Cracking the Shell of More_eggs: Cyber Risks for SMBs & How MSPs Can Respond

Key Takeaways:

  • Small Business Vulnerability: Limited cybersecurity awareness makes SMBs prime targets for sophisticated malware campaigns like More_eggs.
  • The Role of MSPs: Managed Service Providers (MSPs) must adopt proactive security measures to stay ahead of threats.
  • The Need for Modern Solutions: Tools like phishing simulations and endpoint protection, together with a more unified platform approach, can strengthen defenses at the foundation.

The cybersecurity world is no stranger to evolving threats, but the resurgence of the More_eggs malware campaign has captured fresh attention. In December 2024, a report revealed new iterations of this malware, highlighting its enhanced evasion techniques and tailored attack chains. For SMBs and the MSPs safeguarding them, this is a clarion call to reevaluate their cybersecurity strategies.


What Is More_eggs?

More_eggs is a backdoor malware associated with the Golden Chickens malware-as-a-service (MaaS) framework. It is used by cybercriminals to infiltrate networks, enabling follow-up attacks like data theft, ransomware, and cryptojacking.

Chain of Attack

Campaign 1: VenomLNK → RevC2

  1. VenomLNK: An LNK (Windows shortcut) file contains an obfuscated BAT script that downloads a decoy PNG image (posing as API documentation) from a remote server.
  2. RevC2: An info-stealing backdoor that communicates with a command-and-control (C&C) server over WebSockets. It can steal passwords, execute commands, and capture screenshots.

Campaign 2: VenomLNK → Venom Loader → Retdoor

  1. VenomLNK: Writes VBS and BAT scripts to the Windows temporary directory. The VBS script triggers the BAT script to download a decoy cryptocurrency image and a malicious base.zip file from a remote server.
  2. Venom Loader: A custom-made loader decodes and delivers the Retdoor backdoor via PS1 scripts.
  3. Retdoor: Sends continuous HTTP POST requests to the C&C server with system details, executes encoded commands, and hides under system processes like “GoogleUpdate.”
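The two chains above share a handful of observable behaviours a defender can look for in endpoint telemetry: a script interpreter launched with a .vbs/.bat/.ps1 file sitting in a Temp directory, a process named like a legitimate updater ("GoogleUpdate") running from an unexpected path, and continuous HTTP POSTs to one host at a steady interval. The following is an added example of those three heuristics, not code from this post or from the More_eggs research it cites. The event layout and field names, the updater install-directory fragment used to whitelist the real GoogleUpdate, and the beaconing thresholds are all assumptions made for this example; the sample events are constructed.

```python
"""Heuristic detection of VenomLNK / Venom Loader / Retdoor-style behaviour
over constructed Sysmon-like events (field names are assumptions)."""
import ntpath
import statistics
from collections import defaultdict
from datetime import datetime

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SCRIPT_EXTS = (".vbs", ".bat", ".ps1")

# Constructed sample telemetry: process-creation events.
SAMPLE_EVENTS = [
    # Shortcut opened from Explorer runs an obfuscated BAT dropped in %TEMP%
    {"type": "process", "ts": "2024-12-10T09:00:00", "pid": 4100,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\k3f.bat"'},
    # VBS written to %TEMP% and launched through wscript
    {"type": "process", "ts": "2024-12-10T09:00:02", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\run.vbs"},
    # Backdoor masquerading as the Google updater from a user-writable path
    {"type": "process", "ts": "2024-12-10T09:00:05", "pid": 4200,
     "image": r"C:\Users\alice\AppData\Roaming\GoogleUpdate.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "GoogleUpdate.exe"},
    # Real updater from its install directory (must not alert)
    {"type": "process", "ts": "2024-12-10T09:01:00", "pid": 4300,
     "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "GoogleUpdate.exe /svc"},
]
# Constructed: six HTTP POSTs from pid 4200 to one host, exactly 60 s apart.
SAMPLE_EVENTS += [
    {"type": "http", "ts": f"2024-12-10T09:{m:02d}:05", "pid": 4200,
     "method": "POST", "host": "203.0.113.10"} for m in range(1, 7)
]
# Constructed: ordinary browsing, irregular GETs (must not alert).
SAMPLE_EVENTS += [
    {"type": "http", "ts": t, "pid": 5000, "method": "GET", "host": "example.org"}
    for t in ("2024-12-10T09:00:11", "2024-12-10T09:00:13", "2024-12-10T09:02:40")
]


def detect_script_from_temp(events):
    """Script interpreters whose command line points at a .vbs/.bat/.ps1 in a Temp dir."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        # ntpath handles backslash paths regardless of the analyst's OS
        if ntpath.basename(e["image"]).lower() not in SCRIPT_HOSTS:
            continue
        cmd = e["cmdline"].lower()
        if "\\temp\\" in cmd and any(ext in cmd for ext in SCRIPT_EXTS):
            hits.append(("script_from_temp", e["pid"], e["cmdline"]))
    return hits


def detect_masquerading(events, name="googleupdate.exe", expected_dir="\\google\\update\\"):
    """A process carrying the updater's name but running outside its install
    directory (the expected directory fragment is an assumption for this example)."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        image = e["image"].lower()
        if ntpath.basename(image) == name and expected_dir not in image:
            hits.append(("masquerading", e["pid"], e["image"]))
    return hits


def detect_beaconing(events, min_posts=5, max_jitter=0.2):
    """(pid, host) pairs sending >= min_posts POSTs at near-constant intervals.
    max_jitter bounds stdev/mean of the gaps; both thresholds are assumed values."""
    series = defaultdict(list)
    for e in events:
        if e["type"] == "http" and e["method"] == "POST":
            series[(e["pid"], e["host"])].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for (pid, host), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_posts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append(("beaconing", pid, host, round(mean, 1)))
    return hits


def run_all(events):
    """Run every heuristic and return the combined alert list."""
    return (detect_script_from_temp(events)
            + detect_masquerading(events)
            + detect_beaconing(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Each heuristic is deliberately narrow so that a legitimate updater and normal browsing stay quiet; in production the Temp-path and updater-path checks would be driven by the EDR's own fields, and the beaconing thresholds tuned against the client's baseline traffic.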

Breaking Down the Terminology

Backdoor:
A backdoor is a type of malware that bypasses standard authentication methods to gain unauthorized access to a system. This allows attackers to remotely control resources like databases and file servers. With this access, they can execute system commands, steal sensitive data, or install additional malware undetected.

Loader:
A loader is a malicious tool designed to infiltrate devices and deliver harmful software (payloads). Once inside a system, loaders can gather system information, install other types of malware such as trojans or data stealers, and prepare the environment for further attacks.

These tools allow attackers to bypass conventional defenses, making them especially dangerous for SMBs with limited resources.

The Devastating Impact on Small Businesses

  1. Low Security Awareness:
    SMBs often lack dedicated IT teams and cybersecurity expertise. Employees may unknowingly click malicious links or open infected attachments, triggering the malware long before anyone knows what is happening.
  2. Financial and Operational Fallout:
    • Data Exposure: Breaches can result in regulatory fines and loss of customer trust.
    • Operational Disruption: Ransomware and data theft can paralyze critical business functions.
    • Reputational Damage: A compromised reputation can lead to client attrition.
  3. Stealth and Persistence:
    More_eggs thrives on its ability to evade detection, establishing long-term persistence and enabling subsequent attacks.

MSP’s Role in Defending SMBs

MSPs are pivotal in addressing these challenges, serving as the first line of defense for SMBs. Here’s how they can combat threats like More_eggs:

1. Enhance Employee Awareness

  • Recurring Training: Use interactive videos and quizzes to teach employees how to spot phishing attempts and malicious files.
  • Phishing Simulations: Conduct periodic tests to evaluate and improve employee vigilance.

2. Deploy Advanced Endpoint Security

Endpoint protection solutions ensure continuous monitoring of all devices, which is especially crucial in hybrid or remote work environments. EDR tools with advanced NGAV (next-generation antivirus) capabilities are the most effective at blocking this family of malware.

3. Strengthen Email Security

Email remains a leading attack vector, with 90% of attacks originating from phishing emails. MSPs should deploy tools that scan attachments and URLs, proactively preventing threats like phishing and spoofing.
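The attachment types named in the two campaigns (an LNK shortcut, VBS and BAT scripts, and a base.zip carrying them) are exactly what an attachment scanner should refuse or quarantine. The following is an added example of such a screening function, not code from this post or from any Guardz product: it flags shortcut and script attachments, document-looking double extensions, and recurses into zip archives to find the same things inside. The extension lists, nesting limit and size cap are assumptions made for this example, and the sample attachments are constructed in memory.

```python
"""Screen mail attachments for shortcut/script payloads, including inside zips.
All thresholds and extension lists are assumptions for this added example."""
import io
import ntpath
import os
import zipfile

RISKY_EXTS = {".lnk", ".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".ps1", ".hta", ".scr"}
DOC_LIKE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MAX_DEPTH = 3                       # stop descending into zip-in-zip-in-zip
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # do not inflate oversized members


def screen_attachment(name, data, depth=0):
    """Return a list of (path, reason) findings for one attachment.
    Zip archives are opened and their members screened recursively."""
    findings = []
    base = ntpath.basename(name.replace("/", "\\")).lower()
    root, ext = os.path.splitext(base)
    if ext in RISKY_EXTS:
        findings.append((name, f"shortcut/script attachment ({ext})"))
    # "api_docs.pdf.lnk": the second-to-last extension looks like a document
    if os.path.splitext(root)[1] in DOC_LIKE_EXTS:
        findings.append((name, "double extension disguised as a document"))
    if ext == ".zip":
        if depth >= MAX_DEPTH:
            findings.append((name, "nested archives too deep to inspect"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((f"{name}/{info.filename}", "member too large to inspect"))
                        continue
                    inner = zf.read(info)
                    findings.extend(
                        (f"{name}/{p}", r)
                        for p, r in screen_attachment(info.filename, inner, depth + 1)
                    )
        except zipfile.BadZipFile:
            findings.append((name, ".zip name but not a valid zip archive"))
    return findings


def _build_zip(members):
    """Build an in-memory zip from {filename: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed sample attachments; the .lnk bytes are a placeholder, not a real shortcut.
SAMPLE_ATTACHMENTS = {
    "base.zip": _build_zip({
        "chart.png": b"constructed placeholder image bytes",
        "run.vbs": b"' constructed placeholder, not a real script",
        "k3f.bat": b"rem constructed placeholder, not a real script",
    }),
    "api_docs.pdf.lnk": b"constructed placeholder, not a real shortcut",
    "quarterly_report.pdf": b"%PDF-1.4 constructed placeholder",
}


def screen_mailbox(attachments):
    """Screen every attachment of a message; returns {name: findings}."""
    return {name: screen_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in screen_mailbox(SAMPLE_ATTACHMENTS).items():
        print(name, "->", findings or "clean")
```

A finding here is a reason to quarantine, not proof of malice; the value of the recursion is that the zip wrapper, which many simple filters wave through, is opened and judged by its contents rather than by its own extension.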

4. Implement Incident Response Plans

Regularly back up data and prepare a clear response plan to minimize downtime and financial loss in the event of an attack.

Proactive Measures for SMBs and MSPs

  • Unified Security Platforms: Tools that integrate Microsoft 365, Google Workspace, and endpoint protection enable MSPs to deliver holistic security.
  • Browser Protections: Real-time detection of malicious sites and phishing attempts can significantly reduce risk.
  • AI-Powered Solutions: Automation and predictive analytics allow MSPs to anticipate and mitigate evolving threats.

The Final Word

The More_eggs campaign underscores the urgent need for proactive cybersecurity. SMBs are particularly vulnerable, but MSPs armed with the right tools and strategies can make a decisive difference.

Solutions like Guardz not only protect against advanced threats but also simplify the complex security landscape for SMBs. Want to learn more? Visit Guardz.com today.


Tal Eisner is the Vice President of Product Marketing at Guardz, bringing over two decades of experience in cybersecurity and fraud management. Prior to joining Guardz, Tal led marketing efforts at Check Point Research, the Intelligence & Research division of a leading cybersecurity company. With a strong background in security, Tal combines his technical expertise with a strategic focus on marketing, communications, and business development. His career reflects a deep commitment to advancing cybersecurity solutions while effectively communicating their value to diverse audiences.
