Article Details
Scrape Timestamp (UTC): 2025-01-06 14:58:52.998
Original Article Text
Click to Toggle View
Eagerbee backdoor deployed against Middle Eastern govt orgs, ISPs. New variants of the Eagerbee malware framework are being deployed against government organizations and internet service providers (ISPs) in the Middle East. Previously, the malware was seen in attacks conducted by Chinese state-backed threat actors who Sophos tracked as 'Crimson Palace.' According to a new report by Kaspersky researchers, there's a potential connection to a threat group they call 'CoughingDown,' based on code similarities and IP address overlaps. "Because of the consistent creation of services on the same day via the same webshell to execute the EAGERBEE backdoor and the CoughingDown Core Module, and the C2 domain overlap between the EAGERBEE backdoor and the CoughingDown Core Module, we assess with medium confidence that the EAGERBEE backdoor is related to the CoughingDown threat group" explains Kaspersky The Eagerbee malware framework Kaspersky couldn't determine the initial access vector in the Middle East attacks but reports that, in previous cases, two East Asian organizations were breached via the exploitation of the Microsoft Exchange ProxyLogon flaw (CVE-2021-26855). The attack involves the deployment of an injector (tsvipsrv.dll) dropped in the system32 directory to load the payload file (ntusers0.dat). Upon system start, Windows executes the injector, which then abuses the 'Themes' service, as well as SessionEnv, IKEEXT, and MSDTC, to write the backdoor payload in memory using DLL hijacking. The backdoor can be configured to execute at specific times, but Kaspersky says it was set to run 24/7 in the observed attacks. Eagerbee appears on the infected system as 'dllloader1x64.dll' and immediately begins collecting basic information like OS details and network addresses. Upon initialization, it establishes a TCP/SSL channel with the command-and-control (C2) server from where it can receive additional plugins that extend its functionality. The plugins are injected into memory by a plugin orchestrator (ssss.dll), which manages their execution. The five plugins documented by Kaspersky are the following: Overall, Eagerbee is a stealthy and persistent threat that has extensive capabilities on compromised systems. The same backdoor-loading chain was also discovered in Japan, so the attacks are global. Organizations should patch ProxyLogon on all Exchange servers and use the indicators of compromise listed in Kaspersky's report to catch the threat early.
Daily Brief Summary
New variants of the Eagerbee malware are targeting government organizations and ISPs in the Middle East.
Originally linked to Chinese state-backed actors named 'Crimson Palace,' the malware is now connected with the 'CoughingDown' group by Kaspersky researchers.
The deployment involves an injector file placed within the system32 directory, with Windows services abused to execute the malware.
The backdoor is highly persistent, set to run continuously, and designed to collect sensitive information from the infected systems.
Attack vectors in previous incidents included exploitation of the Microsoft Exchange ProxyLogon flaw.
Eagerbee uses a complex mechanism involving multiple Windows services and DLL hijacking to maintain stealth and persistence.
Kaspersky has documented five plugins that extend the functionality of the malware, enhancing its espionage capabilities.
The same methods were also detected in attacks outside the Middle East, indicating a global threat pattern. Organizations are urged to apply security updates and monitor for indicators of compromise.