Ethical Hacking News
Kaspersky researchers have identified new variants of the Eagerbee backdoor being used in attacks against government entities and ISPs in the Middle East.
The initial access method for the Eagerbee backdoor is still unknown, but threat actors have deployed a service injector on infected systems.
The backdoor gathers sensitive information from infected systems, including system details, network connections, and proxy settings.
The malware uses plugins in the form of DLL files to execute various functionalities, such as file management, process management, remote access, and network monitoring.
The Eagerbee backdoor is believed to be related to the CoughingDown threat group based on similarities in service creation and C2 domain overlap.
Kaspersky Researchers Reveal Eagerbee Backdoor Attack on Government Organizations and ISPs in the Middle East
In a recent report, Kaspersky researchers identified new variants of the Eagerbee backdoor used in attacks against government entities and Internet Service Providers (ISPs) in the Middle East. The malware is deployed through a service injector and payload delivery chain and gathers sensitive information from infected systems.
According to the report, the initial access vector for the Eagerbee backdoor is still unknown. On compromised hosts, the attackers deployed a service injector, tsvipsrv.dll, and a payload file, ntusers0.dat, loaded through the SessionEnv service. The injector targets the Themes service: it writes the EAGERBEE backdoor into that service's memory together with stub code that decompresses it, runs the stub so that the backdoor is decompressed and executed, and then cleans up by restoring the original handler.
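The loader chain above (SessionEnv service, tsvipsrv.dll, payload ntusers0.dat, injection into the Themes service) leaves one artifact that is cheap to check at scale: the ServiceDll value that tells svchost which DLL to load for a service. The script below is an added hunting example written for this page, not code from the Kaspersky report. It parses the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` (a constructed sample is embedded so it runs offline) and flags a service whose ServiceDll is one of the file names the report attributes to the loader, or whose path deviates from a baseline. The baseline paths for SessionEnv (sessenv.dll) and Themes (themeservice.dll) are my assumption from a stock Windows 10/11 install; confirm them against a known-good host of the same build before relying on them.

```python
import re
from dataclasses import dataclass

# ASSUMPTION: baseline ServiceDll paths from a stock Windows 10/11 install.
# Paths are compared after lower-casing and folding the system root to <sysroot>.
BASELINE_SERVICEDLL = {
    "sessionenv": r"<sysroot>\system32\sessenv.dll",
    "themes": r"<sysroot>\system32\themeservice.dll",
}

# File names the Kaspersky report attributes to the EAGERBEE loader chain.
REPORTED_ARTIFACTS = {"tsvipsrv.dll", "ntusers0.dat"}

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\Parameters$", re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.+?)\s*$")


@dataclass
class Finding:
    service: str
    service_dll: str
    reason: str


def parse_reg_query(text: str) -> dict:
    r"""Parse `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll`
    output into {service_name: ServiceDll}. Key lines name the service; the
    indented value line under each key carries the DLL path."""
    result, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = key.group(1)
            continue
        val = VALUE_RE.match(line)
        if val and current and val.group(1).lower() == "servicedll":
            result[current] = val.group(3)
    return result


def normalize(path: str) -> str:
    """Lower-case the path and fold both spellings of the system root to one token."""
    p = path.strip().lower()
    for prefix in ("%systemroot%", "c:\\windows"):
        if p.startswith(prefix):
            p = "<sysroot>" + p[len(prefix):]
            break
    return p


def hunt_service_dlls(servicedlls: dict) -> list:
    """Flag reported loader artifacts first, then any baseline deviation."""
    findings = []
    for service, dll in servicedlls.items():
        norm = normalize(dll)
        basename = norm.rsplit("\\", 1)[-1]
        if basename in REPORTED_ARTIFACTS:
            findings.append(Finding(service, dll,
                            f"ServiceDll is a reported EAGERBEE loader artifact ({basename})"))
            continue
        expected = BASELINE_SERVICEDLL.get(service.lower())
        if expected and norm != expected:
            findings.append(Finding(service, dll,
                            f"ServiceDll deviates from baseline ({expected})"))
    return findings


# Constructed sample of `reg query ... /s /v ServiceDll` output (not captured from a real host).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\tsvipsrv.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\themeservice.dll

End of search: 3 match(es) found.
"""

if __name__ == "__main__":
    for f in hunt_service_dlls(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(f"[!] {f.service}: {f.service_dll} -> {f.reason}")
```

Run the `reg query` command on the host (or collect the Services hive offline) and feed the output to `parse_reg_query`. A baseline deviation is a lead, not a verdict: third-party software does legitimately register svchost-hosted services, so extend `BASELINE_SERVICEDLL` from a clean reference image. The mutex mstoolFtip32W and the injected Themes service process are separate live-memory checks that this script does not cover.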
The Eagerbee backdoor first collects system information, including the NetBIOS name, OS details, processor architecture, and IP addresses. It uses a mutex named mstoolFtip32W to ensure that only one instance runs, and it contains a schedule check that restricts execution to configured day-and-hour windows within a weekly schedule. In the observed samples the schedule allows execution 24/7; if the current time falls outside the allowed window, the backdoor re-checks every 15 seconds.
The configuration is either stored in a file or hardcoded in the backdoor binary; it includes the C2 server details, which are decoded with XOR. The backdoor retrieves proxy settings from the registry, connects to the C2 server through that proxy or directly, and uses SSL/TLS if configured. After establishing the TCP connection, it sends the collected system data to the C2, which responds with the Plugin Orchestrator, the component that receives and runs the plugins.
The backdoor's plugins are DLL files, each of which exports three methods by ordinal rather than by name. The plugin orchestrator starts by invoking the plugin's export with ordinal 3. This method injects the plugin DLL into memory, initializes it via the DllMain method (ordinal 1), and then executes its functionality through the method at ordinal 2.
The researchers analyzed five plugins used by the backdoor:
File Manager Plugin: Handles file system operations and can modify file permissions, inject additional payloads into memory, and execute command lines.
Process Manager Plugin: Manages system processes and can execute command lines or modules in the security context of specific user accounts.
Remote Access Manager Plugin: Facilitates remote access by enabling RDP sessions; it can also inject command shells into legitimate processes for stealth.
Service Manager Plugin: Controls system services.
Network Manager Plugin: Monitors and lists active network connections.
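The ordinal-only export convention described above (three exports reached by ordinal 1, 2 and 3, none by name) is a shape that a disk-triage script can look for when sweeping DLLs dropped alongside the backdoor. The following is an added example written for this page, not code from Kaspersky or from the EAGERBEE samples: a small PE export-directory walker in Python plus a heuristic that flags DLLs exporting exactly ordinals 1 to 3 with no names. The two PE images it analyzes are constructed in-code as fixtures (a builder emits a minimal PE32+ that contains only an export table); `build_sample_dll`, `matches_plugin_export_shape` and the fixture names are my own. Legitimate DLLs can share this export shape, so a hit is a candidate for analysis, not a verdict.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Export:
    ordinal: int
    name: Optional[str]   # None for exports reachable only by ordinal
    rva: int


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]


def parse_exports(data: bytes) -> List[Export]:
    """Walk the PE export directory and return every populated export slot."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20
    # Data directory[0] (exports) sits at +112 in a PE32+ optional header, +96 in PE32.
    dd = opt + (112 if _u16(data, opt) == 0x20B else 96)
    export_rva = _u32(data, dd)
    if export_rva == 0:
        return []
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    ed = rva_to_off(export_rva)
    # IMAGE_EXPORT_DIRECTORY: Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals start at +16.
    base, nfuncs, nnames, aof, aon, aono = struct.unpack_from("<IIIIII", data, ed + 16)
    names = {}
    if nnames:  # name tables may be absent when everything is exported NONAME
        aon, aono = rva_to_off(aon), rva_to_off(aono)
        for i in range(nnames):
            idx = _u16(data, aono + 2 * i)          # index into the address table
            off = rva_to_off(_u32(data, aon + 4 * i))
            names[idx] = data[off:data.index(b"\0", off)].decode("ascii", "replace")
    aof = rva_to_off(aof)
    exports = []
    for i in range(nfuncs):
        rva = _u32(data, aof + 4 * i)
        if rva:  # unused slots in the address table are zero
            exports.append(Export(base + i, names.get(i), rva))
    return exports


def matches_plugin_export_shape(exports: List[Export]) -> bool:
    """Heuristic from the report's description: exactly ordinals 1..3, nothing by name."""
    return (sorted(e.ordinal for e in exports) == [1, 2, 3]
            and all(e.name is None for e in exports))


def build_sample_dll(export_names: List[Optional[str]], base: int = 1) -> bytes:
    """Constructed fixture: a minimal PE32+ image holding only an export table.
    export_names has one entry per ordinal starting at `base` (None = NONAME)."""
    SECT = 0x200                                    # one section, RVA == file offset
    nfuncs = len(export_names)
    named = [(i, n) for i, n in enumerate(export_names) if n]
    aof = SECT + 40
    aon = aof + 4 * nfuncs
    aono = aon + 4 * len(named)
    strs, name_rvas, cursor = b"", [], aono + 2 * len(named)
    for _, n in named:
        name_rvas.append(cursor + len(strs))
        strs += n.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, base, nfuncs, len(named),
                       aof, aon if named else 0, aono if named else 0)
    body += b"".join(struct.pack("<I", 0x1000 + 0x10 * i) for i in range(nfuncs))  # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i, _ in named)
    body += strs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, SECT, len(body))             # export directory RVA/size
    sect_hdr = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), SECT, len(body), SECT,
                                           0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect_hdr
    return headers + b"\0" * (SECT - len(headers)) + body


# Constructed fixtures: one image shaped like a described plugin, one ordinary COM-style DLL.
PLUGIN_LIKE = build_sample_dll([None, None, None])
ORDINARY = build_sample_dll(["DllGetClassObject", "DllCanUnloadNow", None, "DllRegisterServer"])

if __name__ == "__main__":
    for label, image in (("plugin-like", PLUGIN_LIKE), ("ordinary", ORDINARY)):
        exports = parse_exports(image)
        print(label, [(e.ordinal, e.name) for e in exports], matches_plugin_export_shape(exports))
```

To sweep real files, read each DLL with `open(path, "rb").read()` and pass the bytes to `parse_exports`; the parser only needs the headers and the export section, so it works on on-disk images without mapping them. Pair the export-shape hit with other context (unsigned binary, recently written, loaded by the Themes service) before escalating.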
"EAGERBEE was deployed in several organizations in East Asia," concludes the report. "Two of these organizations were breached via the infamous ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers, after which malicious webshells were uploaded and utilized to execute commands on the breached servers."
Furthermore, because services running the Eagerbee backdoor and the CoughingDown Core Module were created on the same day via the same webshell, and because the two share C2 domains, the researchers assess with medium confidence that the Eagerbee backdoor is related to the CoughingDown threat group.
Related Information:
https://securityaffairs.com/172748/malware/eagerbee-backdoor-targets-middle-east.html
https://nvd.nist.gov/vuln/detail/CVE-2021-26855
https://www.cvedetails.com/cve/CVE-2021-26855/
Published: Tue Jan 7 04:02:27 2025 by llama3.2 3B Q4_K_M