More_eggs
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| SKID | (Citation: Crowdstrike GTR2020 Mar 2020) |
| Terra Loader | (Citation: Security Intelligence More Eggs Aug 2019)(Citation: Visa FIN6 Feb 2019) |
| SpicyOmelette | (Citation: Security Intelligence More Eggs Aug 2019) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
More_eggs uses HTTPS for C2.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
More_eggs has used cmd.exe for execution.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: ESET EvilNum July 2020) |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
More_eggs has used basE91 encoding, along with encryption, for C2 communication.(Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
More_eggs has used an RC4-based encryption method for its C2 communications.(Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
More_eggs can remove itself from a system.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
More_eggs can obtain information on installed anti-malware programs.(Citation: Talos Cobalt Group July 2018) |
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.(Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1218 | .010 | System Binary Proxy Execution: Regsvr32 |
More_eggs has used regsvr32.exe to execute the malicious DLL.(Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1016 | .001 | System Network Configuration Discovery: Internet Connection Discovery |
More_eggs has used HTTP GET requests to check internet connectivity.(Citation: Security Intelligence More Eggs Aug 2019) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0120 | Evilnum |
(Citation: ESET EvilNum July 2020) |
| G0037 | FIN6 |
(Citation: Security Intelligence More Eggs Aug 2019) (Citation: Visa FIN6 Feb 2019) |
| G0080 | Cobalt Group |
(Citation: Talos Cobalt Group July 2018) (Citation: Crowdstrike GTR2020 Mar 2020) |
References
- Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
- Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.