Key Takeaways:
- Small Business Vulnerability: Limited cybersecurity awareness makes SMBs prime targets for sophisticated malware campaigns like More_eggs.
- The Role of MSPs: Managed Service Providers (MSPs) must adopt proactive security measures to stay ahead of threats.
- The Need for Modern Solutions: Tools like phishing simulations, endpoint protection, as well as a more unified platform approach can strengthen defenses at the foundation.
The cybersecurity world is no stranger to evolving threats, but the resurgence of the More_eggs malware campaign has captured fresh attention. In December 2024, a report revealed new iterations of this malware, highlighting its enhanced evasion techniques and tailored attack chains. For SMBs and the MSPs safeguarding them, this is a clarion call to reevaluate their cybersecurity strategies.
What Is More_eggs?
More_eggs is a backdoor malware associated with the Golden Chickens malware-as-a-service (MaaS) framework. It is used by cybercriminals to infiltrate networks, enabling follow-up attacks like data theft, ransomware, and cryptojacking.
Chain of Attack
Campaign 1: VenomLNK → RevC2
- VenomLNK: An LNK file contains an obfuscated BAT script that downloads a decoy PNG file (API documentation) from a remote server.
- RevC2: An info-stealing backdoor communicates with a C&C server using WebSockets. It can steal passwords, execute commands, and capture screenshots.
Campaign 2: VenomLNK → Venom Loader → Retdoor
- VenomLNK: Writes VBS and BAT scripts to the Windows temporary directory. The VBS script triggers the BAT script to download a decoy cryptocurrency image and a malicious base.zip file from a remote server.
- Venom Loader: A custom-made loader decodes and delivers the Retdoor backdoor via PS1 scripts.
- Retdoor: Sends continuous HTTP POST requests to the C&C server with system details, executes encoded commands, and hides under system processes like “GoogleUpdate.”
Breaking Down the Terminology
Backdoor:
A backdoor is a type of malware that bypasses standard authentication methods to gain unauthorized access to a system. This allows attackers to remotely control resources like databases and file servers. With this access, they can execute system commands, steal sensitive data, or install additional malware undetected.
Loader:
A loader is a malicious tool designed to infiltrate devices and deliver harmful software (payloads). Once inside a system, loaders can gather system information, install other types of malware such as trojans or data stealers, and prepare the environment for further attacks.
These tools allow attackers to bypass conventional defenses, making them especially dangerous for SMBs with limited resources.
The Devastating Impact to Small Businesses
- Low Security Awareness:
SMBs often lack dedicated IT teams and cybersecurity expertise. Employees may unknowingly click malicious links or open infected attachments, triggering the malware long before anyone knows what is happening.
- Financial and Operational Fallout:
- Data Exposure: Breaches can result in regulatory fines and loss of customer trust.
- Operational Disruption: Ransomware and data theft can paralyze critical business functions.
- Reputational Damage: A compromised reputation can lead to client attrition.
- Stealth and Persistence:
More_eggs thrives on its ability to evade detection, establishing long-term persistence and enabling subsequent attacks.
MSP’s Role in Defending SMBs
MSPs are pivotal in addressing these challenges, serving as the first line of defense for SMBs. Here’s how they can combat threats like More_eggs:
1. Enhance Employee Awareness
- Recurring Training: Use interactive videos and quizzes to teach employees how to spot phishing attempts and malicious files.
- Phishing Simulations: Conduct periodic tests to evaluate and improve employee vigilance.
2. Deploy Advanced Endpoint Security
Endpoint protection solutions provide continuous monitoring of all devices, which is especially crucial in hybrid or remote work environments. EDR tools with advanced NGAV capabilities are most effective at blocking this family of malware.
3. Strengthen Email Security
Email remains a leading attack vector, with 90% of attacks originating from phishing emails. MSPs should deploy tools that scan attachments and URLs, proactively preventing threats like phishing and spoofing.
4. Implement Incident Response Plans
Regularly back up data and prepare a clear response plan to minimize downtime and financial loss in the event of an attack.
Proactive Measures for SMBs and MSPs
- Unified Security Platforms: Tools that integrate Microsoft 365, Google Workspace, and endpoint protection enable MSPs to deliver holistic security.
- Browser Protections: Real-time detection of malicious sites and phishing attempts can significantly reduce risk.
- AI-Powered Solutions: Automation and predictive analytics allow MSPs to anticipate and mitigate evolving threats.
The Final Word
The More_eggs campaign underscores the urgent need for proactive cybersecurity. SMBs are particularly vulnerable, but MSPs armed with the right tools and strategies can make a decisive difference.
Solutions like Guardz not only protect against advanced threats but also simplify the complex security landscape for SMBs. Want to learn more? Visit Guardz.com today.
Written by
Tal Eisner is the Vice President of Product Marketing at Guardz, bringing over two decades of experience in cybersecurity and fraud management. Prior to joining Guardz, Tal led marketing efforts at Check Point Research, the Intelligence & Research division of a leading cybersecurity company. With a strong background in security, Tal combines his technical expertise with a strategic focus on marketing, communications, and business development. His career reflects a deep commitment to advancing cybersecurity solutions while effectively communicating their value to diverse audiences.