125. Hunting for More_eggs Backdoor

Hello everyone!

Yesterday we talked about some new tools developed by the threat actor known as Venom Spider. But let's also talk a bit about one of the classic tools this actor is known for: the more_eggs backdoor. It is still in use; for example, here's a fresh campaign covered by Arctic Wolf.

I want to point out the following behavior marker: msxsl.exe, a legitimate binary known as Microsoft's Command Line Transformation Utility, is used to execute the backdoor (note that both the source and the stylesheet argument are .txt files rather than the expected .xml/.xsl):

msxsl.exe D30F38D93CA9185.txt D30F38D93CA9185.txt

We can use this marker to build our hunting query:

event_type: "processcreatewin" AND proc_file_name: "msxsl.exe" AND cmdline: "txt"
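To show what this query does when applied to telemetry, here is an added example (not part of the original post and not a tool from Arctic Wolf or the author) that runs the same three conditions over a few constructed process-creation events using the field names from the query above. It goes one step beyond the query: for every hit it also lists which command-line arguments are not the .xml/.xsl/.xslt files msxsl.exe normally receives, so an analyst can see at a glance why an event looks odd. The events, paths and file names below are constructed sample data (the hash-like name is taken from the command line shown in the post).

```python
import re
from typing import Dict, List

# Constructed sample telemetry, not real events. Field names follow the
# hunting query: event_type, proc_file_name, cmdline.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # The marker from the post: two .txt arguments instead of .xml/.xsl
    {"event_type": "processcreatewin", "proc_file_name": "msxsl.exe",
     "cmdline": "msxsl.exe D30F38D93CA9185.txt D30F38D93CA9185.txt"},
    # Legitimate-looking usage: XML source, XSL stylesheet, HTML output
    {"event_type": "processcreatewin", "proc_file_name": "msxsl.exe",
     "cmdline": "msxsl.exe report.xml transform.xsl -o report.html"},
    # Different binary touching a .txt file: must not match
    {"event_type": "processcreatewin", "proc_file_name": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    # Right binary and arguments, wrong event type: must not match
    {"event_type": "filecreatewin", "proc_file_name": "msxsl.exe",
     "cmdline": "msxsl.exe payload.txt payload.txt"},
    # Same pattern with mixed case and full paths (constructed)
    {"event_type": "processcreatewin", "proc_file_name": "MSXSL.EXE",
     "cmdline": "C:\\Users\\Public\\MSXSL.EXE C:\\Users\\Public\\1.TXT C:\\Users\\Public\\1.TXT"},
]

# Extensions msxsl.exe is normally invoked with (source, stylesheet, output).
EXPECTED_EXTENSIONS = (".xml", ".xsl", ".xslt", ".html", ".htm")


def matches_hunt_query(event: Dict[str, str]) -> bool:
    """Mirror the post's query: processcreatewin AND msxsl.exe AND cmdline contains 'txt'.

    Comparisons are case-insensitive so that MSXSL.EXE / 1.TXT are still caught.
    """
    return (
        event.get("event_type", "").lower() == "processcreatewin"
        and event.get("proc_file_name", "").lower() == "msxsl.exe"
        and "txt" in event.get("cmdline", "").lower()
    )


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, keeping quoted paths together."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def unexpected_arguments(cmdline: str) -> List[str]:
    """Return file arguments whose extension is not one msxsl.exe normally takes.

    The first token (the image itself) and switches such as -o are skipped.
    """
    args = split_cmdline(cmdline)[1:]
    return [
        a for a in args
        if not a.startswith("-") and not a.lower().endswith(EXPECTED_EXTENSIONS)
    ]


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the query to a batch of events and enrich each hit with its odd arguments."""
    hits = []
    for ev in events:
        if not matches_hunt_query(ev):
            continue
        hits.append({
            "cmdline": ev["cmdline"],
            "suspicious_args": unexpected_arguments(ev["cmdline"]),
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"HIT: {hit['cmdline']}")
        print(f"     non-XML/XSL arguments: {hit['suspicious_args']}")
```

Only the first and the last sample events survive all three conditions; the notepad.exe and filecreatewin events are filtered out, and the report.xml / transform.xsl invocation is not reported because its command line never mentions "txt". In a real environment the extension check is the useful part of the triage: msxsl.exe being handed two identically named .txt files, as in the campaign, is the kind of argument shape that rarely appears in legitimate XSLT work.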

Have you observed msxsl.exe in your environment?

See you tomorrow!
