{"id":57251,"date":"2024-09-30T00:00:00","date_gmt":"2024-09-30T00:00:00","guid":{"rendered":"urn:uuid:9bfb3796-2ba1-56df-f461-fd61c7b35372"},"modified":"2024-09-30T00:00:00","modified_gmt":"2024-09-30T00:00:00","slug":"mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/","title":{"rendered":"MDR in Action: Preventing The More_eggs Backdoor From Hatching"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"phishing,malware,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-09-30\"> <meta property=\"article:tag\" content=\"malware\"> <meta property=\"article:section\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/mdr-in-action--preventing-the-moreeggs-backdoor-from-hatching--.html\"> <title>MDR in Action: Preventing The More_eggs Backdoor From Hatching | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" 
href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/mdr-in-action--preventing-the-moreeggs-backdoor-from-hatching--.html\"><br \/>\n<meta property=\"og:title\" content=\"MDR in Action: Preventing The More_eggs Backdoor From Hatching \"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/MDR_More_eggs_Backdoor-Thumbnail.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"MDR in Action: Preventing The More_eggs Backdoor From Hatching \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/MDR_More_eggs_Backdoor-Thumbnail.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.509194842026\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"896037921\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 
col-md-12\" readability=\"9.7911832946636\">\n<div class=\"article-details\" role=\"heading\" readability=\"39.164733178654\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">Trend Micro MDR (Managed Detection and Response) team promptly mitigated a more_eggs infection. Using Vision One, MDR illustrated how Custom Filters\/Models and Security Playbook can be used to automate the response to more_eggs and similar threats.<\/p>\n<p class=\"article-details__author-by\">By: Ryan Soliven, Maria Emreen Viray, Fe Cureg <time class=\"article-details__date\">September 30, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"35.624511082138\">\n<div readability=\"16.822685788787\">\n<h4>Summary&nbsp;<\/h4>\n<ul>\n<li>&nbsp;<\/li>\n<li><span class=\"rte-red-bullet\">A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs 
backdoor infection.&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Trend Micro MDR (Managed Detection and Response) team leveraged the Vision One platform to isolate the infected endpoint and block the corresponding IOCs, effectively containing the infection.&nbsp;&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">It was demonstrated that custom Filters\/Models tailored to detect the threat can be created on Vision One. These models can then be fed to a Security Playbook to automate response to an alert.&nbsp;&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Our analysis revealed that this incident is associated with recent campaigns that have been launched leveraging the more_eggs malware, which is part of the Golden Chickens toolkit.&nbsp;<\/span><\/li>\n<\/ul>\n<p>&nbsp;A customer\u2019s talent search led to their recruitment officer downloading a fake resume and inadvertently executing a malicious .LNK file, resulting in a more_eggs infection (Figure 1). More_eggs is a JScript backdoor that belongs to the Golden Chickens malware-as-a-service (MaaS) toolkit. It\u2019s known to be used by financially motivated threat actors such as <a href=\"https:\/\/attack.mitre.org\/groups\/G0037\/\" target=\"_blank\" rel=\"noopener\">FIN6<\/a> and the <a href=\"https:\/\/attack.mitre.org\/groups\/G0080\/\" target=\"_blank\" rel=\"noopener\">Cobalt Group<\/a> to target financial and retail institutions. 
It communicates with a fixed command-and-control (C&amp;C) server to download and execute additional payloads, such as an infostealer or ransomware.&nbsp;<\/p>\n<p>Using the Vision One platform, Trend Micro MDR (Managed Detection and Response) team quickly identified and contained the threat, preventing potential data exfiltration or encryption.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"fcd63e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig1.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig1.png\" alt=\"Figure 1. Infection diagram \"> <\/a> <\/p>\n<p><figcaption>Figure 1. Infection diagram <\/figcaption><\/p>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<h4>Technical details&nbsp;<\/h4>\n<h5><b>Initial access&nbsp;<\/b><\/h5>\n<p>A spear-phishing email was initially sent to a senior executive at the company, allegedly from \u201cJohn Cboins\u201d using a Gmail address (Figure 2). The email contained no attachments or URLs, so attachment- and URL-based email filtering had nothing to act on. Further investigation revealed that a reply had been sent to the email, but there were no notable events chaining from it. 
At this point, we suspect that the threat actor was attempting to gain the user&#8217;s confidence.&nbsp;<\/p>\n<p>Figure 2 was obtained from the customer&#8217;s Vision One instance using the following:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Search method:&nbsp;Email and Collaboration Activity data&nbsp;<\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Search query:&nbsp;*John Cboins*&nbsp;<\/b><\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"2fd840\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig2.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig2-2.PNG\" alt=\"Figure 2. Spear-phishing email \"> <\/a> <\/p>\n<p><figcaption>Figure 2. Spear-phishing email <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>Shortly after, a recruitment officer downloaded a supposed resume, John Cboins.zip, from a URL using Google Chrome (Figure 3). It was not determined where this user obtained the URL. 
However, it was clear from both users\u2019 activities that they were looking for an inside sales engineer.&nbsp;<\/p>\n<p>Figure 3 was obtained from the customer&#8217;s Vision One instance using the following:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Search method: Endpoint Activity data&nbsp;&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Search query: eventSubId: 603 AND *John Cboins*&nbsp;<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"e28137\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig3.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig3.jpg\" alt=\"Figure 3. Fake resume\"> <\/a> <\/p>\n<p><figcaption>Figure 3. Fake resume<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The URL was still accessible during the time of our analysis. It appears to be a typical website of a job applicant (Figure 4) that even utilizes a CAPTCHA test (Figure 5). 
At first glance, there seems to be nothing suspicious about the website, which could easily deceive an unsuspecting recruitment officer.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"c2e6ea\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig4.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig4.png\" alt=\"Figure 4. Personal website of a fictitious \u201cJohn Cboins\u201d \"> <\/a> <\/p>\n<p><figcaption>Figure 4. Personal website of a fictitious \u201cJohn Cboins\u201d <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"1194ee\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig5.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig5.png\" alt=\"Figure 5. Usage of CAPTCHA \"> <\/a> <\/p>\n<p><figcaption>Figure 5. 
Usage of CAPTCHA <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<h5><b>Execution&nbsp;<\/b><\/h5>\n<p>Inside the ZIP file is John Cboins.lnk and 6.jpeg, as shown in Figure 6.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"2f8866\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig6.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig6.png\" alt=\"Figure 6. Contents of John Cboins.zip \"> <\/a> <\/p>\n<p><figcaption>Figure 6. Contents of John Cboins.zip <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The LNK file contains obfuscated commands, which are passed as parameters to cmd.exe (Figure 7). These obfuscated commands are executed when the user double-clicks on the LNK file.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"246b05\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig7.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig7.png\" alt=\"Figure 7. John Cboins.lnk containing obfuscated commands \"> <\/a> <\/p>\n<p><figcaption>Figure 7. 
John Cboins.lnk containing obfuscated commands <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.100397614314\">\n<div readability=\"14.918489065606\">\n<h5><b>Defense evasion&nbsp;<\/b><\/h5>\n<p>Once deobfuscated, its behavior becomes apparent, as shown in Figure 8: It creates ieuinit.inf outside %windir% (Figure 9), which contains the location of a script component (SCT) file, hxxp:\/\/36hbhv.johncboins[.]com\/fjkabrhhg. It also copies ie4uinit.exe, the IE Per-User Initialization Utility, outside %windir% and executes this with a -basesettings switch via the WMI Command-Line (WMIC) Utility. The copy matters because ie4uinit.exe reads ieuinit.inf from its own directory: running a copy from a user-writable location lets the attacker supply the INF, and with it the remote SCT, that this signed Microsoft binary will fetch and execute. The usage of this LOLBin has been previously <a href=\"https:\/\/bohops.com\/2018\/03\/10\/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2\/\" target=\"_blank\" rel=\"noopener\">documented by security researchers<\/a>.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"cb140d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig8.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig8.png\" alt=\"Figure 8. Deobfuscated command \"> <\/a> <\/p>\n<p><figcaption>Figure 8. 
Deobfuscated command <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"cee45e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig9.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig9.png\" alt=\"Figure 9. ieuinit.inf \"> <\/a> <\/p>\n<p><figcaption>Figure 9. ieuinit.inf <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"26.179054054054\">\n<div readability=\"6.6486486486486\">\n<p>The resulting process chain that originates from the execution of John Cboins.lnk can be clearly seen using <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Vision One\u2122<\/a> (Figure 10).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"c80dcc\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig10.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig10.jpg\" alt=\"Figure 10. Resulting process chain originating from the execution of John Cboins.lnk \"> <\/a> <\/p>\n<p><figcaption>Figure 10. 
Resulting process chain originating from the execution of John Cboins.lnk <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Execution of the SCT code from hxxp:\/\/36hbhv.johncboins[.]com\/fjkabrhhg results in the download and execution of the malicious 38804.dll via regsvr32.exe, the Microsoft Register Server (Figure 11).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"d14002\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig11.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig11.png\" alt=\"Figure 11. Execution of the SCT code from Vision One AMSI telemetry data \"> <\/a> <\/p>\n<p><figcaption>Figure 11. Execution of the SCT code from Vision One AMSI telemetry data <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>This DLL file is responsible for dropping the more_eggs launcher (D30F38D93CA9185.txt) and the more_eggs backdoor (765BBCA08C0E9CB6.txt), shown below in Figure 12. 
It also drops msxsl.exe, a legitimate binary known as Microsoft\u2019s Command Line Transformation Utility, which is used to execute the more_eggs backdoor (Figure 13).&nbsp;<\/p>\n<p>Figure 12 was obtained from the customer&#8217;s Vision One instance using the following:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Search method: Endpoint Activity data&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Search query: eventSubId:101 AND&nbsp; processCmd:*38804.dll*&nbsp;<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"7\">\n<figure class=\"image-figure\" readability=\"4\"> <a id=\"b7a390\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig12.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig12.jpg\" alt=\"Figure 12. Creation of D30F38D93CA9185.txt, 765BBCA08C0E9CB6.txt, and msxsl.exe by 38804.dll \"> <\/a> <\/p>\n<p><figcaption>Figure 12. 
Creation of D30F38D93CA9185.txt, 765BBCA08C0E9CB6.txt, and msxsl.exe by 38804.dll <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>Figure 13 was obtained from the customer&#8217;s Vision One instance using the following:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Search method: Endpoint Activity data&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Search query: eventSubId: 2 AND (processCmd:*msxsl.exe* OR objectCmd:*msxsl.exe*)&nbsp;<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"e3c4c8\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig13.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig13.jpg\" alt=\"Figure 13. Execution of 765BBCA08C0E9CB6.txt by msxsl.exe \"> <\/a> <\/p>\n<p><figcaption>Figure 13. Execution of 765BBCA08C0E9CB6.txt by msxsl.exe <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<h5><b>Persistence&nbsp;<\/b><\/h5>\n<p>The DLL file also creates a persistence entry under HKCU\\Environment, as shown in Figure 14. The registry value UserInitMprLogonScript is used to run the more_eggs launcher (D30F38D93CA9185.txt) using cscript.exe, the Microsoft Console Based Script Host, when the user logs on to the system (Figure 15). This is a legacy feature of Windows, particularly in Active Directory environments, that allows administrators to define a logon script that runs when a user session starts (MITRE ATT&amp;CK T1037.001, Logon Script (Windows)). Because the value lives under HKCU, no administrative privileges are needed to set it, so a write to this value is worth alerting on in its own right. 
This behavior can also be clearly seen using Vision One (Figure 16).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"772c9b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig14.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig14.png\" alt=\"Figure 14. Creation of registry persistence \"> <\/a> <\/p>\n<p><figcaption>Figure 14. Creation of registry persistence <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <a id=\"911713\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig15.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig15.png\" alt=\"Figure 15. The more_eggs launcher, D30F38D93CA9185.txt \"> <\/a> <\/p>\n<p><figcaption>Figure 15. 
The more_eggs launcher, D30F38D93CA9185.txt <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"62b35f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig16.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig16.jpg\" alt=\"Figure 16. Resulting process chain originating from the execution of 38804.dll \"> <\/a> <\/p>\n<p><figcaption>Figure 16. Resulting process chain originating from the execution of 38804.dll <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<h5><b>Discovery&nbsp;<\/b><\/h5>\n<p>The more_eggs backdoor (765BBCA08C0E9CB6.txt) initially checks its environment to determine if it is running with admin or user privileges. It also checks whether proper components are installed by querying the entities shown in Figure 17.&nbsp;&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"bd18de\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig17.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig17.jpg\" alt=\"Figure 17. Initial environment check \"> <\/a> <\/p>\n<p><figcaption>Figure 17. 
Initial environment check <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>It also performs a system awareness check (Figure 18) by executing the following commands via WMI:&nbsp;<span><\/span><\/p>\n<ul readability=\"0.5\">\n<li><span class=\"rte-red-bullet\">Queries the version of notepad.exe&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Returns a list of IP addresses for enabled network adapters on the system&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Retrieves a list of all running processes on the system&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Retrieves the default startup configuration for processes&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Retrieves information about the processes&nbsp;<\/span><\/li>\n<li readability=\"4\">\n<p>Executes a performance monitoring command using typeperf.exe, a command line performance monitor, that checks how many processes are waiting for CPU time every 120 seconds, capturing it once. The 120-second interval is most likely used for defense evasion: typeperf blocks until that single sample is taken, so the command acts as a two-minute delay without calling a sleep API, which can outlast the execution window of automated sandboxes.&nbsp;<\/p>\n<\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"13ac39\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig18.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig18.jpg\" alt=\"Figure 18. System awareness check \"> <\/a> <\/p>\n<p><figcaption>Figure 18. 
System awareness check <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<h5><b>Command and control&nbsp;<\/b><\/h5>\n<p>Afterwards, it communicates with its command-and-control (C&amp;C) server (hxxps:\/\/webmail.raysilkman[.]com) via the IServerXMLHTTPRequest2 interface provided by the Microsoft XML (MSXML) library, shown in Figures 19 and 20.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"863e10\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig19.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig19.jpg\" alt=\"Figure 19. C&amp;C communication via IServerXMLHTTPRequest2 \"> <\/a> <\/p>\n<p><figcaption>Figure 19. C&amp;C communication via IServerXMLHTTPRequest2 <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"83e0ed\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig20.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig20.jpg\" alt=\"Figure 20. C&amp;C communication originating from msxsl.exe \"> <\/a> <\/p>\n<p><figcaption>Figure 20. 
C&amp;C communication originating from msxsl.exe <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"30.48275862069\">\n<div readability=\"9.3793103448276\">\n<p>Trend MDR quickly responded by isolating the infected host through Vision One <a href=\"https:\/\/docs.trendmicro.com\/en-us\/documentation\/article\/trend-vision-one-isolate-network-endpoints\" target=\"_blank\" rel=\"noopener\">Endpoint Isolation<\/a> (Figure 21). An isolated endpoint will have all its ports blocked, except for the ports that it uses to communicate with Vision One. This is a quick and effective way to contain an infection.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"b04b61\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig21.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig21.jpg\" alt=\"Figure 21. Vision One Endpoint Isolation \"> <\/a> <\/p>\n<p><figcaption>Figure 21. 
Vision One Endpoint Isolation <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Additionally, some of the indicators that were initially observed were blocked, thereby protecting other endpoints without waiting for an official solution \u2013 such as an anti-malware pattern \u2013 to be released (Figure 22).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"c36958\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig22.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig22.jpg\" alt=\"Figure 22. Response actions\"> <\/a> <\/p>\n<p><figcaption>Figure 22. Response actions<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"43.094048493755\">\n<div readability=\"32.925789860397\">\n<h4>Campaigns&nbsp;<\/h4>\n<p>More_eggs has been observed in attacks as early as 2017. Trend Micro\u2019s <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/17\/h\/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html\" target=\"_blank\" rel=\"noopener\">research<\/a> details its use against Russian businesses, including financial institutions and mining firms. 
These attacks typically involved phishing schemes with malicious documents (.doc, .xls) that contained JavaScript and PowerShell scripts.&nbsp;&nbsp;<\/p>\n<p>In 2019, IBM X-Force IRIS also <a href=\"https:\/\/securityintelligence.com\/posts\/more_eggs-anyone-threat-actor-itg08-strikes-again\/\" target=\"_blank\" rel=\"noopener\">reported<\/a> on more_eggs targeting multinational organizations, where attackers used LinkedIn and email to lure employees with fake job offers, leading them to malicious domains. These domains hosted ZIP files containing a Windows Script File (WSF) that triggered the infection.&nbsp;<\/p>\n<p>A 2023 <a href=\"https:\/\/www.securonix.com\/blog\/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite\/\" target=\"_blank\" rel=\"noopener\">report<\/a> by Securonix Threat Research found more_eggs targeting individuals in the financial sector. Phishing emails led victims to download ZIP files disguised as images, initiating the infection. As recently as June 2024, eSentire\u2019s Threat Response Unit <a href=\"https:\/\/www.esentire.com\/blog\/more-eggs-activity-persists-via-fake-job-applicant-lures\" target=\"_blank\" rel=\"noopener\">reported<\/a> that attackers were posing as job applicants on LinkedIn, leading recruiters to a fake resume site where a malicious LNK file was downloaded and caused an infection.&nbsp;<\/p>\n<p>The attack described in this blog entry also appears to be part of a campaign using the more_eggs malware, which is part of the Golden Chickens toolkit. 
The toolkit is distributed by Venom Spider, an underground malware-as-a-service (MaaS) provider also known as <a href=\"https:\/\/www.esentire.com\/web-native-pages\/unmasking-venom-spider\" target=\"_blank\" rel=\"noopener\">badbullzvenom<\/a>.&nbsp;&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<h5><b>Campaign variations&nbsp;<\/b><\/h5>\n<p>Submissions to VirusTotal between August 1 and September 10 of LNK files with similar behavior suggest that there could be a recent or ongoing campaign leveraging the Golden Chickens suite. Based on these VirusTotal samples, we can see two variations of this campaign (Figure 23). The case detailed earlier in this blog entry appears to be related to Campaign 2. Based on published reports, however, both campaigns rely on social engineering tactics.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"badce3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig23.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig23.png\" alt=\"Figure 23. Similar LNK submissions \"> <\/a> <\/p>\n<p><figcaption>Figure 23. Similar LNK submissions <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\">\n<div>\n<p><b>Campaign 1&nbsp;<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">LNK file naming: Typically named after a screenshot or document, though names may vary (Figure 24).&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Obfuscation method: Uses string substitution for obfuscation (Figure 25). 
This method builds complex commands by substituting parts of the command with predefined variables.&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Additional scripts: Includes other scripts such as PS1, VBS, and the like in the attack chain.&nbsp;<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"f2db9a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig24.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig24.png\" alt=\"Figure 24. LNK file naming disguised as screenshot or document \"> <\/a> <\/p>\n<p><figcaption>Figure 24. LNK file naming disguised as screenshot or document <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"23adc9\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig25.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig25.png\" alt=\"Figure 25. Obfuscated command that utilizes string substitution \"> <\/a> <\/p>\n<p><figcaption>Figure 25. Obfuscated command that utilizes string substitution <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Another identified victim belongs to the hospitality industry. 
In this case, the attack involved an ActiveX Control file C:\\Users\\&lt;user&gt;\\AppData\\Roaming\\64221.ocx, and appears related to Campaign 1.&nbsp;&nbsp;<\/p>\n<p><b>Campaign 2&nbsp;<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">LNK file naming: Named after a person (Figure 26).&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Obfuscation method: Utilizes variable substitution for obfuscation (Figure 27). This method replaces placeholders with specific values to form the final command.&nbsp;&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Additional scripts: Does not use PS1, VBS, and the like in the infection chain.&nbsp;<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"823364\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig26.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig26.png\" alt=\"Figure 26. LNK File naming named after a name of a person \"> <\/a> <\/p>\n<p><figcaption>Figure 26. 
LNK File naming named after a name of a person <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"80ad53\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig27.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig27.png\" alt=\"Figure 27. Obfuscated command that utilizes variable substitution \"> <\/a> <\/p>\n<p><figcaption>Figure 27. Obfuscated command that utilizes variable substitution <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"39.786982248521\">\n<div readability=\"26.201183431953\">\n<h4>Victimology&nbsp;<\/h4>\n<p>The targeted industries vary, but there appears to be a common thread: the victims are often connected to financial resources or are in roles that attackers could leverage to identify valuable assets and have higher potential for financial gain.&nbsp; For example, the Securonix <a href=\"https:\/\/www.securonix.com\/blog\/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite\/\" target=\"_blank\" rel=\"noopener\">report<\/a> from last year that resembles Campaign 1 targeted individuals related to the financial sector, while reports from <a href=\"https:\/\/securityintelligence.com\/posts\/more_eggs-anyone-threat-actor-itg08-strikes-again\/\" target=\"_blank\" rel=\"noopener\">IBM X-Force IRIS<\/a> and <a href=\"http:\/\/esentire\/\" target=\"_blank\" rel=\"noopener\">eSentire<\/a> that appear to align with Campaign 2 targeted recruiters in multinational organizations.&nbsp;<\/p>\n<p>In our current case, the victim is from the engineering sector and 
works in a hiring role as a talent search lead, while the fake applicant targeted a sales engineer position, which suggests the attackers may aim for roles that could offer substantial financial benefits.&nbsp;&nbsp;<\/p>\n<p>In the other infection, which involved a victim in the hospitality industry and occurred a week after our case, the specific role of the victim is unclear, but both cases share similar C&amp;C infrastructure.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39\">\n<div readability=\"23\">\n<h4>Attribution&nbsp;<\/h4>\n<p>Attributing these attacks is challenging due to the nature of MaaS, which allows for the outsourcing of various attack components and infrastructure. This makes it difficult to pin down specific threat actors, as multiple groups can use the same toolkits and infrastructure provided by services like those offered by Golden Chickens.&nbsp;<\/p>\n<p>However, the tactics, techniques, and procedures (TTPs) we observe indicate that the first infection could be linked to FIN6, a threat group with a history of targeting financial institutions and a pattern of shifting tactics over time. Recent reports and analysis suggest that FIN6 has adapted its methods, moving from posing as fake recruiters to now masquerading as fake job applicants. While this connection is not definitive, the observed methods in the first infection align with patterns associated with FIN6.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.5\">\n<div readability=\"28\">\n<h4>Vision One Security Playbook&nbsp;<\/h4>\n<p>Though more_eggs is known malware that should be handled by traditional anti-malware solutions, threat actors are always coming up with creative ways to infect hosts. Due to many factors \u2013 including an organization\u2019s operational needs, human fallibility, and potential misconfigurations \u2013 there\u2019s always a risk of such an incident happening. 
For Trend Micro MDR customers, this should not be a problem as security experts are monitoring the network non-stop. But in cases where it may not be feasible to have a set of eyes watching the alerts round-the-clock, a solution is using a Vision One Security Playbook. This allows customers to automate a wide variety of actions, so they can spend less time manually responding to alerts and free up more time for other important matters.&nbsp;<\/p>\n<p>To create an Automated Response Playbook, the following elements are required:&nbsp;&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Trigger &#8211; Automatic or manual (executed from Workbench)&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Target &#8211; Detection Model (collection of rules that detects suspicious\/malicious behavior) or Highlighted Objects (SHA-1, URL, domain, IP address, host)&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Action &#8211; Add objects to block list, quarantine\/delete emails, collect files, submit files\/URLs to Sandbox Analysis, terminate process&nbsp;<\/span><\/li>\n<\/ul>\n<p>In this particular incident, the <b>Trigger<\/b> was configured as <b>Automatic or manual (Executed from Workbench)<\/b>. This means that Workbench alerts automatically trigger playbook execution while it can also be manually triggered. For the <b>Target<\/b>, since it\u2019s relatively easy for threat actors to modify their malware and toolsets, using Highlighted Objects is less effective. 
Instead, the following Detection Models triggered by the infection were used (Figure 28).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"5d21da\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig28.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig28.jpg\" alt=\"Figure 28. Detection Models triggered by the infection \"> <\/a> <\/p>\n<p><figcaption>Figure 28. Detection Models triggered by the infection <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p>Detection Models are triggered at the later stages of the malware\u2019s infection routine:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Logon Script in UserInitMprLogonScript Registry Entry &#8211; triggered by the creation of registry persistence&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">CScript Or JScript Set in Registry For Persistence &#8211; triggered by the creation of registry persistence&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">[Heuristic Attribute] Possible Boot or Logon Autostart Execution &#8211; triggered by the creation of registry persistence&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">[Heuristic Attribute] Possible Modify Registry Behavior &#8211; triggered by the creation of registry persistence&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Backdoor Data Collection via JScript &#8211; triggered by the execution of the more_eggs backdoor (765BBCA08C0E9CB6.txt) via msxsl.exe&nbsp;<\/span><\/li>\n<\/ul>\n<p>Ideally, it\u2019s better to use detection models 
that are triggered at the initial stages of the infection. In this case, there are none yet, so a <b>Custom Detection Model<\/b> was created. In the context of Vision One, a <b>Filter<\/b> contains criteria to detect suspicious\/malicious behavior; a <b>Rule<\/b> is a collection of Filters; and a Model is a collection of Rules. In some cases, a <b>Model<\/b> may contain a single Rule or Filter.&nbsp;&nbsp;<\/p>\n<p>Since the infection utilizes the LOLBin ie4uinit.exe to execute a specially crafted ieuinit.inf, the following criteria were used for the Custom Filters:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">[Custom Filter] ie4uinit.exe copied outside %windir% (Figure 29)&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">[Custom Filter] potentially malicious ieuinit.inf created outside %windir% (Figure 30)&nbsp;<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"5ce906\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig29.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig29.jpg\" alt=\"Figure 29. [Custom Filter] ie4uinit.exe copied outside %windir% \"> <\/a> <\/p>\n<p><figcaption>Figure 29. 
[Custom Filter] ie4uinit.exe copied outside %windir% <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"08d918\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig30.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig30.jpg\" alt=\"Figure 30. [Custom Filter] potentially malicious ieuinit.inf created outside %windir% \"> <\/a> <\/p>\n<p><figcaption>Figure 30. [Custom Filter] potentially malicious ieuinit.inf created outside %windir% <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>In turn, both Custom Filters were used as criteria for the Custom Model that\u2019s shown below in Figure 31.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"93fa5e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig31.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig31.jpg\" alt=\"Figure 31. [Custom Model] more_eggs | ie4uinit.exe and ieuinit.exe created outside %windir% \"> <\/a> <\/p>\n<p><figcaption>Figure 31. 
[Custom Model] more_eggs | ie4uinit.exe and ieuinit.exe created outside %windir% <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>This Custom Model was used as the <b>Target<\/b> for the Security Playbook (Figure 32). Should this model be triggered, a corresponding set of actions will be executed (Figure 33).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"fa2e5f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig32.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig32.jpg\" alt=\"Figure 32. Select custom model as target for Security Playbook \"> <\/a> <\/p>\n<p><figcaption>Figure 32. 
Select custom model as target for Security Playbook <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>For the<b> Action<\/b>, the following were selected:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Add objects to block list&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Collect files&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Submit file objects to Sandbox Analysis&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Submit URL objects to Sandbox Analysis&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Terminate processes&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Isolate endpoints&nbsp;<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"0b941d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig33.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig33.jpg\" alt=\"Figure 33. Select actions for Security Playbook \"> <\/a> <\/p>\n<p><figcaption>Figure 33. 
Select actions for Security Playbook <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>A quick overview of the Security Playbook in Figure 34 shows that the<b> Trigger<\/b> is Automatic or Manual, there\u2019s only one <b>Target<\/b> model (which is the Custom Model that was previously created), and a set of <b>Actions<\/b> were configured.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"37798c\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig34.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig34.jpg\" alt=\"Figure 34. Security Playbook \"> <\/a> <\/p>\n<p><figcaption>Figure 34. Security Playbook <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>On a test environment, the Security Playbook was tested by executing the same LNK file. 
It took nine minutes and 30 seconds for the entire playbook to complete (Figure 35) and all the actions were successful (Figure 36).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"503742\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig35.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig35.jpg\" alt=\"Figure 35. Testing the Security Playbook \"> <\/a> <\/p>\n<p><figcaption>Figure 35. Testing the Security Playbook <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"8cb758\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig36.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/mdr-in-action--preventing-the-more_eggs-backdoor-from-hatching\/MDR_More_eggs_Backdoor-Fig36.jpg\" alt=\"Figure 36. Security Playbook test results \"> <\/a> <\/p>\n<p><figcaption>Figure 36. Security Playbook test results <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"41.5\">\n<div readability=\"28\">\n<h4>Conclusion&nbsp;<\/h4>\n<p>This incident involving the more_eggs malware infection highlights the increasing sophistication of today&#8217;s cyber threats and the complexities surrounding their attribution. 
Our investigation revealed that this case aligns with one of two recently launched campaigns utilizing the more_eggs malware, with tactics, techniques, and procedures (TTPs) overlapping with those of the threat group FIN6. However, precise attribution remains challenging due to the nature of malware-as-a-service (MaaS), which blurs the lines between different threat actors. The advanced social engineering techniques employed \u2013 such as a convincing website and a malicious file disguised as a resume to start the infection \u2013 underscore the critical need for organizations to maintain continuous vigilance. It is imperative that defenders implement robust threat detection measures and foster a culture of cybersecurity awareness to effectively combat these evolving threats. &nbsp;<\/p>\n<p>Our MDR team mitigated this threat using the Vision One platform, keeping the malware from escalating to the point where it could release its payload and steal or encrypt the customer\u2019s information. Their comprehensive approach included endpoint isolation and proactive blocking of identified indicators to minimize the attack&#8217;s impact.&nbsp;<\/p>\n<p>As detailed in this entry, Custom Detection Models can also be used to further fortify defenses by enabling real-time automated responses to future threats. 
The integration of real-time monitoring, automated response, and proactive threat intelligence that Vision One provided in this incident showcases the critical role these solutions play in reducing the risk of falling victim to such attacks.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h4>Indicators of Compromise (IOCs)&nbsp;<\/h4>\n<p><b>SHA-256 Hashes&nbsp;<\/b><\/p>\n<p>Note: several of the hash values below contain fewer than the 64 hexadecimal characters of a complete SHA-256 digest and appear to have been truncated; verify them against the original article before adding them to a blocklist or detection rule.&nbsp;<\/p>\n<table border=\"1\">\n<tbody readability=\"22.5\">\n<tr readability=\"4\">\n<td>&nbsp;<b> &nbsp; IoC&nbsp;&nbsp; &nbsp; &nbsp;<\/b><\/td>\n<td><b>&nbsp; &nbsp; Detection&nbsp;&nbsp;&nbsp; &nbsp; &nbsp;<\/b><\/td>\n<td><b>&nbsp; &nbsp; Description&nbsp;&nbsp;<\/b> &nbsp; &nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>5131dbacb92fce5a59ac92893fa059c16cf8293e9abc26f2a61f9edd&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; John Cboins.zip &#8211; ZIP file containing \u2018John Cboins.lnk\u2019 and 6.jpg&nbsp;&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>624afe730923440468cae991383dd1f7be1dadf65fa4cb2b21e3e5a9&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; Trojan.LNK.MOREEGGS.B&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; John Cboins.lnk &#8211; LNK file with obfuscated command&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>&nbsp; &nbsp; ccf8276b55398030b6b7269136c5ee26a5c422d68793dc9ec5adee79a057c7f4&nbsp;&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; 6.jpg &#8211; Encrypted JPG file possibly containing obfuscated command&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>&nbsp; &nbsp; f2196309bc97e22447f6e168a9afbbb4291edd1cca51bf3789939c3618a63ec0&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; &nbsp;&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; c:\\Users\\&lt;user&gt;\\AppData\\Local\\Temp\\ieuinit.inf &#8211; Malicious INF file loaded by 
ie4uinit.exe (IE Per-User Initialization Utility)&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>&nbsp; &nbsp; 3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; C:\\Users\\&lt;user&gt;\\AppData\\Roaming\\Adobe\\38804.dll &#8211; Malicious DLL file created by ie4uinit.exe and executed by regsvr32.exe&nbsp;&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>&nbsp; &nbsp; 3beda3377b060a89b41553485e06e42b69d10610f21a4a443f75b39605397271&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; C:\\Users\\&lt;user&gt;\\AppData\\Roaming\\Adobe\\39220.dll &#8211; Malicious DLL file created by ie4uinit.exe and executed by regsvr32.exe&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>d207aebf701c7fb44fe06993f020ac3527680c7fa8492a0b5f6154ca&nbsp;&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; TrojanSpy.JS.MOREEGGS.A&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; C:\\Users\\&lt;user&gt;\\AppData\\Roaming\\Microsoft\\D30F38D93CA9185.txt &#8211; more_eggs launcher&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>17ac712a84af8e5c7906bff6e1662a5278d33fa36f1c13fcf788&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; TrojanSpy.JS.MOREEGGS.A&nbsp;&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; C:\\Users\\&lt;user&gt;\\AppData\\Roaming\\Microsoft\\765BBCA08C0E9CB6.txt &#8211; more_eggs backdoor&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp; <b>URLs&nbsp;<\/b><\/p>\n<table border=\"1\">\n<tbody readability=\"9\">\n<tr readability=\"2\">\n<td>&nbsp; <b>&nbsp; IoC&nbsp;&nbsp; &nbsp; &nbsp;<\/b><\/td>\n<td><b>&nbsp; &nbsp; Detection&nbsp; &nbsp;&nbsp;<\/b><\/td>\n<td><b>&nbsp; &nbsp; Description&nbsp;&nbsp; &nbsp; &nbsp;<\/b><\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>&nbsp; &nbsp; 
hxxps:\/\/1212055764.johncboins[.]com\/some\/036e91fc8cc899cc20f7e011fa6a0861\/sbosf&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; Dangerous \u2013 Disease Vector&nbsp;&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; Download link for \u2018John Cboins.zip\u2019&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>hxxp:\/\/36hbhv.johncboins[.]com\/fjkabrhhg&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; Dangerous \u2013 Malware Accomplice&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; ie4uinit.exe referencing malicious ieuinit.inf connected to this URL&nbsp;&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>hxxps:\/\/webmail.raysilkman[.]com&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; Dangerous \u2013 C&amp;C Server&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; C&amp;C server&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;&nbsp;<b> Email Address&nbsp;<\/b><\/p>\n<table border=\"1\">\n<tbody readability=\"3\">\n<tr readability=\"2\">\n<td>&nbsp; <b>&nbsp; IoC&nbsp;&nbsp; &nbsp; &nbsp;<\/b><\/td>\n<td><b>&nbsp; &nbsp; Description&nbsp;&nbsp; &nbsp; &nbsp;<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>&nbsp; &nbsp; fayereed11@gmail[.]com&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; Source of the spear-phishing email&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>&nbsp;&nbsp; Registry&nbsp;<\/b><\/p>\n<table border=\"1\">\n<tbody readability=\"3.5\">\n<tr readability=\"2\">\n<td>&nbsp; &nbsp;<b> IoC&nbsp;&nbsp; &nbsp; &nbsp;<\/b><\/td>\n<td><b>&nbsp; &nbsp; Description&nbsp; &nbsp; &nbsp;<\/b><\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>HKCU\\Environment \/t 1 \/v userinitmprlogonscript \/d cscripT -e:jsCript &#8220;%APPDATA%\\ Microsoft\\D30F38D93CA9185.txt&#8221;&nbsp;&nbsp; &nbsp; &nbsp;<\/td>\n<td>&nbsp; &nbsp; Registry persistence created by regsvr32.exe&nbsp; &nbsp; &nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section 
class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/mdr-in-action--preventing-the-moreeggs-backdoor-from-hatching--.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend Micro MDR (Managed Detection and Response) team promptly mitigated a more_eggs infection. Using Vision One, MDR illustrated how Custom Filters\/Models and Security Playbook can be used to automate the response to more_eggs and similar threats. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9513,9577],"class_list":["post-57251","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-malware","tag-trend-micro-research-phishing"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>MDR in Action: Preventing The More_eggs Backdoor From Hatching 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MDR in Action: Preventing The More_eggs Backdoor From Hatching 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-30T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"MDR in Action: Preventing The More_eggs Backdoor From Hatching\",\"datePublished\":\"2024-09-30T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/\"},\"wordCount\":3708,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Phishing\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/\",\"name\":\"MDR in Action: Preventing The More_eggs Backdoor From Hatching 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80\",\"datePublished\":\"2024-09-30T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, 
Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"MDR in Action: Preventing The More_eggs Backdoor From Hatching\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"MDR in Action: Preventing The More_eggs Backdoor From Hatching 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/","og_locale":"en_US","og_type":"article","og_title":"MDR in Action: Preventing The More_eggs Backdoor From Hatching 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-09-30T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"MDR in Action: Preventing The More_eggs Backdoor From Hatching","datePublished":"2024-09-30T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/"},"wordCount":3708,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Malware","Trend Micro Research : Phishing"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/","url":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/","name":"MDR in Action: Preventing The More_eggs Backdoor From Hatching 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80","datePublished":"2024-09-30T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/MDR_More_eggs_Backdoor-Thumbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/mdr-in-action-preventing-the-more_eggs-backdoor-from-hatching\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"MDR in Action: Preventing The More_eggs Backdoor From 
Hatching"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a86
71ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57251"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57251\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}