
EAGERBEE Malware Unleashes New Payloads and Command Shells

The EAGERBEE backdoor is targeting Middle Eastern ISPs and government entities with a novel service injector and previously undocumented plugins that expand its capabilities. These plugins facilitate diverse malicious activities, including file system manipulation, remote access, and process exploration, enabling sophisticated and targeted attacks.

The attackers initially compromised the system by deploying a backdoor injector (“tsvipsrv.dll”) and a payload file (“ntusers0.dat”). They leveraged the SessionEnv service to execute the injector, likely by exploiting a DLL hijacking vulnerability.

The attackers were able to conceal their activity and spread the malware throughout the network by manipulating file attributes, timestamps, and network shares.
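The two behaviours described above, a service-hosted DLL hijack and manipulation of file timestamps, both leave traces in endpoint telemetry. The following is an added detection example, not code from the article or from the Securelist report; it runs a few hunting rules over constructed Sysmon-style records (ImageLoad, FileCreateTime and FileCreate events) using the two file names the article reports. The assumption that the SessionEnv service runs inside svchost.exe, and the simplified event field layout, are the author's assumptions for the example rather than facts taken from the page.

```python
"""Hunt constructed Sysmon-style events for the EAGERBEE staging behaviour
described in the article: a service-hosted DLL hijack and timestamp tampering.
Added example; the telemetry below is constructed, not real."""
from datetime import datetime
from pathlib import PureWindowsPath

# File names reported in the article for the initial compromise.
INJECTOR_DLL = "tsvipsrv.dll"
PAYLOAD_FILE = "ntusers0.dat"

# Assumption: the SessionEnv service is hosted by svchost.exe, so an unsigned
# DLL mapped into svchost.exe is worth a look even when the name is unknown.
SERVICE_HOST = "svchost.exe"

# Sysmon UtcTime format, e.g. "2024-11-03 09:12:44.000".
SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample events (simplified Sysmon field names, IDs 2, 7 and 11).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\ntusers0.dat"},
    {"EventID": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\tsvipsrv.dll",
     "PreviousCreationUtcTime": "2024-11-03 09:12:44.000",
     "CreationUtcTime": "2019-03-19 04:37:22.000"},   # backdated to blend in
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\tsvipsrv.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\notes.txt"},
]


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def hunt(events):
    """Return (rule, process, file) tuples for every event a rule matches."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 7 and basename(ev["ImageLoaded"]) == INJECTOR_DLL:
            # Exact match on the injector name reported in the article.
            findings.append(("injector_dll_loaded", ev["Image"], ev["ImageLoaded"]))
        elif (eid == 7 and ev.get("Signed", "true").lower() == "false"
              and basename(ev["Image"]) == SERVICE_HOST):
            # Generic rule: unsigned code mapped into a service host process.
            findings.append(("unsigned_dll_in_service_host", ev["Image"], ev["ImageLoaded"]))
        elif eid == 11 and basename(ev["TargetFilename"]) in (INJECTOR_DLL, PAYLOAD_FILE):
            # Staging of either file name from the article.
            findings.append(("staged_file_created", ev["Image"], ev["TargetFilename"]))
        elif eid == 2:
            # Creation time moved into the past: a timestomping signal.
            new = datetime.strptime(ev["CreationUtcTime"], SYSMON_TIME)
            old = datetime.strptime(ev["PreviousCreationUtcTime"], SYSMON_TIME)
            if new < old:
                findings.append(("creation_time_backdated", ev["Image"], ev["TargetFilename"]))
    return findings


if __name__ == "__main__":
    for rule, proc, target in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} {proc} -> {target}")
```

The name-based rules are only as good as the indicators in the report; the unsigned-DLL-in-svchost and backdated-creation-time rules are the ones that would still fire if the operators renamed the files, at the cost of needing a baseline to suppress legitimate installers that set creation times.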

The service injector targets a service process: it injects malicious code and replaces the service’s control handler with a stub that decompresses and injects the backdoor. It then triggers the stub with a control code and finally cleans up by restoring the original handler.

The EAGERBEE backdoor collects system information, including network details, and attempts to connect to a C2 server via TCP or SSL, potentially through a proxy. After authentication, it receives a Plugin Orchestrator payload from the server and executes it in memory, enabling remote control of the infected system.

It employs a plugin orchestrator (“ssss.dll”) that is injected into memory and gathers system information, including the domain, resource usage, and running processes. The orchestrator communicates with the C2 server, receives commands to load, unload, or execute plugins, and manages their lifecycle.

Within this plugin ecosystem, the File Manager plugin is responsible for receiving and carrying out commands from the orchestrator.

Its core functionalities encompass file system operations, including enumeration, manipulation (renaming, moving, copying, and deletion), permission management (ACLs), content reading/writing, and the capability to inject and execute arbitrary code into memory.

The Process Manager plugin allows attackers to control system processes, including termination, execution, and information gathering, while the Remote Access Manager plugin enables remote connections, downloads files, executes commands, and steals data, potentially using stolen credentials to access network resources.

The Service Manager plugin provides comprehensive control over system services, enabling the creation of services running as shared or independent processes and offering the ability to start, stop, delete, and enumerate them, collecting detailed information such as service name, display name, and status. 

According to Securelist, the Network Manager plugin lists network connections, providing the state, local and remote addresses and ports, and owning process IDs for both IPv4 and IPv6 TCP and UDP connections.

The EAGERBEE malware framework, which was developed for in-memory operation and code injection, was discovered in East Asian attacks that utilized the ProxyLogon exploit. 

The memory-resident framework was also found in attacks in the Middle East, which may be connected to the CoughingDown group given the operational similarities between the two sets of activity.
