2023-05-15

OCX#HARVESTER Campaign Unleashes More_eggs Suite on Financial Service Organizations

Category: Threat Actor Activity | Industry: Financial Services | Level: Tactical | Source: Securonix

A new cyber attack campaign, "OCXHarvester," has been targeting financial service and financial service-related organizations from December 2022 through at least March 2023. Securonix Threat Labs reported the campaign, tracked as "OCX#HARVESTER," and found that it uses the "More_eggs" malware suite to create a JavaScript backdoor. The malware is known for its modular and highly customizable capabilities. The reported infection chain begins with the delivery of a phishing email containing a zip file that houses malicious shortcut files. A series of living-off-the-land binary (LOLBin) activities follows, starting with the execution of an obfuscated CMD command from the shortcut file. The Windows process ie4uinit.exe is then copied from the System32 directory into an attacker-created directory and executed with WMIC.

"At this stage of the attack the attackers have achieved code execution and are looking to advance their foothold. This is historically where TerraLoader comes into play within the More_eggs attack chain," said Securonix. The scripts set up persistence in the registry through the Windows logon script value UserInitMprLogonScript, connect to the attackers' C2, and abuse another Windows binary, Msxsl.exe. As observed by Securonix, "the Windows binary msxsl.exe is used to ensure script execution success. This particular LOLBin allows the code to bypass application whitelisting restrictions such as AppLocker. Code such as JavaScript, VBscript, or JScript contained inside an expected .xsl file (or any XML formatted file) can be executed regardless of application restrictions." Msxsl also provides a level of persistence: every 120 seconds the script re-runs and then sleeps. During post-exploitation, the threat actors dropped additional payload files for OCX#HARVESTER to gather system data and capture desktop images, in addition to enumerating the victim's accounts.

Anvilogic Scenario:

  • System Process Abuse & LOLBin Attack

Anvilogic Use Cases:

  • Windows Process Outside of System Folder
  • Logon Script Registry Key added
  • Msxsl Execution
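The three use cases above map directly onto the chain described in the report: a System32 binary (ie4uinit.exe) running from an attacker-created folder, a write to the UserInitMprLogonScript logon-script value, and msxsl.exe launching. The following is an added example, not Anvilogic's or Securonix's own detection content, showing how those three checks can be expressed and run over process-creation and registry telemetry. The event records are constructed to resemble Sysmon event fields (Image, TargetObject, EventType, CommandLine); those field names, the host names and the file paths are assumptions. The registry location HKCU\Environment for UserInitMprLogonScript is not stated on the page but is where that value lives.

```python
"""Detection logic for the OCX#HARVESTER tradecraft summarised above.

Added example, not Anvilogic's or Securonix's own content. The event
records below are constructed; Sysmon-style field names are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Windows binaries that legitimately live only under System32/SysWOW64.
# One of these executing from another path (the copied ie4uinit.exe in
# the report) is the "Windows Process Outside of System Folder" signal.
SYSTEM_BINARIES = {"ie4uinit.exe", "wmic.exe", "rundll32.exe"}

# UserInitMprLogonScript sits under the user's Environment key (HKCU\Environment).
LOGON_SCRIPT_KEY = re.compile(r"\\environment\\userinitmprlogonscript$", re.I)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def detect_process_outside_system_folder(ev):
    """Rule 1: a System32-only binary executing from a non-system directory."""
    image = ev.get("Image", "")
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower() + "\\"
    if name in SYSTEM_BINARIES and not folder.startswith(SYSTEM_DIRS):
        return Finding("Windows Process Outside of System Folder", ev["host"], image)
    return None


def detect_logon_script_registry(ev):
    """Rule 2: a value written to ...\\Environment\\UserInitMprLogonScript."""
    if ev.get("EventType") == "SetValue" and LOGON_SCRIPT_KEY.search(ev.get("TargetObject", "")):
        return Finding("Logon Script Registry Key added", ev["host"], ev.get("Details", ""))
    return None


def detect_msxsl_execution(ev):
    """Rule 3: msxsl.exe launched at all; it is rare on workstations and a known LOLBin."""
    name = ntpath.basename(ev.get("Image", "")).lower()
    if name == "msxsl.exe":
        return Finding("Msxsl Execution", ev["host"], ev.get("CommandLine", ""))
    return None


RULES = (detect_process_outside_system_folder, detect_logon_script_registry, detect_msxsl_execution)


def run_detections(events):
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: three events mirroring the reported chain on ws01,
# plus two benign events on ws02 that must not fire.
SAMPLE_EVENTS = [
    {"host": "ws01", "EventID": 1, "Image": "C:\\Users\\Public\\update\\ie4uinit.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "ie4uinit.exe -BaseSettings"},
    {"host": "ws01", "EventID": 13, "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-1\\Environment\\UserInitMprLogonScript",
     "Details": "C:\\Users\\Public\\update\\run.cmd"},
    {"host": "ws01", "EventID": 1, "Image": "C:\\Users\\Public\\update\\msxsl.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "msxsl.exe in.xml t.xsl"},
    {"host": "ws02", "EventID": 1, "Image": "C:\\Windows\\System32\\ie4uinit.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "ie4uinit.exe -ClearIconCache"},
    {"host": "ws02", "EventID": 13, "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-2\\Environment\\Path", "Details": "C:\\tools"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Rule 1 keys on the binary name plus its parent directory rather than on a hash, because the copied file is byte-identical to the legitimate one; the anomaly is the location, not the content. Rule 3 deliberately fires on any msxsl.exe launch: the tool is not shipped with Windows, so in most estates its mere presence is worth an alert, and the 120-second re-run cadence the report describes would show up as repeated hits from the same host.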
