
S0284 More_eggs

More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4.[1][2]

Item | Value
ID | S0284
Associated Names | SKID, Terra Loader, SpicyOmelette
Version | 3.0
Created | 17 October 2018
Last Modified | 23 April 2021

Associated Software Descriptions

Name | Description
Terra Loader | [2][5]
SpicyOmelette | [2]

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | More_eggs uses HTTPS for C2.[1][2]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | More_eggs has used cmd.exe for execution.[2][3]
enterprise | T1132 | Data Encoding | -
enterprise | T1132.001 | Standard Encoding | More_eggs has used basE91 encoding, along with encryption, for C2 communication.[2]
enterprise | T1140 | Deobfuscate/Decode Files or Information | More_eggs will decode malware components that are then dropped to the system.[2]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | More_eggs has used an RC4-based encryption method for its C2 communications.[2]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | More_eggs can remove itself from a system.[1][2]
enterprise | T1105 | Ingress Tool Transfer | More_eggs can download and launch additional payloads.[1][2]
enterprise | T1027 | Obfuscated Files or Information | More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.[3]
enterprise | T1518 | Software Discovery | -
enterprise | T1518.001 | Security Software Discovery | More_eggs can obtain information on installed anti-malware programs.[1]
enterprise | T1553 | Subvert Trust Controls | -
enterprise | T1553.002 | Code Signing | More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.[2]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.010 | Regsvr32 | More_eggs has used regsvr32.exe to execute the malicious DLL.[2]
enterprise | T1082 | System Information Discovery | More_eggs has the capability to gather the OS version and computer name.[1][2]
enterprise | T1016 | System Network Configuration Discovery | More_eggs has the capability to gather the IP address from the victim's machine.[1]
enterprise | T1016.001 | Internet Connection Discovery | More_eggs has used HTTP GET requests to check internet connectivity.[2]
enterprise | T1033 | System Owner/User Discovery | More_eggs has the capability to gather the username from the victim's machine.[1][2]

Groups That Use This Software

ID | Name | References
G0037 | FIN6 | [2][5]
G0080 | Cobalt Group | [1][4]
G0120 | Evilnum | [3]