SYMBOLCOMMON_NAMEaka. SYNONYMS
js.more_eggs (Back to overview)

More_eggs

aka: SpicyOmelette, SKID

Actor(s): Cobalt, FIN6, VENOM SPIDER


More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:
- d&exec = download and execute PE file
- gtfo = delete files/startup entries and terminate
- more_eggs = download additional/new scripts
- more_onion = run new script and terminate current script
- more_power = run command shell commands

References
2020-04-07SecurityIntelligenceOle Villadsen
@online{villadsen:20200407:itg08:b0b782d, author = {Ole Villadsen}, title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}}, date = {2020-04-07}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/}, language = {English}, urldate = {2020-04-13} } ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2019-08-29Security IntelligenceOle Villadsen, Kevin Henson, Melissa Frydrych, Joey Victorino
@online{villadsen:20190829:moreeggs:8ff7351, author = {Ole Villadsen and Kevin Henson and Melissa Frydrych and Joey Victorino}, title = {{More_eggs, Anyone? Threat Actor ITG08 Strikes Again}}, date = {2019-08-29}, organization = {Security Intelligence}, url = {https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/}, language = {English}, urldate = {2020-01-13} } More_eggs, Anyone? Threat Actor ITG08 Strikes Again
More_eggs FIN6
2019-06-04BitdefenderBitdefender
@techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike
2019-02-21ProofpointProofpoint Threat Insight Team
@online{team:20190221:fake:e94f77a, author = {Proofpoint Threat Insight Team}, title = {{Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers}}, date = {2019-02-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers}, language = {English}, urldate = {2019-12-20} } Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers
More_eggs
2018-10-17MITRE ATT&CKMITRE
@online{mitre:20181017:software:84822e8, author = {MITRE}, title = {{Software Description: More_eggs}}, date = {2018-10-17}, organization = {MITRE ATT&CK}, url = {https://attack.mitre.org/software/S0284/}, language = {English}, urldate = {2020-01-10} } Software Description: More_eggs
More_eggs
2018-10-08MorphisecMichael Gorelik
@online{gorelik:20181008:cobalt:dece0e0, author = {Michael Gorelik}, title = {{Cobalt Group 2.0}}, date = {2018-10-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/cobalt-gang-2.0}, language = {English}, urldate = {2020-01-05} } Cobalt Group 2.0
More_eggs
2018-09-27SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20180927:cybercriminals:a7f1c24, author = {Counter Threat Unit ResearchTeam}, title = {{Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish}}, date = {2018-09-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish}, language = {English}, urldate = {2020-01-08} } Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish
More_eggs Cobalt
2018-08-30NetScoutASERT Team
@online{team:20180830:double:e5d9e22, author = {ASERT Team}, title = {{Double the Infection, Double the Fun}}, date = {2018-08-30}, organization = {NetScout}, url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/}, language = {English}, urldate = {2020-01-08} } Double the Infection, Double the Fun
More_eggs CobInt
2018-07-31Cisco TalosVanja Svajcer
@online{svajcer:20180731:multiple:15a3457, author = {Vanja Svajcer}, title = {{Multiple Cobalt Personality Disorder}}, date = {2018-07-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html}, language = {English}, urldate = {2019-12-15} } Multiple Cobalt Personality Disorder
More_eggs
2018-03-02ReaqtaReaqta
@online{reaqta:20180302:spearphishing:3d933a4, author = {Reaqta}, title = {{Spear-phishing campaign leveraging on MSXSL}}, date = {2018-03-02}, organization = {Reaqta}, url = {https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/}, language = {English}, urldate = {2020-01-08} } Spear-phishing campaign leveraging on MSXSL
More_eggs
2017-11-20Trend MicroRonnie Giagone, Lenart Bermejo, Fyodor Yarochkin
@online{giagone:20171120:cobalt:fb5c2ed, author = {Ronnie Giagone and Lenart Bermejo and Fyodor Yarochkin}, title = {{Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks}}, date = {2017-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/}, language = {English}, urldate = {2019-10-29} } Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks
More_eggs Cobalt
2017-08-07Trend MicroLenart Bermejo, Ronnie Giagone, Rubio Wu, Fyodor Yarochkin
@online{bermejo:20170807:backdoorcarrying:317ebe3, author = {Lenart Bermejo and Ronnie Giagone and Rubio Wu and Fyodor Yarochkin}, title = {{Backdoor-carrying Emails Set Sights on Russian-speaking Businesses}}, date = {2017-08-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/}, language = {English}, urldate = {2020-01-09} } Backdoor-carrying Emails Set Sights on Russian-speaking Businesses
More_eggs

There is no Yara-Signature yet.