemplifies the stealth and sophistication of More_Eggs, revealing a multi-stage infection chain that leverages Windows shortcut (LNK) files, obfuscated scripts, and legitimate system binaries to establish a foothold in targeted environments.

Deceptive Tactics Target HR Departments

According to the report, analysis of the Sebastian Hall.zip archive uncovers a decoy image (b.jpg) paired with a malicious LNK file (Sebastian Hall.lnk), which serves as the initial infection vector.

Figure: Content of Sebastian Hall.zip

When inspected, the LNK file’s properties reveal a hidden command line executed via cmd.exe, meticulously obfuscated to evade detection.

Tools such as LECmd and ExifTool recover the full command line, which turns out to be a batch script that uses variable fragmentation and syntactic tricks to assemble its payload only at run time, so that no single readable string gives the intent away.

The script launches Microsoft Word as a distraction, while simultaneously writing an encoded configuration file, ieuinit.inf, to the temporary directory (%temp%).

It then copies the legitimate, signed Windows binary ieuinit.exe from %windir%\system32 to %temp% and runs that copy with an unusual argument, “-basjestings”, which triggers the next stage of the infection.
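The triage step described above can be automated before an attachment ever reaches an HR inbox: unpack the ZIP, find every .lnk entry, and read the shortcut's RelativePath and Arguments fields straight out of the MS-SHLLINK structure rather than trusting the icon or file name. The following script is an added example, not code from the report or from the tools it mentions; the archive it scans is a constructed stand-in for Sebastian Hall.zip, and its command line only imitates the chain (it is not the real sample's command line). The SUSPICIOUS_TOKENS list is an assumed heuristic.

```python
"""Static triage of a ZIP attachment: list embedded .lnk files and recover the
command line each one would run, by walking the MS-SHLLINK layout directly."""
import io
import struct
import zipfile

# Shell Link header: HeaderSize 0x4C, then the LinkCLSID
# {00021401-0000-0000-C000-000000000046} serialized little-endian.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON, "icon_location"))
# Tokens that make a shortcut's command line worth a human look (assumed heuristic).
SUSPICIOUS_TOKENS = ("cmd", "powershell", "mshta", "wscript", "%temp%", "ieuinit")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, ...)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:            # LinkTargetIDList: 2-byte size + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:          # LinkInfo: its first field is the total size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_DATA:     # StringData: CountCharacters + chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def scan_zip(zip_bytes: bytes) -> list:
    """List every .lnk entry in the archive with its recovered command line."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                fields = parse_lnk(zf.read(info))
            except ValueError as exc:
                fields = {"error": str(exc)}
            cmdline = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
            findings.append({"entry": info.filename, **fields,
                             "suspicious": any(t in cmdline for t in SUSPICIOUS_TOKENS)})
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    flags = HAS_REL_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, timestamps, etc. left zero
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


def sample_archive() -> bytes:
    """Constructed stand-in for Sebastian Hall.zip: a decoy image plus an LNK whose
    arguments imitate the described chain. This is NOT the real sample's command line."""
    lnk = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                    r"/c set a=ieu&set b=init&copy %windir%\system32\%a%%b%.exe %temp% "
                    r"& start winword & %temp%\%a%%b%.exe -basjestings")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)   # decoy, JPEG magic only
        zf.writestr("Sebastian Hall.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(sample_archive()):
        print(f["entry"], "->", f.get("relative_path"), f.get("arguments"),
              "| suspicious:", f["suspicious"])
```

The parser only walks the header, the optional LinkTargetIDList and LinkInfo blocks, and the StringData section, which is enough to recover what a shortcut runs; the ExtraData blocks that follow are ignored. Because the recovered arguments are the obfuscated batch text itself, match on structural signs (a relative path into System32\cmd.exe, %temp%, chained SET fragments) rather than on the literal name of the abused binary.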

Dissecting the Attack Chain

The ieuinit.inf file, disguised as a standard Windows INF, contains obfuscated strings and URLs, such as hxxp[://]wfshtl[.]com/abf2iawq, likely pointing to a command-and-control (C2) server or additional payloads.

Figure: Attack chain

This intricate process ultimately downloads a heavily obfuscated JavaScript (JS) file, confirmed via Magika analysis, which serves as the core More_Eggs backdoor.

Featuring anti-debugging mechanisms and server-side polymorphism as noted by Arctic Wolf Labs, this JS payload deploys a modular dropper to steal system information and establish persistent communication with C2 servers, often fetching additional scripts or DLLs to deepen the compromise.

Abusing a trusted, signed Windows binary such as ieuinit.exe as a living-off-the-land binary (LOLBin) further reduces the chance of detection, because the malicious activity is carried out by a component that endpoint controls are used to seeing.

For defenders, a few targeted checks go a long way: alert on ieuinit.exe executing from %temp% (or from any directory other than %windir%\system32), inspect ZIP attachments for LNK files and extract their embedded command lines before they reach users, and flag Microsoft Word being launched by cmd.exe or another script host rather than by the user. Each of these surfaces a More_Eggs infection before it escalates into a broader breach.
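The three checks above map directly onto process-creation telemetry. The rules below are an added example, not detection content from the report or from any vendor; the events they run over are constructed in a Sysmon-like shape (Image, ParentImage, CommandLine) and are not real telemetry from the sample, and the thresholds in the cmd.exe rule are assumptions to tune locally.

```python
"""Process-creation rules for the More_Eggs chain described in the article: ieuinit.exe
running outside System32, a fragmented cmd.exe line spawned from the shell (i.e. via a
shortcut), and Word being started by a script host rather than by the user."""
import json
import ntpath
import re

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def ieuinit_outside_system32(ev: dict) -> bool:
    """Strongest signal: the copy in %temp% runs from a path the real binary never uses."""
    return _base(ev["Image"]) == "ieuinit.exe" and _dir(ev["Image"]) not in SYSTEM_DIRS


def fragmented_cmd_from_explorer(ev: dict) -> bool:
    """Shortcut-launched cmd.exe assembling its payload from several SET fragments
    and touching %temp%. The thresholds are an assumption; tune them to your telemetry."""
    cl = ev.get("CommandLine", "").lower()
    return (_base(ev["Image"]) == "cmd.exe"
            and _base(ev.get("ParentImage", "")) == "explorer.exe"
            and len(re.findall(r"\bset\s+\w+=", cl)) >= 3
            and "%temp%" in cl)


def word_spawned_by_script_host(ev: dict) -> bool:
    """The decoy: WINWORD.EXE whose parent is cmd.exe or another script host."""
    return (_base(ev["Image"]) == "winword.exe"
            and _base(ev.get("ParentImage", "")) in SCRIPT_HOSTS)


RULES = {
    "ieuinit_outside_system32": ieuinit_outside_system32,
    "fragmented_cmd_from_explorer": fragmented_cmd_from_explorer,
    "word_spawned_by_script_host": word_spawned_by_script_host,
}


def detect(lines) -> list:
    """Run every rule over JSON process-creation events; return (rule, Image) hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["Image"]))
    return hits


# Constructed events in a Sysmon-like shape; not real telemetry from the sample.
SAMPLE_EVENTS = [
    r'{"Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"}',
    r'{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c set a=ieu&set b=init&set c=exe&copy %windir%\\system32\\%a%%b%.%c% %temp% & start winword & %temp%\\%a%%b%.%c% -basjestings"}',
    r'{"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "winword"}',
    r'{"Image": "C:\\Users\\hr\\AppData\\Local\\Temp\\ieuinit.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "ieuinit.exe -basjestings"}',
    r'{"Image": "C:\\Windows\\System32\\ieuinit.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "ieuinit.exe"}',
    r'{"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE C:\\Users\\hr\\Documents\\cv.docx"}',
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

Note what the constructed cmd.exe line shows: because the batch script builds the name from fragments, the string "ieuinit.exe" never appears in it, so a rule that greps the command line for the binary's name misses this stage. The ieuinit_outside_system32 rule keys on the Image path of the process that actually runs, which the obfuscation cannot hide; the other two rules are weaker, behavioural corroboration and should be tuned against baseline activity before alerting on them.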
