Thursday, January 23, 2025

EAGERBEE Malware Updated Its Arsenal With Payloads & Command Shells


Kaspersky researchers investigating the EAGERBEE backdoor found it deployed against ISPs and government entities in the Middle East, together with novel components, including a service injector that injects the backdoor into running services.

After installation, EAGERBEE deploys plugins with the following functionalities:

  • Manages the operations and coordination of all plugins.
  • Accesses and modifies files within the system.
  • Facilitates remote control and management of the system.
  • Gathers and analyzes information about system processes.
  • Identifies and lists active network connections.
  • Controls and manages system services.

How Does the Attack Work?

The attackers initially compromised the system through an unknown vector. They deployed a service injector (“tsvipsrv.dll”) and the “ntusers0.dat” payload, which leveraged the “SessionEnv” service to execute. This involved modifying file attributes and manipulating the service to load the malicious DLL.

The “ntusers0.dat” payload contains the “EAGERBEE” backdoor, which collects system information, encrypts its configuration, and establishes a connection to the C2 server.

Upon successful connection, the backdoor receives a "Plugin Orchestrator" payload from the C2 server and executes it. The orchestrator employs a plugin-based architecture.

The core orchestrator DLL, "ssss.dll", is injected into memory, collects system information, including running processes and privileges, and communicates with the command-and-control (C2) server.

It then receives commands from the C2 server, the primary purpose of which is to manage plugins: dynamic link libraries (DLLs) that export functions for injection, initialization, and execution.

Key plugins include a File Manager, capable of file system operations like listing, copying, deleting, and injecting payloads, and a Process Manager, which can list, terminate, and launch processes. 

The orchestrator loads and unloads plugins on demand, so the attacker can extend the backdoor's capabilities dynamically. This improves both flexibility and stealth, since only the functionality currently needed is present in memory on the compromised system.

The EAGERBEE backdoor was deployed in East Asia, exploiting the ProxyLogon vulnerability in Exchange servers. Attackers used plugins like Remote Access Manager, Service Manager, and Network Manager to establish remote access, manipulate services, and gather system information.

They abused legitimate services like MSDTC, IKEEXT, and SessionEnv to load malicious DLLs, including an oci.dll linked to the CoughingDown group, which acted as loaders for the EAGERBEE backdoor, leveraging techniques like service manipulation and privilege escalation.

According to Securelist, the memory-resident threat relies on stealthy techniques such as injecting code into legitimate processes (e.g., dllhost.exe) and executing within user sessions, which hinders detection.

Evidence, such as consistent service creation and C2 domain overlap, suggests a link between EAGERBEE and the CoughingDown threat group in these cases.

However, the initial infection vector and the group responsible for EAGERBEE deployments in the Middle East remain unidentified.


IOCs for SOC/DFIR Teams

Service Injector
183f73306c2d1c7266a06247cedd3ee2

EAGERBEE backdoor compressed file
9d93528e05762875cf2d160f15554f44

EAGERBEE backdoor decompress
c651412abdc9cf3105dfbafe54766c44

EAGERBEE backdoor decompress and fix
26d1adb6d0bcc65e758edaf71a8f665d

Plugin Orchestrator
cbe0cca151a6ecea47cfaa25c3b1c8a8
35ece05b5500a8fc422cec87595140a7

Domains and IPs

62.233.57[.]94
82.118.21[.]230
194.71.107[.]215
151.236.16[.]167
www.socialentertainments[.]store
www.rambiler[.]com
5.34.176[.]46
195.123.242[.]120
195.123.217[.]139
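The intrusion chain above names specific loader files (tsvipsrv.dll, ntusers0.dat, ssss.dll, oci.dll), and the IOC list gives MD5 hashes and defanged network indicators. The following script is an added example for SOC/DFIR readers, not code from the article or from Kaspersky: it refangs the published indicators and scans log lines for hash, network and file-name matches. The log lines are constructed for the example; the log format and the assumed field names (qname=, md5=, image=) are illustrative, not a real product's schema.

```python
import re
from dataclasses import dataclass

# Indicators as published in the article. IPs and domains are kept
# "defanged" with "[.]" so they cannot be resolved or clicked by accident.
EAGERBEE_HASHES = {
    "183f73306c2d1c7266a06247cedd3ee2": "service injector (tsvipsrv.dll)",
    "9d93528e05762875cf2d160f15554f44": "EAGERBEE backdoor, compressed",
    "c651412abdc9cf3105dfbafe54766c44": "EAGERBEE backdoor, decompressed",
    "26d1adb6d0bcc65e758edaf71a8f665d": "EAGERBEE backdoor, decompressed and fixed",
    "cbe0cca151a6ecea47cfaa25c3b1c8a8": "plugin orchestrator",
    "35ece05b5500a8fc422cec87595140a7": "plugin orchestrator",
}
EAGERBEE_NETWORK = [
    "62.233.57[.]94", "82.118.21[.]230", "194.71.107[.]215", "151.236.16[.]167",
    "www.socialentertainments[.]store", "www.rambiler[.]com",
    "5.34.176[.]46", "195.123.242[.]120", "195.123.217[.]139",
]
# File names the article attributes to the loader chain.
EAGERBEE_FILENAMES = {"tsvipsrv.dll", "ntusers0.dat", "ssss.dll", "oci.dll"}


def refang(indicator):
    """Turn a defanged indicator ("1.2.3[.]4") back into a matchable string."""
    return indicator.replace("[.]", ".").lower()


NETWORK_IOCS = {refang(i) for i in EAGERBEE_NETWORK}

# Tokenizers for the things we match: MD5 hashes, IPv4 addresses,
# host names (last label must be alphabetic, so IPs are not hosts) and
# file names with the extensions seen in this campaign.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
FILE_RE = re.compile(r"[\w.-]+\.(?:dll|dat|exe)\b", re.I)


@dataclass
class Hit:
    line_no: int
    kind: str       # "hash", "network" or "filename"
    indicator: str  # the matched value, normalised to lower case
    line: str       # the full log line for the analyst


def scan_lines(lines):
    """Return every IOC hit found in an iterable of log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for h in HASH_RE.findall(line):
            if h.lower() in EAGERBEE_HASHES:
                hits.append(Hit(n, "hash", h.lower(), line))
        for token in IPV4_RE.findall(line) + HOST_RE.findall(line):
            if token.lower() in NETWORK_IOCS:
                hits.append(Hit(n, "network", token.lower(), line))
        for f in FILE_RE.findall(line):
            # Path separators are not in the token class, so only the
            # base name is captured here.
            if f.lower() in EAGERBEE_FILENAMES:
                hits.append(Hit(n, "filename", f.lower(), line))
    return hits


def summarize(hits):
    """Count hits per indicator kind, e.g. {"network": 2, "hash": 1}."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


# Constructed sample log lines (not real telemetry): a DNS query, a proxy
# connection, an image-load event carrying the injector's hash, and two
# benign lines that must not match.
SAMPLE_LOGS = [
    "2025-01-23T10:01:02Z dns query src=10.0.0.15 qname=www.rambiler.com qtype=A",
    "2025-01-23T10:01:05Z proxy CONNECT 195.123.242.120:443 from 10.0.0.15",
    "2025-01-23T10:02:10Z sysmon ImageLoad image=C:\\Windows\\System32\\tsvipsrv.dll "
    "md5=183F73306C2D1C7266A06247CEDD3EE2 process=svchost.exe",
    "2025-01-23T10:02:11Z dns query src=10.0.0.22 qname=www.example.com qtype=A",
    "2025-01-23T10:03:00Z sysmon ProcessCreate image=C:\\Windows\\System32\\dllhost.exe "
    "md5=0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOGS):
        label = EAGERBEE_HASHES.get(h.indicator, "")
        print(f"line {h.line_no}: {h.kind} match {h.indicator} {label}".rstrip())
    print(summarize(scan_lines(SAMPLE_LOGS)))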

Balaji

BALAJI is an ex-security researcher (Threat Research Labs) at Comodo Cybersecurity, and Editor-in-Chief & Co-Founder of Cyber Security News & GBHackers On Security.
