Page 167 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

As with previous more_eggs variants observed by TRU, the malware abuses legitimate Windows
            processes to evade detection, alongside a decoy document to trick users. In the incident involving the
            accounting firm, an employee of the firm received what they thought was a candidate's resume. However,
            the resume was in fact the VenomLNK malware. Once VenomLNK was executed, it proceeded to execute
            TerraLoader so that TerraLoader could load the various information-stealing and intrusion modules
            belonging to the more_eggs suite. The 2022 campaign, however, showed two notable differences:

               •  In place of the previously abused Windows process, cmstp.exe (the Connection Manager Profile
                   Installer, which installs network connection profiles), more_eggs now abuses ie4uinit.exe, another
                   legitimate Windows binary, to load its malicious plugins.
               •  Rather than targeting hopeful candidates looking for work, the hackers targeted businesses
                   looking for employees.
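            The swap from cmstp.exe to ie4uinit.exe illustrates why signature matching on the binary itself is not enough: both are signed Microsoft files, so what separates abuse from normal use is the context of the process creation (where the binary runs from, who spawned it, and what it is asked to load). The script below is an added example by the editor, not eSentire or TRU code, showing the kind of behavioral rule an EDR or SIEM analyst would write against Sysmon-style process-creation events. The events, process IDs, paths and parent processes are constructed for illustration; the rule logic draws on the publicly documented LOLBAS patterns for the two binaries (cmstp.exe /ni /s <file>.inf, and ie4uinit.exe -BaseSettings reading an ie4uinit.inf from the directory it runs from), and makes no claim about the exact command lines more_eggs used.

```python
"""Behavioral triage for LOLBin abuse (cmstp.exe / ie4uinit.exe).

Added example by the editor, not eSentire/TRU code. Events are constructed,
Sysmon-style process-creation records (EventID 1 field names), not real telemetry.
"""
import ntpath

# Binaries the campaign has abused: cmstp.exe earlier, ie4uinit.exe in 2022.
WATCHED_LOLBINS = {"cmstp.exe", "ie4uinit.exe"}

# The only locations where the genuine binaries live. A copy anywhere else is
# the setup for ie4uinit.exe -BaseSettings, which (per LOLBAS) reads an
# ie4uinit.inf from the directory the binary is executed from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Parents that point to script- or shortcut-driven execution rather than OS setup.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    p = path.lower()
    if not p.endswith("\\"):
        p += "\\"
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def evaluate(event: dict) -> list:
    """Return (severity, reason) findings for one process-creation event.

    Expected keys (Sysmon EventID 1 names): Image, ParentImage, CommandLine,
    CurrentDirectory. Missing keys are treated as empty strings.
    """
    image = _basename(event.get("Image", ""))
    if image not in WATCHED_LOLBINS:
        return []  # this rule set only concerns the watched LOLBins

    findings = []
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    cwd = event.get("CurrentDirectory", "").lower()

    # 1. The binary itself was copied out of System32/SysWOW64.
    if not _in_system_dir(event.get("Image", "")):
        findings.append(("high", f"{image} executed from non-system path"))

    # 2. Spawned by a shell or script host: what a .lnk -> loader chain looks
    #    like, not how Windows normally invokes these helpers.
    if parent in SCRIPT_HOSTS:
        findings.append(("medium", f"{image} spawned by {parent}"))

    # 3. cmstp.exe installing a user-supplied .inf (cmstp.exe /ni /s <file>.inf).
    if image == "cmstp.exe":
        inf_args = [t.strip('"') for t in cmdline.split() if t.strip('"').endswith(".inf")]
        if any(not _in_system_dir(a) for a in inf_args):
            findings.append(("high", "cmstp.exe installing a .inf from outside the system directories"))

    # 4. ie4uinit.exe -BaseSettings with a working directory the user can write to.
    if image == "ie4uinit.exe" and "-basesettings" in cmdline and not _in_system_dir(cwd):
        findings.append(("high", "ie4uinit.exe -BaseSettings with non-system working directory"))

    return findings


def triage(events: list) -> list:
    """Return only the events that fired, highest severity first."""
    order = {"high": 0, "medium": 1}
    hits = []
    for ev in events:
        found = evaluate(ev)
        if found:
            hits.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"),
                         "severity": min((s for s, _ in found), key=order.get),
                         "findings": found})
    hits.sort(key=lambda h: order[h["severity"]])
    return hits


# Constructed sample events (not real telemetry); paths and PIDs are illustrative.
SAMPLE_EVENTS = [
    {   # benign: the genuine binary run from System32 during user setup
        "ProcessId": 4120,
        "Image": "C:\\Windows\\System32\\ie4uinit.exe",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": "ie4uinit.exe -UserConfig",
        "CurrentDirectory": "C:\\Windows\\System32\\",
    },
    {   # suspicious: copy of ie4uinit.exe in a user-writable folder, launched by cmd.exe
        "ProcessId": 5288,
        "Image": "C:\\Users\\hr\\AppData\\Local\\Temp\\ie4uinit.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "ie4uinit.exe -BaseSettings",
        "CurrentDirectory": "C:\\Users\\hr\\AppData\\Local\\Temp\\",
    },
    {   # suspicious: genuine cmstp.exe fed a .inf from a user profile by wscript.exe
        "ProcessId": 5301,
        "Image": "C:\\Windows\\System32\\cmstp.exe",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "cmstp.exe /ni /s C:\\Users\\hr\\AppData\\Roaming\\profile.inf",
        "CurrentDirectory": "C:\\Users\\hr\\",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["pid"], hit["image"])
        for sev, reason in hit["findings"]:
            print(f"  [{sev}] {reason}")
```

            Run stand-alone, the script reports the two constructed malicious events and stays silent on the benign logon-time execution, which is the point: the same signed binary is allowed or flagged purely on where it runs from, what launched it and what it is loading. In production the thresholds (which parents count as script hosts, which working directories are trusted) should be tuned against the organization's own baseline before alerts are routed to a triage queue.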

            Protecting Against More_Eggs

            "Thus far we are seeing threat campaigns involving more_eggs just a few times a year, unlike some
            other cyberthreats," said Rob McLeod, Vice President of eSentire's Threat Response Unit. "This, in
            addition to the campaigns' spearphishing component, indicates to me that the threat actors using
            more_eggs are extremely selective and patient. It is important that companies and public entities,
            especially those in critical infrastructure sectors, consider adopting the following security
            recommendations."



            Cybersecurity Protection Tips

               •  Security Awareness Training for All Employees. Security awareness training should be
                   mandated for all company employees. The training should ensure that employees:
                   ➢  Avoid downloading and executing files from unverified sources. For example, be wary of
                       Word and Excel documents sent from an unknown source or acquired from the Internet that
                       prompt you to 'Enable Macros'.
                   ➢  Avoid free versions of paid software.
                   ➢  Always inspect the full URL before downloading files to ensure it matches the source (e.g.,
                       Microsoft Teams should come from a Microsoft domain).
                   ➢  Inspect file extensions. Do not trust the filetype icon alone. An executable file (or a
                       shortcut such as the .lnk used here) can be disguised as a PDF or Office document.
                   ➢  Ensure standard procedures are in place for employees to submit potentially malicious
                       content for review.

               •  Anti-virus isn't enough. Malware that abuses Living Off the Land Binaries (LOLBins) bypasses
                   detection approaches that only classify the binary, because the binary is a legitimate, signed
                   Windows file. Therefore, Endpoint Detection and Response (EDR) agents need to be installed on
                   all hosts. An EDR solution is a necessary technology for detecting threats such as more_eggs,
                   and EDR agents must be continuously monitored and updated with the evolving threat landscape.
                   If not, critical alerts will not be triaged and investigated. Managed Detection and Response
                   (MDR) providers offer this service. Robust and comprehensive MDR services require an
                   AI-powered Extended Detection and Response (XDR) technology platform so that the hundreds of
                   daily security signals generated by an organization's EDR agents can be promptly ingested,
                   analyzed and responded to. Security events which can be resolved




