Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

More_eggs

More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. (Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)
ID: S0284
Associated Software: SKID SpicyOmelette Terra Loader
Type: MALWARE
Platforms: Windows
Version: 3.1
Created: 17 Oct 2018
Last Modified: 11 Apr 2024

Associated Software Descriptions

Name Description
SKID (Citation: Crowdstrike GTR2020 Mar 2020)
SpicyOmelette (Citation: Security Intelligence More Eggs Aug 2019)
Terra Loader (Citation: Security Intelligence More Eggs Aug 2019)(Citation: Visa FIN6 Feb 2019)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

More_eggs uses HTTPS for C2.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

More_eggs has used cmd.exe for execution.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: ESET EvilNum July 2020)

Enterprise T1132 .001 Data Encoding: Standard Encoding

More_eggs has used basE91 encoding, along with encryption, for C2 communication.(Citation: Security Intelligence More Eggs Aug 2019)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

More_eggs has used an RC4-based encryption method for its C2 communications.(Citation: Security Intelligence More Eggs Aug 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

More_eggs can remove itself from a system.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.(Citation: ESET EvilNum July 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

More_eggs can obtain information on installed anti-malware programs.(Citation: Talos Cobalt Group July 2018)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.(Citation: Security Intelligence More Eggs Aug 2019)

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

More_eggs has used regsvr32.exe to execute the malicious DLL.(Citation: Security Intelligence More Eggs Aug 2019)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

More_eggs has used HTTP GET requests to check internet connectivity.(Citation: Security Intelligence More Eggs Aug 2019)

Groups That Use This Software

ID Name References
G0120 Evilnum

(Citation: ESET EvilNum July 2020)

G0037 FIN6

(Citation: Security Intelligence More Eggs Aug 2019) (Citation: Visa FIN6 Feb 2019)

G0080 Cobalt Group

(Citation: Talos Cobalt Group July 2018) (Citation: Crowdstrike GTR2020 Mar 2020)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.