
Attack chain | Image: Tonmoy Jitu
More_Eggs is back—and it’s sneakier than ever. A new report by researcher Tonmoy Jitu dissects a recent sample of the infamous JavaScript-based backdoor used by the financially motivated group Venom Spider (also known as Golden Chickens). Known for its stealthy delivery via job application scams, this Malware-as-a-Service (MaaS) toolset continues to evolve in sophistication and evasion.
The analyzed sample, named Sebastian Hall.zip, fits the group’s standard ruse: posing as a job applicant to HR departments. The ZIP file contains:
- A decoy image (b.jpg)
- A malicious Windows shortcut file (Sebastian Hall.lnk)
“The LNK file (Sebastian Hall.lnk) is the heart of the More_Eggs malware’s infection chain,” Jitu writes.
When opened, the LNK file quietly initiates a multi-stage attack, starting with the launch of Microsoft Word as a decoy while hidden scripts begin the malicious operation in the background.
The LNK’s embedded batch script is heavily obfuscated. Using tools like LECmd and Exiftool, Jitu extracts the full command hidden in the shortcut, revealing a complex chain of variable manipulation and delayed execution.
“Obfuscation in these batch scripts involves transforming straightforward commands (echo, xcopy, start) into complex, unreadable forms to hinder analysis.”
This script:
- Launches Microsoft Word to distract the user.
- Creates a fake .inf configuration file (ieuinit.inf) in the %temp% directory.
- Copies the legitimate ieuinit.exe from C:\Windows\System32 to %temp%.
- Executes ieuinit.exe with a suspicious parameter: -basjestings.
“This is the moment the malware goes live, potentially executing JavaScript (JS), loading a malicious DLL, or reaching out to a C2 server for further instructions.”
By abusing ieuinit.exe—a legitimate Internet Explorer utility—More_Eggs camouflages its operations from endpoint protection tools. The fake .inf file is not a configuration file at all, but rather a roadmap for malware execution.
“A legitimate Windows binary, ieuinit.exe, is abused by More_Eggs to execute malicious tasks without raising alarms.”
Inside the ieuinit.inf are encoded values and obfuscated strings that hide payload URLs and instructions, such as:
- A disguised URL like hxxp[://]wfshtl[.]com/abf2iawq
- Variable-based masking of file and payload identifiers
Once the script runs ieuinit.exe, it reaches out to the specified URL and downloads a polymorphic JavaScript backdoor. Using tools like Magika, the analyst confirmed the payload’s filetype and noted its evasive characteristics.
“The heavy obfuscation… mirrors tactics described by Arctic Wolf Labs, where Venom Spider uses server-side polymorphism to generate unique JS payloads for each victim.”
This JavaScript acts as a dropper and controller, likely deploying a DLL and establishing communication with the attacker’s C2 infrastructure for further commands.
Security teams and defenders should take note of these hunting artifacts and behavioral flags:
- Watch for Microsoft Word or WordPad launched from .lnk files in ZIP attachments.
- Flag ieuinit.exe executions from %temp% instead of System32.
- Scan for ieuinit.inf and ieuinit.exe in %temp% and remove them.
- Block ZIP attachments containing .lnk files from unknown sources—especially in HR workflows.
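As an added illustration of those hunting flags (this is not code from Jitu's report), the script below applies them to constructed process-creation records and checks a temp directory for the staged ieuinit.inf / ieuinit.exe pair; the event fields, the sample paths and the Word-spawned-by-cmd.exe heuristic are assumptions.

```python
"""Triage checks for the More_Eggs ieuinit.exe abuse pattern (added example)."""
import ntpath
from dataclasses import dataclass
from pathlib import Path

SYSTEM32 = r"c:\windows\system32"
STAGED_NAMES = ("ieuinit.inf", "ieuinit.exe")   # files the batch script drops in %temp%


@dataclass
class ProcEvent:
    image: str          # full path of the new process (as in a process-creation log)
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the hunting flags matched by one process-creation event."""
    name = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    flags = []
    # The legitimate ieuinit.exe lives in System32; a copy running elsewhere is the tell.
    if name == "ieuinit.exe" and ntpath.dirname(ev.image).lower() != SYSTEM32:
        flags.append("ieuinit.exe executed outside System32")
    # The switch the report observed on the analysed sample.
    if name == "ieuinit.exe" and "-basjestings" in ev.cmdline.lower():
        flags.append("ieuinit.exe launched with -basjestings")
    # Heuristic (assumption): the decoy Word/WordPad is started by the LNK's cmd.exe,
    # not by explorer.exe as a user double-click would do.
    if name in ("winword.exe", "wordpad.exe") and parent == "cmd.exe":
        flags.append("Word/WordPad spawned by cmd.exe (LNK decoy pattern)")
    return flags


def staged_artifacts(temp_dir: str) -> list[str]:
    """List the More_Eggs staging files present in a temp directory (for removal)."""
    root = Path(temp_dir)
    return [n for n in STAGED_NAMES if (root / n).is_file()]


# Constructed sample telemetry: one benign launch, then two events from the chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\ieuinit.exe", "ieuinit.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "winword.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\hr\AppData\Local\Temp\ieuinit.exe",
              "ieuinit.exe -basjestings", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.image, "->", evaluate(ev) or "clean")
```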