More_eggs

More_eggs is a JScript backdoor used by Cobalt Group. The name comes from the variable "More_eggs" found in its code. At least two different versions of the backdoor have been observed in use, version 2.0 and version 4.4. [1]

ID: S0284
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1107 | File Deletion | More_eggs can remove itself from a system.[1]
Enterprise | T1105 | Remote File Copy | More_eggs can download and launch additional payloads.[1]
Enterprise | T1063 | Security Software Discovery | More_eggs can obtain information on installed anti-malware programs.[1]
Enterprise | T1071 | Standard Application Layer Protocol | More_eggs uses HTTPS for C2.[1]
Enterprise | T1082 | System Information Discovery | More_eggs has the capability to gather the OS version and computer name.[1]
Enterprise | T1016 | System Network Configuration Discovery | More_eggs has the capability to gather the IP address from the victim's machine.[1]
Enterprise | T1033 | System Owner/User Discovery | More_eggs has the capability to gather the username from the victim's machine.[1]
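The following is an added hunting example; it is not code from the original page or from the cited report. It correlates three of the behaviours listed above (a Windows Script Host process running a JScript file, an HTTPS connection made by that same process, and deletion of the script file it was launched from) over constructed Sysmon-style process-create, network-connect and file-delete events. The event layout, the sample values, and the heuristic itself are assumptions for illustration only; it is not a signature for More_eggs and will fire on any JScript that behaves this way.

```python
"""Correlate JScript host activity with HTTPS C2 (T1071) and self-deletion
(T1107) per process.  Added example over constructed telemetry; the event
schema loosely mimics Sysmon EventID 1, 3 and 23 but is an assumption."""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry).  PID 4312 is a wscript.exe
# launch of a .js file that then talks HTTPS and deletes its own script;
# PID 5120 is a benign cscript.exe VBScript job on SMB, included so the
# heuristic has a negative case.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4312, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //E:jscript C:\Users\u\AppData\Local\Temp\inv.js'},
    {"id": 3, "pid": 4312, "image": r"C:\Windows\System32\wscript.exe",
     "dst": "203.0.113.10", "dst_port": 443},
    {"id": 23, "pid": 4312, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\inv.js"},
    {"id": 1, "pid": 5120, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\backup.vbs"},
    {"id": 3, "pid": 5120, "image": r"C:\Windows\System32\cscript.exe",
     "dst": "10.0.0.5", "dst_port": 445},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A .js path token in a command line; the lookahead stops ".json" matching.
JS_PATH = re.compile(r'([^\s"]+\.js)(?=["\s]|$)')


def extract_script_path(cmdline):
    """Return the lower-cased .js path from a command line, or None."""
    match = JS_PATH.search(cmdline.lower())
    return match.group(1) if match else None


def is_jscript_launch(ev):
    """EventID 1 where a WSH host runs a .js file or forces the JScript engine."""
    if ev["id"] != 1:
        return False
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    return image in SCRIPT_HOSTS and (
        extract_script_path(cmd) is not None or "//e:jscript" in cmd)


def correlate(events):
    """Group events by PID and report JScript host processes that also show
    HTTPS egress and/or deletion of their own script file.

    Returns {pid: {"script": cmdline, "techniques": [labels]}}."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    findings = {}
    for pid, evs in by_pid.items():
        launch = next((e for e in evs if is_jscript_launch(e)), None)
        if launch is None:
            continue
        hit = {"script": launch["cmdline"], "techniques": []}
        # T1071: the script host itself opened a connection on 443.
        if any(e["id"] == 3 and e["dst_port"] == 443 for e in evs):
            hit["techniques"].append("T1071 HTTPS C2 from script host")
        # T1107: the script file named on the command line was deleted by
        # the same process.  Only checkable when the path was extractable.
        script_path = extract_script_path(launch["cmdline"])
        if script_path and any(
                e["id"] == 23 and e["target"].lower() == script_path for e in evs):
            hit["techniques"].append("T1107 script deleted itself")
        findings[pid] = hit
    return findings


if __name__ == "__main__":
    for pid, hit in correlate(SAMPLE_EVENTS).items():
        print(pid, hit["script"])
        for label in hit["techniques"]:
            print("   ", label)
```

Only processes that match the launch heuristic are reported, so the benign cscript.exe job is dropped even though it made a network connection. In practice the PID alone is a weak join key across a long log (PIDs are reused), so a real rule should key on the process GUID or on PID plus process start time.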

Groups

Groups that use this software:

Cobalt Group

References