Keypoints
- Spear‑phishing social engineering led a recruiter to download John Cboins.zip which contained John Cboins.lnk that executed obfuscated commands.
- Execution chain: LNK → deobfuscated cmd commands → ie4uinit.exe copied outside %windir% and run with -basesettings via WMIC → ieuinit.inf/SCT content fetched over HTTP → regsvr32.exe executes 38804.dll → 38804.dll drops the more_eggs launcher and backdoor, which run via msxsl.exe.
- Persistence was achieved by creating a UserInitMprLogonScript registry value to run the more_eggs launcher at user logon.
- more_eggs is a JScript backdoor associated with the Golden Chickens toolkit and linked to financially motivated actors like FIN6.
- Trend Micro Vision One provided process‑chain visibility, enabled creation of custom Filters/Models, and was used to isolate the infected endpoint.
- A Security Playbook was built using a custom detection model (ie4uinit.exe outside %windir% and external ieuinit.inf) to automate blocking, file collection, sandbox submission, process termination, and endpoint isolation.
MITRE Techniques
- [T1566] Phishing – Initial access via spear‑phishing: [‘A sophisticated spear‑phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume’]
- [T1204.002] User Execution: Malicious File – LNK executed by user double‑click: [‘The LNK file contains obfuscated commands, which are passed as parameters to cmd.exe’]
- [T1027] Obfuscated Files or Information – Use of obfuscation in LNK and command construction: [‘obfuscated command that utilizes string substitution’]
- [T1037.001] Boot or Logon Initialization Scripts: Logon Script (Windows) – Persistence via the UserInitMprLogonScript value under HKCU\Environment (a logon script, not a Run key, so T1547.001 does not apply): [‘The registry value UserInitMprLogonScript is used to run the more_eggs launcher … when the user logs on to the system’]
- [T1218] System Binary Proxy Execution – Abuse of signed Windows binaries (LOLBins) to load and run payloads: regsvr32.exe (T1218.010) and ie4uinit.exe copied out of %windir% and run via WMIC; msxsl.exe running the JScript backdoor maps to XSL Script Processing (T1220): [‘results in the download and execution of the malicious 38804.dll via regsvr32.exe’ / ‘executes this with a -basesettings switch via the WMI Command-Line (WMIC) Utility’]
- [T1047] Windows Management Instrumentation – WMI used for execution and discovery: [‘by executing the following commands via WMI’]
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over HTTPS using the MSXML IServerXMLHTTPRequest2 interface: [‘it communicates with its command-and-control (C&C) server (hxxps://webmail.raysilkman[.]com) via the IServerXMLHTTPRequest2 interface’]
- [T1059.005] Command and Scripting Interpreter: JavaScript/JScript – more_eggs is a JScript backdoor and executes JScript payloads: [‘More_eggs is a JScript backdoor’]
- [T1041] Exfiltration Over C2 Channel – Potential data exfiltration via the more_eggs backdoor: [‘Potential data exfiltration through the more_eggs backdoor.’]
Indicators of Compromise
- [SHA‑256 hashes] Malware/sample artifacts – 5131dbacb92fce5a59ac92893fa059c16cf8293e9abc26f2a61f9edd (John Cboins.zip), 624afe730923440468cae991383dd1f7be1dadf65fa4cb2b21e3e5a9 (John Cboins.lnk), and several other hashes.
- [URLs] Download and C2 infrastructure – hxxps://1212055764.johncboins[.]com/… (download link for John Cboins.zip), hxxp://36hbhv.johncboins[.]com/fjkabrhhg (ieuinit.inf/SCT), hxxps://webmail.raysilkman[.]com (C2 server).
- [Email address] Phishing source – fayereed11@gmail[.]com (origin of spear‑phishing email).
- [Registry] Persistence entry – HKCU\Environment\UserInitMprLogonScript set to run cscripT -e:jsCript "%APPDATA%\Microsoft\D30F38D93CA9185.txt".
- [File paths / filenames] Dropped/executed files – C:\Users\<username>\AppData\Roaming\Adobe\38804.dll (malicious DLL dropped by infection), C:\Users\<username>\AppData\Roaming\Microsoft\D30F38D93CA9185.txt (more_eggs launcher), 765BBCA08C0E9CB6.txt (more_eggs backdoor, dropped by 38804.dll), John Cboins.lnk (initial LNK).
Trend Micro MDR investigated a spear‑phishing incident in which a recruiter downloaded John Cboins.zip, opened the John Cboins.lnk it contained, and thereby ran the obfuscated cmd.exe commands embedded in the shortcut. Those commands wrote an ieuinit.inf to a directory outside %windir%, copied ie4uinit.exe out of the Windows directory alongside it, and launched the copy with -basesettings via WMIC so that it would consume the attacker's INF instead of the legitimate one. The INF/SCT content was retrieved from hxxp://36hbhv.johncboins[.]com/fjkabrhhg, and the scriptlet fetched the next stage, which regsvr32.exe executed as 38804.dll. That DLL dropped the more_eggs launcher (D30F38D93CA9185.txt), the more_eggs backdoor (765BBCA08C0E9CB6.txt), and a copy of msxsl.exe, which then executed the JScript backdoor.
The more_eggs backdoor performs environment and system discovery via WMI (process listings, network adapters, version checks, and periodic typeperf queries) and communicates with its C2 using MSXML IServerXMLHTTPRequest2 to hxxps://webmail.raysilkman[.]com. Persistence was established by writing a UserInitMprLogonScript registry value to run the launcher at user logon, and defense evasion included obfuscation, use of LOLBins (regsvr32.exe, msxsl.exe, WMIC, ie4uinit.exe), and loading components from external URLs.
Using Vision One, MDR created custom Filters detecting ie4uinit.exe copied outside %windir% and suspicious ieuinit.inf files, grouped those Filters into a Custom Model, and used that Model as the Playbook target. The automated Playbook actions included adding objects to blocklists, collecting and submitting files/URLs to sandbox analysis, terminating processes, and isolating endpoints; in testing the playbook completed in 9 minutes 30 seconds and successfully executed all actions, and MDR used endpoint isolation and IOC blocking to contain the live infection.
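The two filter conditions behind the custom Model (ie4uinit.exe executing from outside %windir%, and an ieuinit.inf written outside %windir%) and the UserInitMprLogonScript persistence write from the earlier section can be expressed as plain detection rules. The block below is an added example, not Vision One filter syntax or Trend Micro's code: it evaluates those three rules over constructed, Sysmon-like event records and groups hits per host the way the Model is used as a playbook target. Hostnames, usernames, event IDs and the record shape are assumptions for the demo.

```python
"""Detection rules for the ie4uinit/ieuinit.inf and UserInitMprLogonScript
telemetry (added example; SAMPLE_EVENTS are constructed, not real logs)."""
import ntpath

WINDIR = r"C:\Windows"


def under_windir(path):
    """Case-insensitive check that path lies below %windir%. The trailing
    separator matters: C:\\WindowsOld\\... must not count as inside."""
    norm = ntpath.normpath(path).lower()
    root = ntpath.normpath(WINDIR).lower()
    return norm == root or norm.startswith(root + "\\")


def filter_ie4uinit_outside_windir(ev):
    # Filter 1 of the Model: the signed binary running from a copied location
    return (ev["type"] == "process"
            and ntpath.basename(ev["image"]).lower() == "ie4uinit.exe"
            and not under_windir(ev["image"]))


def filter_external_ieuinit_inf(ev):
    # Filter 2 of the Model: the INF that ie4uinit.exe -basesettings consumes
    return (ev["type"] == "file"
            and ntpath.basename(ev["path"]).lower() == "ieuinit.inf"
            and not under_windir(ev["path"]))


def filter_logon_script_persistence(ev):
    # Persistence: HKCU\Environment\UserInitMprLogonScript being set
    return (ev["type"] == "registry"
            and ev["key"].lower().endswith("\\environment")
            and ev["value"].lower() == "userinitmprlogonscript")


FILTERS = {
    "ie4uinit_outside_windir": filter_ie4uinit_outside_windir,
    "external_ieuinit_inf": filter_external_ieuinit_inf,
    "userinitmprlogonscript_set": filter_logon_script_persistence,
}


def evaluate_model(events):
    """Return {host: {rule_name: [event ids]}}; any host present is a Model match."""
    hits = {}
    for ev in events:
        for name, rule in FILTERS.items():
            if rule(ev):
                hits.setdefault(ev["host"], {}).setdefault(name, []).append(ev["id"])
    return hits


# Constructed telemetry: two benign hosts-worth of noise plus the infected one.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS02", "type": "process",
     "image": r"C:\Windows\System32\ie4uinit.exe", "cmdline": "ie4uinit.exe -basesettings"},
    {"id": 2, "host": "WS02", "type": "file", "path": r"C:\Windows\System32\ieuinit.inf"},
    {"id": 3, "host": "WS01", "type": "file",
     "path": r"C:\Users\recruiter\AppData\Roaming\Adobe\ieuinit.inf"},
    {"id": 4, "host": "WS01", "type": "process",
     "image": r"C:\Users\recruiter\AppData\Roaming\Adobe\ie4uinit.exe",
     "cmdline": "ie4uinit.exe -basesettings"},
    {"id": 5, "host": "WS01", "type": "registry", "key": r"HKCU\Environment",
     "value": "UserInitMprLogonScript",
     "data": r'cscripT -e:jsCript "%APPDATA%\Microsoft\D30F38D93CA9185.txt"'},
    {"id": 6, "host": "WS02", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"id": 7, "host": "WS03", "type": "process",
     "image": r"C:\WindowsOld\ie4uinit.exe", "cmdline": "ie4uinit.exe -basesettings"},
]

if __name__ == "__main__":
    for host, rules in evaluate_model(SAMPLE_EVENTS).items():
        print(host, rules)
```

Event 1 and 2 (the genuine System32 copies) stay silent, WS01 trips all three rules, and WS03 shows why the %windir% check must compare against `C:\Windows\` with its separator rather than a bare prefix. A host in the result is the equivalent of a Model match, i.e. what the playbook's blocklist, sandbox, kill and isolate actions would fire on.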