
Ongoing OCX#HARVESTER Campaign Targeting Financial Organizations

A new attack campaign dubbed OCX#HARVESTER has been found distributing the More_eggs backdoor along with other malicious payloads. The malware in the campaign was observed in the wild mostly from December 2022 through March 2023. The campaign is believed to still be active, as attackers were observed exploring new targets and malware delivery methods.

Attack chain overview

According to the threat research team at Securonix, the OCX#HARVESTER campaign is focused on the financial sector, especially those involved with cryptocurrencies.
  • The infection chain starts with phishing emails containing a malicious compressed zip file that downloads two shortcut LNK files.
  • These LNK files are disguised as JPEG files and display the generic image icon taken from the ‘Windows Image Resource’ file, which contains a library of icons for files and folders.
  • Upon execution, these files download further malicious files that deploy More_eggs (aka TerraLoader) in the final stage.
  • In some cases, the attackers also attempt to download and run the SharpChrome extension, which is designed to steal Chrome cookies and login information.
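The chain above hinges on shortcut files posing as images inside an archive. The following is an added defender-side check, not code from Securonix or Cyware, that scans a zip for members whose name carries an image extension in front of .lnk, or whose bytes start with the Shell Link header despite a non-.lnk name; the sample archive is constructed inline and is not a real campaign artifact.

```python
import io
import posixpath
import zipfile

# A Shell Link (.lnk) file begins with HeaderSize 0x0000004C followed by the
# Shell Link CLSID 00021401-0000-0000-C000-000000000046 in little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def analyze_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a zip member looks like a disguised shortcut."""
    reasons = []
    base = posixpath.basename(name).lower()
    exts = ["." + p for p in base.split(".")[1:]]  # every extension, e.g. ['.jpg', '.lnk']
    has_lnk_magic = head.startswith(LNK_MAGIC)
    if has_lnk_magic:
        reasons.append("lnk-header")
    if exts and exts[-1] == ".lnk":
        reasons.append("lnk-extension")
        if any(e in IMAGE_EXTS for e in exts[:-1]):
            reasons.append("image-double-extension")
    elif has_lnk_magic:
        reasons.append("lnk-header-without-lnk-extension")
    return reasons


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = analyze_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive for the demo (not a real campaign artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_3421.jpg.lnk", LNK_MAGIC + b"\x00" * 32)  # shortcut posing as a photo
        zf.writestr("readme.txt", b"hello")                          # benign member
        zf.writestr("photo.png", LNK_MAGIC + b"\x00" * 32)          # LNK bytes under an image name
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(why)}")
```

The header check catches the case where the extension alone would pass, which is why both signals are reported separately.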

Observations regarding potential attribution

  • Based on the targeted victims and the modus operandi of the More_eggs malware, researchers associated the campaign with the FIN6 APT.
  • However, researchers also claimed that the backdoor has been used by the Cobalt group from Russia and Evilnum from Belarus.
  • Researchers further added that the current attack campaign is similar to the PY#RATION campaign detected earlier this year.

Conclusion

It appears that the More_eggs suite of malware is continually being maintained and retooled in an attempt to circumvent detection. As the changes and new attack vectors in the campaign continue to be monitored, organizations are advised to avoid opening any attachments, especially those that are unexpected or are from other organizations. Be extra vigilant with .iso, .zip, and .img attachments and implement an application whitelisting policy to restrict the execution of unknown binaries.
Cyware Publisher