Focus Mode
Info Data Leak

EAGERBEE Malware Detection New Backdoor Variant Targets Internet Service Providers and State Bodies in the Middle East SOC Prime

admin
EAGERBEE Malware Detection New Backdoor Variant Targets Internet Service Providers and State Bodies in the Middle East SOC Prime
The Eagerbee backdoor, a new malware variant, poses a significant threat to organizations in the Middle East, especially targeting ISPs and state agencies. This malware has advanced capabilities, including payload deployment and command execution. The rise in cyberattacks globally highlights the need for proactive detection methods to combat evolving threats. Affected: Eagerbee backdoor, NonEuclid RAT

Keypoints :

  • The Eagerbee backdoor is an advanced malware variant targeting ISPs and state agencies in the Middle East.
  • In 2024, there has been a significant surge in cyberattacks, averaging 1,308 attacks per week.
  • Researchers have noted a 30% increase in global malware volume compared to 2023.
  • SOC Prime Platform offers detection algorithms for emerging threats, including Eagerbee infections.
  • The Eagerbee malware framework has sophisticated capabilities, including service injection and remote control plugins.
  • The malware is linked to a hacking group known as CoughingDown and state-sponsored groups like REF5961.
  • Eagerbee has been used in cyber-espionage attacks against Southeast Asian government agencies.
  • Malicious webshells were uploaded post-breach through the ProxyLogon vulnerability in Exchange servers.
  • The malware adapts to evade detection by embedding malicious code into legitimate processes.
  • Enhanced cybersecurity awareness and proactive defense measures are critical to combatting such threats.

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: EAGERBEE uses TCP sockets to exfiltrate system data to a remote server.
  • T1203 – Exploitation for Client Execution: Exploited the ProxyLogon vulnerability (CVE-2021-26855) to deploy webshells.
  • T1059.001 – Command and Scripting Interpreter: Executes commands through injected plugins and DLLs.
  • T1105 – Ingress Tool Transfer: Transfers malicious payloads and plugins for remote control and data exfiltration.
  • T1210 – Exploitation of Remote Services: Utilizes backdoor deployment through service injection methods.

Full Research: https://socprime.com/blog/eagerbee-malware-detection/

Tags: EDR, TOOL, BACKDOOR, APT, SIEM, COLLECTION, EXFILTRATION, PAYLOAD