125. Hunting for More_eggs Backdoor
Hello everyone!
Yesterday we talked about some new tools developed by the threat actor known as Venom Spider. But let's talk a bit about one of the classic tools this actor is known for: the more_eggs backdoor. It's still in use; for example, here's a fresh campaign covered by Arctic Wolf.
I want to point out the following behavior marker: msxsl.exe, a legitimate binary (Microsoft's Command Line Transformation Utility), is used to execute the backdoor:
msxsl.exe D30F38D93CA9185.txt D30F38D93CA9185.txt
We can use this marker to build our hunting query:
event_type: "processcreatewin"
AND
proc_file_name: "msxsl.exe"
AND
cmdline: "txt"
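As an added example (not part of the original post), here is a small Python checker that applies the same marker to process-creation events. It goes slightly beyond the query above: besides a .txt argument, it also flags the same file being passed as both the XML source and the stylesheet, which is what the observed command line does. The JSON field names follow the hunting query, and the sample events are constructed.

```python
import json
import shlex
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry), using the field names from
# the hunting query above. Only the first line should produce a hit.
SAMPLE_EVENTS = """\
{"event_type": "processcreatewin", "proc_file_name": "msxsl.exe", "cmdline": "msxsl.exe D30F38D93CA9185.txt D30F38D93CA9185.txt"}
{"event_type": "processcreatewin", "proc_file_name": "msxsl.exe", "cmdline": "msxsl.exe report.xml style.xsl -o report.html"}
{"event_type": "processcreatewin", "proc_file_name": "notepad.exe", "cmdline": "notepad.exe notes.txt"}
{"event_type": "filecreatewin", "proc_file_name": "msxsl.exe", "cmdline": "msxsl.exe D30F38D93CA9185.txt D30F38D93CA9185.txt"}
"""


def hunt_msxsl(jsonl_text):
    """Return the msxsl.exe process-creation events that match the marker."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "processcreatewin":
            continue
        if ev.get("proc_file_name", "").lower() != "msxsl.exe":
            continue
        # Split like a Windows shell would (backslashes are not escapes).
        tokens = shlex.split(ev.get("cmdline", ""), posix=False)
        args = [t.strip('"') for t in tokens[1:]]
        positional = [a for a in args if not a.startswith("-")]
        reasons = []
        # msxsl normally consumes .xml and .xsl; a .txt input is the marker.
        if any(PureWindowsPath(a).suffix.lower() == ".txt" for a in positional):
            reasons.append("text file passed as msxsl input")
        # Same file given as both source and stylesheet, as in the campaign.
        if len(positional) >= 2 and positional[0].lower() == positional[1].lower():
            reasons.append("same file used as XML source and stylesheet")
        if reasons:
            hits.append({"cmdline": ev["cmdline"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt_msxsl(SAMPLE_EVENTS):
        print(hit["cmdline"], "->", "; ".join(hit["reasons"]))
```

The second sample line shows a benign XSLT transform that the marker should not flag, which is why the check looks at the argument extensions rather than every msxsl.exe launch.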
Have you observed msxsl.exe in your environment?
See you tomorrow!