The threat landscape continues to evolve as the financially motivated Venom Spider group, also known as Golden Chickens, intensifies the spread of the More_Eggs malware, a JavaScript-based backdoor sold under a Malware-as-a-Service (MaaS) model.
Recent campaigns have sharpened their focus on human resources (HR) departments, using the guise of legitimate job-application emails to deliver heavily obfuscated, multi-stage payloads straight to targets' inboxes.
Sophisticated JavaScript Backdoor
A prime example of this attack vector was observed in a recent variant, “Sebastian Hall.zip,” sourced from well-known malware repositories.
This ZIP archive, typical of the campaign, contains both a decoy image and a malicious Windows shortcut file (LNK).
When unsuspecting HR personnel interact with the attachment, believing it to be a routine job application, they inadvertently set off a complex infection chain engineered to evade traditional detection methods.
At the core of the infection is the LNK file, Sebastian Hall.lnk, whose properties initially appear benign: its target simply references cmd.exe.

Sebastian Hall.zip
However, the true malicious payload is concealed through command-line obfuscation that exploits the truncation of long argument strings in the standard Windows Properties dialog, so that only the benign-looking start of the command is displayed.
Forensic tools such as LECmd and ExifTool recover the full, obfuscated command line directly from the shortcut's structure rather than from what the dialog shows.
Upon execution, the LNK file uses fragmented environment variables and other syntactic tricks characteristic of the More_Eggs toolkit to reconstruct a hidden batch script.
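To make the recovery step concrete, the following Python script (an added example, not code from the article, from LECmd or from ExifTool) walks the MS-SHLLINK structure of a .lnk file to the COMMAND_LINE_ARGUMENTS string and separates what the Properties dialog would display from the padded remainder. The sample shortcut, its cmd.exe target and the padded argument string are constructed inline; the 260-character display limit is the commonly cited size of the dialog's Target box and is an assumption of the example, not a value from the article.

```python
"""Parse the StringData of a Windows .lnk (MS-SHLLINK) to recover the full
command-line arguments, including anything padded past what the Properties
dialog displays.  Added example; not code from the article or the tools it names."""
import struct

# ShellLinkHeader constants (MS-SHLLINK section 2.1)
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
DIALOG_LIMIT = 260  # assumed: commonly cited length of the Target box in the Properties dialog


def _u16(data, pos):
    return struct.unpack_from("<H", data, pos)[0]


def parse_lnk(data: bytes) -> dict:
    """Return the header flags, ShowCommand and every StringData string in the shortcut."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + _u16(data, pos)
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    result = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    width = 2 if flags & IS_UNICODE else 1       # UTF-16LE or system code page
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = _u16(data, pos)                  # CountCharacters, not bytes, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        pos += len(raw)
        result[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return result


def dialog_view(arguments: str, limit: int = DIALOG_LIMIT) -> str:
    """Approximate what the Properties dialog shows: only the first `limit` characters."""
    return arguments[:limit]


def hidden_tail(arguments: str, limit: int = DIALOG_LIMIT) -> str:
    """Everything an analyst would miss by trusting the dialog instead of the file."""
    return arguments[limit:].strip()


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk so the parser can be exercised offline."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | IS_UNICODE)
    header = struct.pack(
        "<I16sIIQQQIiIH2s4s4s", HEADER_SIZE, LNK_CLSID, flags,
        0x80,            # FILE_ATTRIBUTE_NORMAL
        0, 0, 0, 0,      # creation/access/write time, file size
        0,               # icon index
        7,               # SW_SHOWMINNOACTIVE: console starts minimised, a common lure trick
        0, b"\0\0", b"\0" * 4, b"\0" * 4)
    id_list = struct.pack("<H", 2) + b"\0\0"     # empty IDList: terminal ID only

    def s(text):                                  # CountCharacters + UTF-16LE payload
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + id_list + s(relative_path) + s(working_dir) + s(arguments)


# Constructed sample: a benign-looking prefix, several hundred spaces, then the
# real command, mimicking the padding trick the article describes.
SAMPLE_ARGUMENTS = ("/c echo Opening application form..." + " " * 300
                    + "& start /min %temp%\\stage2.bat")
SAMPLE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", "%temp%", SAMPLE_ARGUMENTS)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print("dialog shows :", repr(dialog_view(info["arguments"])))
    print("hidden tail  :", repr(hidden_tail(info["arguments"])))
```

Run on a real sample, `parse_lnk(open("Sebastian Hall.lnk", "rb").read())["arguments"]` gives the same string LECmd reports; the point of `hidden_tail` is that the padding, not encryption, is what keeps the second half of the command out of sight.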
This script’s first step is to quietly launch Microsoft Word from its standard installation path, providing a convincing decoy for the end user.
Simultaneously, it prepares and writes a faux configuration file, ieuinit.inf, to the user’s temp directory.
Although formatted to resemble a standard Windows INF file, this artifact is packed with encoded strings and URLs, likely containing the malware’s configuration and instructions.
Obfuscated Payloads Bypass Detection
The infection chain then abuses legitimate system binaries, a technique known as "living off the land."
Specifically, it copies the native ieuinit.exe binary (the LOLBAS project catalogues this binary as ie4uinit.exe; invoked with -BaseSettings it processes an ieuinit.inf file from its working directory) from the trusted %windir%\system32 directory to %temp%, and executes it with custom arguments.
This approach allows More_Eggs to blend in with regular system activity, reducing the likelihood of triggering security alerts.
The newly copied binary parses the crafted ieuinit.inf file, which can direct it to download and execute a heavily obfuscated JavaScript (JS) file from a remote command-and-control (C2) server.
Static and dynamic analysis of this JS payload (its file type confirmed with Google's Magika identifier, since the obfuscation defeats simple extension-based checks) reveals layers of polymorphic obfuscation.
The script contains anti-debugging mechanisms and randomized variable names to stymie reverse engineering.
Ultimately, its goal is to fetch and execute further payloads, enabling system reconnaissance, data exfiltration, or the deployment of additional malware modules.
The modular design and server-side variation in each JS payload make detection by traditional antivirus solutions increasingly challenging.
Researchers have linked this evolving campaign to threat actors such as FIN6 and Cobalt Group, both known to purchase More_Eggs under the MaaS model.
The use of legitimate binaries (LOLBAS), coupled with staged, obfuscated infection mechanisms, underscores the growing sophistication of email-borne malware threats.
Mitigation strategies include monitoring for unusual process launches, such as Microsoft Word or WordPad started by cmd.exe, or processes tied to suspicious temp-file activity.
According to the report, security teams are advised to scrutinize LNK file executions, particularly those nested in ZIP attachments paired with images, and to flag unexpected copies or invocations of ieuinit.exe from temporary directories.
Proactive hunting should include searches for artifacts such as ieuinit.inf and anomalous temp directory activity.
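The hunting guidance above translates directly into a handful of rules over endpoint telemetry. The script below is an added example, not detection content from the article or from any vendor: it evaluates simplified Sysmon-style process-creation and file-creation events (dictionaries constructed inline, with host names and paths invented for the example) against four rules covering the chain as described: an LNK launched from Explorer's Temp1_<archive> staging folder (the folder Explorer uses when a file inside a ZIP is opened in place), Word or WordPad spawned by cmd.exe, ieuinit.inf written to a temp directory, and the INF-processing binary running from a temp directory. Both the article's spelling ieuinit.exe and the LOLBAS name ie4uinit.exe are matched.

```python
"""Hunt rules for the More_Eggs LNK -> cmd.exe -> ieuinit.inf chain over
simplified Sysmon-style events.  Added example; event shapes, hosts and paths
are constructed for illustration, not taken from the article or a vendor report."""
import ntpath
from collections import defaultdict

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
OFFICE_DECOYS = {"winword.exe", "wordpad.exe"}
INF_LOLBINS = {"ieuinit.exe", "ie4uinit.exe"}   # spelling used in the article, and the LOLBAS name


def _base(path):
    return ntpath.basename(path or "").lower()


def _in_temp(path):
    return any(marker in (path or "").lower() for marker in TEMP_MARKERS)


def classify(event):
    """Return the names of every rule this single event matches."""
    hits = []
    if event["type"] == "process_create":
        image, parent = _base(event["image"]), _base(event.get("parent_image"))
        cwd = event.get("cwd", "").lower()
        # An LNK double-clicked inside a ZIP runs from Explorer's Temp1_<archive> folder
        if image == "cmd.exe" and parent == "explorer.exe" and "\\temp1_" in cwd:
            hits.append("lnk_launched_from_zip")
        # Decoy document opened by the batch script rather than by the user
        if image in OFFICE_DECOYS and parent == "cmd.exe":
            hits.append("office_decoy_from_cmd")
        # The INF-processing LOLBIN should only ever run from System32
        if image in INF_LOLBINS and _in_temp(event["image"]):
            hits.append("inf_lolbin_from_temp")
    elif event["type"] == "file_create":
        if _base(event["path"]) == "ieuinit.inf" and _in_temp(event["path"]):
            hits.append("inf_dropped_in_temp")
    return hits


def hunt(events):
    """Group rule hits per host; several distinct rules on one host is the chain, not noise."""
    per_host = defaultdict(dict)
    for ev in events:
        for rule in classify(ev):
            per_host[ev["host"]].setdefault(rule, []).append(ev["id"])
    return dict(per_host)


# Constructed telemetry: one infected HR workstation plus benign noise elsewhere.
SAMPLE_EVENTS = [
    {"id": 1, "host": "HR-PC01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cwd": r"C:\Users\hr\AppData\Local\Temp\Temp1_Sebastian Hall.zip"},
    {"id": 2, "host": "HR-PC01", "type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "host": "HR-PC01", "type": "file_create",
     "path": r"C:\Users\hr\AppData\Local\Temp\ieuinit.inf",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "host": "HR-PC01", "type": "process_create",
     "image": r"C:\Users\hr\AppData\Local\Temp\ieuinit.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # Benign: a user opening Word normally, and the real binary run by the OS from System32
    {"id": 5, "host": "FIN-PC07", "type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 6, "host": "FIN-PC07", "type": "process_create",
     "image": r"C:\Windows\System32\ie4uinit.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, rules)
```

Each rule on its own is noisy on a large estate (cmd.exe launching WordPad happens legitimately), so `hunt` groups hits per host: a workstation that trips the ZIP-launch, decoy and temp-directory rules within a short window is the infection chain, while a single isolated hit is a candidate for triage.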
The ongoing More_Eggs activity highlights the necessity for enhanced email filtering, robust endpoint detection, and continuous user education to defend against increasingly deceptive and technically advanced phishing campaigns.