Page 167 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
As with previous more_eggs variants observed by TRU, the malware abuses legitimate Windows processes to evade detection, alongside a decoy document to trick users. In the incident involving the accounting firm, an employee received what they thought was a candidate’s resume; the “resume” was in fact the VenomLNK malware. Once executed, VenomLNK launched TerraLoader, which in turn loaded various information-stealing and intrusion modules belonging to the more_eggs suite. The 2022 campaign, however, showed two notable differences:
• In place of the previously abused Windows process, cmstp.exe (which manages network connections), more_eggs abused ie4uinit.exe, another Windows process, to load its malicious plugins.
• Rather than targeting hopeful candidates looking for work, the hackers targeted businesses looking for employees.
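As an added illustration (not part of the article or of eSentire’s tooling), the Python sketch below applies the point above to process-creation telemetry: because cmstp.exe and ie4uinit.exe are legitimate signed binaries, a hash or signature check alone will not catch their abuse, so the detection looks instead at who launched them, from where, and in what working directory. The system paths, parent allowlists and the sample events are assumptions constructed for the example, not field data from the campaign.

```python
"""Flag process-creation events that fit the LOLBin pattern described above."""
import json
from pathlib import PureWindowsPath

# Binaries the article names as abused by more_eggs.
LOLBINS = {"cmstp.exe", "ie4uinit.exe"}
# Assumption: where these binaries legitimately live on 64-bit Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: parents that normally launch them (setup/servicing); tune per estate.
BENIGN_PARENTS = {"services.exe", "svchost.exe", "msiexec.exe", "userinit.exe", "runonce.exe"}
# Parents typical of a user opening a lure (shell, shortcut handler, script hosts).
USER_HOSTS = {"explorer.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

def classify(event: dict) -> list:
    """Return the reasons an event looks like LOLBin abuse ([] = not flagged)."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() not in LOLBINS:
        return []
    reasons = []
    if str(image.parent).lower() not in SYSTEM_DIRS:
        reasons.append("LOLBin name used outside the system directory (masquerade)")
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent in USER_HOSTS:
        reasons.append(f"launched from user-facing host {parent}")
    elif parent not in BENIGN_PARENTS:
        reasons.append(f"unusual parent process {parent}")
    context = (event.get("CommandLine", "") + " " + event.get("CurrentDirectory", "")).lower()
    if any(p in context for p in USER_WRITABLE):
        reasons.append("command line or working directory in a user-writable path")
    return reasons

def scan(lines):
    """Parse JSON process-creation events; return (pid, reasons) for each hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["ProcessId"], reasons))
    return hits

# Constructed sample events (Sysmon Event ID 1 style field names), not real telemetry.
SAMPLE_EVENTS = [
    r'{"ProcessId": 1001, "Image": "C:\\Windows\\System32\\ie4uinit.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "ie4uinit.exe -UserConfig", "CurrentDirectory": "C:\\Windows\\System32\\"}',
    r'{"ProcessId": 4242, "Image": "C:\\Windows\\System32\\ie4uinit.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "ie4uinit.exe", "CurrentDirectory": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\"}',
    r'{"ProcessId": 4243, "Image": "C:\\Users\\jdoe\\Downloads\\cmstp.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Users\\jdoe\\Downloads\\cmstp.exe", "CurrentDirectory": "C:\\Users\\jdoe\\Downloads\\"}',
]
```

Running `scan(SAMPLE_EVENTS)` leaves the servicing-launched event alone and flags the other two, with the reasons listed per process so an analyst can see which condition fired.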
Protecting Against More_Eggs
“Thus far we are seeing threat campaigns involving more_eggs just a few times a year, unlike some other cyberthreats,” said Rob McLeod, Vice President of eSentire’s Threat Response Unit. “This, in addition to the campaigns’ spearphishing component, indicates to me that the threat actors using more_eggs are extremely selective and patient. It is important that companies and public entities, especially those in critical infrastructure sectors, consider adopting the following security recommendations.”
Cybersecurity Protection Tips
• Security Awareness Training for All Employees. Security awareness training should be mandated for all company employees. The training should ensure that employees:
➢ Avoid downloading and executing files from unverified sources. For example, be wary of Word and Excel documents sent from an unknown source or acquired from the Internet that prompt you to ‘Enable Macros’.
➢ Avoid free versions of paid software.
➢ Always inspect the full URL before downloading files to ensure it matches the source (e.g., Microsoft Teams should come from a Microsoft domain).
➢ Inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or Office document.
➢ Ensure standard procedures are in place for employees to submit potentially malicious content for review.
• Anti-virus isn’t enough. Malware that abuses Living Off the Land Binaries (LOLBins) bypasses binary detection approaches. Therefore, Endpoint Detection and Response (EDR) agents need to be installed on all hosts. An EDR solution is a necessary technology for detecting threats such as more_eggs, and EDR agents must be continuously monitored and updated with the evolving threat landscape. If not, critical alerts will not be triaged and investigated. Managed Detection and Response (MDR) providers offer this service. Robust and comprehensive MDR services require an AI-powered Extended Detection and Response (XDR) technology platform so that the hundreds of daily security signals generated by an organization’s EDR agents can be promptly ingested, analyzed and responded to. Security events which can be resolved