HOW DO YOU LIKE DEM EGGS? I LIKE MINE SCRAMBLED, REALLY SCRAMBLED - A LOOK AT RECENT more_eggs SAMPLES
BACKGROUND

The topic of discussion has been covered quite well in past years, with some analyses focusing on the human element and the actors behind the tools, others attributing the activity to different groups, and some focusing on the malware and final payload. This blog will focus only on some recent samples related to what I think is more_eggs and my attempt (successful or not, I will let you be the judge of that) at analyzing them, and on some questions I have. I won't be discussing attribution or providing my thoughts on that in this blog.

HIGH LEVEL ANALYSIS OF SAMPLES

This all started with a tweet: https://twitter.com/jaydinbas/status/1633063201607675909?s=20

File Name : Axiance_Full_Reports[.]zip
Hash : 631f92c9147733acf3faa02586cd2a6cda673ec83c24252fccda1982cf3e96f6

The file is a ZIP archive that includes an LNK file and a JPG. The LNK, as you would expect, includes obfuscated code within it that is consistent with these types of campaigns.

&& c!QlGg!!dFsw!
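As an added triage example (my own code, not from the original post or the sample), here is how a defender can pull the command line out of an LNK inside such a ZIP without trusting file extensions: the ShellLink header is recognised by its size field and CLSID, the optional ItemIDList and LinkInfo blocks are skipped, and the COMMAND_LINE_ARGUMENTS StringData entry is decoded. The archive and LNK built at the bottom are constructed stand-ins; the member names and the command line are placeholders, not values from the real sample.

```python
import io, struct, zipfile
from typing import List, Optional, Tuple

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, on-disk order

def lnk_arguments(data: bytes) -> Optional[str]:
    """Return the COMMAND_LINE_ARGUMENTS string of a ShellLink (.lnk), or None if absent."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink")
    flags = struct.unpack_from("<I", data, 20)[0]  # LinkFlags
    off = LNK_HEADER_SIZE
    if flags & 0x01:  # HasLinkTargetIDList: uint16 size, then the ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # HasLinkInfo: uint32 size that counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & 0x80)  # IsUnicode
    args = None
    # StringData entries in file order: Name, RelativePath, WorkingDir, Arguments, IconLocation
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # character count, no terminator
        off += 2
        n = count * 2 if unicode else count
        text = data[off:off + n].decode("utf-16-le" if unicode else "cp1252", "replace")
        off += n
        if bit == 0x20:  # HasArguments
            args = text
    return args

def build_lnk(args: str) -> bytes:
    """Constructed sample: a minimal Unicode .lnk carrying only a command line."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, 0x20 | 0x80)
    header += bytes(LNK_HEADER_SIZE - len(header))  # zero the remaining header fields
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

def triage_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """List ZIP members that are ShellLinks by magic (not extension) with their command lines."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            if blob[:20] == struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID:
                findings.append((info.filename, lnk_arguments(blob) or ""))
    return findings

# Constructed archive mirroring the layout described above: one LNK beside a decoy JPG.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("decoy.jpg", b"\xff\xd8\xff\xe0" + bytes(16))          # placeholder JPEG header
    _zf.writestr("example.lnk", build_lnk("/c set x=PLACEHOLDER && echo %x%"))
SAMPLE_ZIP = _buf.getvalue()
```

Running `triage_zip(SAMPLE_ZIP)` returns only the LNK member with its decoded command line, which is the string to hand to whatever deobfuscation step follows.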