Security researchers at Securonix have discovered a new campaign called "OCX#HARVESTER" that distributes the "More_eggs" backdoor and other malware.
More_eggs was observed in attacks between December 2022 and March 2023. The campaign is believed to be still active, with the attackers exploring new targets and new methods of delivering the malware.
According to Securonix, the OCX#HARVESTER campaign targets the financial sector, especially cryptocurrencies.
The infection chain starts with phishing emails carrying a malicious ZIP archive that delivers two LNK shortcuts. The shortcuts are disguised as JPEG files and borrow the icon of a "Windows Image Resource" WIM file, which holds an icon library for files and folders, so they look like ordinary images.
Once executed, the shortcuts fetch further malicious files that deploy More_eggs (TerraLoader). In some cases the attackers also try to download and run the SharpChrome extension, which is designed to steal cookies and saved Chrome login information.
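The lure described above relies on an LNK shortcut that carries an image-like name inside a ZIP attachment. The following scanner, an added example that is not part of the Securonix report, inspects each archive entry for the Shell Link header and for an image extension sitting in front of a hidden `.lnk`; the archive names, contents and the `build_sample_zip` helper are constructed for the demonstration.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}


def is_lnk(data: bytes) -> bool:
    """True if the blob starts with a Windows Shell Link header."""
    return data[:20] == LNK_MAGIC


def classify_entry(name: str, head: bytes) -> Optional[str]:
    """Return a finding label for one archive entry, or None if it looks benign."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if is_lnk(head) and ext != "lnk":
        return "lnk-header-under-non-lnk-extension"
    if ext == "lnk" and len(parts) > 2 and parts[-2] in IMAGE_EXTS:
        # Explorer hides the .lnk suffix, so holiday.jpg.lnk renders as holiday.jpg
        return "image-extension-before-lnk"
    return None


def suspicious_lnk_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Scan a ZIP (given as bytes) and return (entry name, finding) for LNK lures."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)  # only the header is needed for the check
            label = classify_entry(info.filename, head)
            if label:
                findings.append((info.filename, label))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive; names and contents are invented, not from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/holiday.jpg.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("photos/cover.jpg", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("photos/real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, label in suspicious_lnk_entries(build_sample_zip()):
        print(f"{label}: {name}")
```

The header check catches shortcuts renamed to any extension, while the double-extension check catches the case where the `.lnk` suffix is present but hidden by Explorer's default settings.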
Based on the victimology and the use of the "More_eggs" backdoor, the researchers linked the campaign to the FIN6 APT group, while noting that the same backdoor has also been used by the Cobalt and Evilnum groups. They also pointed out that the current campaign resembles the "PY#RATION" campaign discovered earlier this year.
The More_eggs malware suite appears to be actively maintained and updated in an attempt to evade detection. While changes to the campaign and new attack vectors continue to be monitored, organizations are advised not to open unexpected attachments, especially those received from other organizations or from an unknown source.