Threat Watch

Fin6 Seen Using More_eggs Jscript Backdoor

Fin6: Fin6, originally known for its attacks on physical Point-of-Sale (POS) systems, has been seen using the More_eggs Jscript backdoor. More_eggs, also known as SpicyOmlettte and Terra Loader, is a backdoor sold as Malware-as-a-Service (Maas) via the dark-net where the group obtained it and began using it to attack the e-commerce industry. The group began by finding employees on LinkedIn that worked at the targeted company. After the group had their victims, they sent phishing emails which included a Google drive link for the victim to open. If the victim clicked the link, they would be redirected to a page that stated that the preview was not available but had an alternate link on the page. Once clicked, the alternate link would download a zip file that contained a malicious Windows script file that initiates the infection routine of More_eggs. This in turn, would establish a reverse shell connection to the attacker’s C2 server. More_eggs is able to execute files and scripts as well as run cmd.exe commands. In the case of Fin6, they would download a signed Dynamic Linked Library (DLL) which would create a reverse shell and connect to the remote host that allows the group to download the card skimmer. Once the group has done this, they would have a foothold in the system and begin to move laterally within the network. The group would also infect alternate devices within a network with More_eggs to allow them to have multiple ways into an affected network.

ANALYST NOTES

Fin6 is a financially motivated group that has been around for multiple years and began by attacking physical POS systems. Like many other industries, online shopping has become a huge market, making it more likely for groups like Fin6 to begin targeting online companies vs physical card machines in skimming attacks.