Guess who’s back?
You’d never have thought about it, but MoreEggs malware is back.
Not to burst your bubble, but if you thought its days of job-scam phishing were over, think again, because now it’s sneakier than ever.
The JavaScript-based backdoor linked to the notorious financially motivated group Venom Spider (a.k.a. Golden Chickens) is evolving fast and targeting HR departments once again. The plot twist: its latest variant now comes disguised as a harmless job application concealed inside a ZIP file titled SebastianHall.zip.
Now you’re wondering what exactly is inside this zip file.
Well, embedded in the ZIP file are:
· A decoy image: b.jpg
· A malicious shortcut: Sebastian Hall.lnk
But don’t be fooled: the LNK file is the true payload, silently executing a complex infection chain while the user is distracted by a decoy Word document.

Once opened, the .lnk file triggers a silent operation that includes:
· Launching Microsoft Word to divert the user’s attention
· Dropping a fake .inf file (ieuinit.inf) in the %temp% directory
· Copying the legitimate Windows utility ieuinit.exe from C:\Windows\System32
· Executing ieuinit.exe with the suspicious parameter -basjestings
Once MoreEggs goes live, it can load a malicious DLL, run a backdoor JavaScript payload, or connect to a C2 server for further commands without tripping alarms.
Deobfuscating the script’s commands reveals how it evades detection:
· Legitimate Windows binaries are abused for stealth.
· Obfuscation turns simple batch commands (echo, xcopy, start) into unreadable logic.
· Encoded URLs like hxxp[://]wfshtl[.]com/abf2iawq hide in plain sight.
The malware employs server-side polymorphism, generating unique JS payloads per victim, a tactic that makes traditional hash-based detection virtually useless. The JavaScript backdoor acts as both a dropper and a controller, giving attackers persistent access and remote control capabilities.
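Because per-victim polymorphism defeats hash matching, detection has to key on the behaviour of the chain instead: a Word process spawned through an LNK, ieuinit.inf landing in %temp%, and ieuinit.exe running from somewhere other than System32 or with the odd -basjestings argument. The script below is an added example, not code from the original post or from any vendor tooling; it runs those heuristics (the same ones the Recommendations section lists) over constructed, Sysmon-style process-creation and file-creation records. The event shape, field names and sample paths are assumptions made for the example.

```python
import ntpath
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events in a Sysmon-like shape (not real telemetry).
# "process" events carry image, cmdline, parent_image, parent_cmdline;
# "file_create" events carry the creating image and the target path.
TEMP = r"C:\Users\hr\AppData\Local\Temp"
SAMPLE_EVENTS: List[Event] = [
    # Benign baseline: Word opened from Explorer on an ordinary document.
    {"type": "process",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\hr\Documents\policy.docx"',
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": r"C:\Windows\explorer.exe"},
    # Suspicious: Word launched by a cmd.exe chain that references the .lnk
    # extracted from the ZIP (the decoy step of the chain).
    {"type": "process",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "%s\decoy.docx"' % TEMP,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd.exe /c start "" "%s\Temp1_SebastianHall.zip\Sebastian Hall.lnk"' % TEMP},
    # Suspicious: the fake .inf dropped into %temp%.
    {"type": "file_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"%s\ieuinit.inf" % TEMP},
    # Suspicious: the copied ieuinit.exe running from %temp% with the odd argument.
    {"type": "process",
     "image": r"%s\ieuinit.exe" % TEMP,
     "cmdline": r"%s\ieuinit.exe -basjestings" % TEMP,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd.exe /c "<obfuscated batch, omitted in this constructed sample>"'},
    # Benign baseline: the genuine binary in its normal location, no odd argument.
    {"type": "process",
     "image": r"C:\Windows\System32\ieuinit.exe",
     "cmdline": r"C:\Windows\System32\ieuinit.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": r"svchost.exe -k netsvcs"},
]

WORD_BINARIES = {"winword.exe", "wordpad.exe"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


def basename(path: str) -> str:
    """Case-folded final path component, using Windows path rules on any host."""
    return ntpath.basename(path).lower()


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for events matching the chain heuristics.

    Rules are behavioural on purpose: the JS payload differs per victim, so a
    file hash is useless, but the LOLBin abuse pattern stays the same.
    """
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if ev["type"] == "process":
            name = basename(ev["image"])
            parent_cmd = ev["parent_cmdline"].lower()
            # Word/WordPad launched via a shortcut or straight out of a ZIP.
            if name in WORD_BINARIES and (".lnk" in parent_cmd or ".zip" in parent_cmd):
                hits.append(("word_launched_via_lnk", ev["parent_cmdline"]))
            if name == "ieuinit.exe":
                # The legitimate copy lives in System32; anywhere else is a copy.
                if not ev["image"].lower().startswith(SYSTEM32_PREFIX):
                    hits.append(("ieuinit_outside_system32", ev["image"]))
                # The argument the post reports being passed to the copied binary.
                if "-basjestings" in ev["cmdline"].lower():
                    hits.append(("ieuinit_suspicious_argument", ev["cmdline"]))
        elif ev["type"] == "file_create":
            target = ev["target"]
            # The fake .inf the LNK drops before invoking ieuinit.exe.
            if basename(target) == "ieuinit.inf" and "\\temp\\" in target.lower():
                hits.append(("ieuinit_inf_in_temp", target))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The two baseline records produce no hits, which is the point of keeping them in the sample: a rule that fires on every Word launch or on the real ieuinit.exe in System32 would be noise, not detection. In a real pipeline the same four rules map directly onto Sysmon Event ID 1 (process creation) and Event ID 11 (file creation) fields.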
Recommendations
· Be suspicious of Word or WordPad being executed from .lnk files inside ZIP attachments
· Flag any instance of ieuinit.exe running from %temp% rather than System32
· Look for ieuinit.inf or ieuinit.exe present in unexpected locations
· Watch for ZIP files with embedded .lnk files, especially in HR-related emails
· Block ZIP attachments from unknown sources that contain .lnk files, especially in HR workflows
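The last two recommendations can be enforced before the archive ever reaches a mailbox. The script below is an added example, not code from the original post; it builds a constructed stand-in for the SebastianHall.zip layout described above (the shortcut body is just the header signature, not a working link), then inspects the archive. It flags members by .lnk extension and, because a renamed shortcut keeps its header, also by the fixed bytes every Windows shell link starts with: HeaderSize 0x4C followed by the link CLSID {00021401-0000-0000-C000-000000000046}. The member names other than b.jpg and Sebastian Hall.lnk, and the function names, are assumptions made for the example.

```python
import io
import zipfile
from typing import List

# Every .lnk file begins with HeaderSize (0x4C, little-endian) and then the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the post's layout; not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)          # JPEG SOI marker
        zf.writestr("Sebastian Hall.lnk", LNK_MAGIC + b"\x00" * 16)        # shortcut header only
        zf.writestr("resume.pdf", LNK_MAGIC + b"\x00" * 16)                # renamed shortcut (assumed)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control archive with no shortcut in it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv.pdf", b"%PDF-1.4\n" + b"\x00" * 16)
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


def inspect_zip(data: bytes) -> List[str]:
    """Return one finding per member that is, or looks like, a shell link."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Read only the header-sized prefix; no need to inflate the whole member.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if name.lower().endswith(".lnk"):
                findings.append(f"{name}: .lnk extension")
            elif head == LNK_MAGIC:
                findings.append(f"{name}: shell link header under a non-.lnk name")
    return findings


def should_block(data: bytes) -> bool:
    """Gateway decision: any shell link inside the archive blocks the attachment."""
    return bool(inspect_zip(data))


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print("BLOCK:", finding)
    print("benign archive blocked:", should_block(build_benign_zip()))
```

Checking the header rather than only the extension matters because the ZIP listing is what the recipient sees, and a shortcut renamed to .pdf or .jpg would otherwise pass a name-based filter. A production filter would additionally recurse into nested archives, which this example leaves out.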