{
  "modified": "2024-04-11T00:40:07.038Z",
  "name": "More_eggs",
  "description": "[More_eggs](https://attack.mitre.org/software/S0284) is a JScript backdoor used by [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN6](https://attack.mitre.org/groups/G0037). Its name was given based on the variable \"More_eggs\" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. (Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)",
  "is_family": true,
  "x_mitre_platforms": [
    "Windows"
  ],
  "x_mitre_deprecated": false,
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_version": "3.1",
  "x_mitre_contributors": [
    "Drew Church, Splunk"
  ],
  "x_mitre_aliases": [
    "More_eggs",
    "SKID",
    "Terra Loader",
    "SpicyOmelette"
  ],
  "type": "malware",
  "spec_version": "2.1",
  "id": "malware--bfd2738c-8b43-43c3-bc9f-d523c8e88bf4",
  "created": "2018-10-17T00:14:20.652Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "revoked": false,
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/software/S0284",
      "external_id": "S0284"
    },
    {
      "source_name": "SKID",
      "description": "(Citation: Crowdstrike GTR2020 Mar 2020)"
    },
    {
      "source_name": "SpicyOmelette",
      "description": "(Citation: Security Intelligence More Eggs Aug 2019)"
    },
    {
      "source_name": "Terra Loader",
      "description": "(Citation: Security Intelligence More Eggs Aug 2019)(Citation: Visa FIN6 Feb 2019)"
    },
    {
      "source_name": "More_eggs",
      "description": "(Citation: Talos Cobalt Group July 2018)(Citation: ESET EvilNum July 2020)"
    },
    {
      "source_name": "Crowdstrike GTR2020 Mar 2020",
      "description": "Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.",
      "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
    },
    {
      "source_name": "ESET EvilNum July 2020",
      "description": "Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.",
      "url": "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
    },
    {
      "source_name": "Talos Cobalt Group July 2018",
      "description": "Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.",
      "url": "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html"
    },
    {
      "source_name": "Security Intelligence More Eggs Aug 2019",
      "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.",
      "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/"
    },
    {
      "source_name": "Visa FIN6 Feb 2019",
      "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.",
      "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}