Eagerbee Malware Updates Its Arsenal to Attack ISPs and Government Entities

The Kaspersky investigation into the EAGERBEE backdoor highlights its deployment in Middle Eastern ISPs and government entities, where a service injector is used to compromise systems. The backdoor operates through a plugin architecture, enabling remote control and various malicious functionalities. Its exploitation of vulnerabilities and stealthy techniques poses significant risks.

Affected Platforms: Middle Eastern ISPs, government entities, Exchange servers

Key Points:

  • EAGERBEE backdoor deployed within Middle Eastern ISPs and government entities.
  • Utilizes a service injector to compromise running services.
  • Deploys plugins for diverse functionalities post-installation.
  • Attacks initially compromise systems through an unknown vector.
  • Key plugins include File Manager and Process Manager.
  • Exploits the ProxyLogon vulnerability on Exchange servers in East Asia.
  • Abuses legitimate services to load malicious DLLs.
  • Stealth techniques hinder detection by injecting code into legitimate processes.
  • Evidence suggests a link between EAGERBEE and the CoughingDown threat group.
  • Initial infection vector and responsible group remain unidentified.

MITRE Techniques:

  • TA0001 – Initial Access: Attackers compromised the system through an unknown vector.
  • TA0002 – Execution: The service injector “tsvipsrv.dll” executes the “ntusers0.dat” payload.
  • TA0003 – Persistence: EAGERBEE maintains persistence by deploying plugins.
  • TA0005 – Defense Evasion: Injects code into legitimate processes to avoid detection.
  • TA0009 – Collection: Gathers and analyzes information about system processes and network connections.
  • TA0011 – Command and Control: Establishes a connection to the C2 server to receive commands and payloads.

Indicators of Compromise:

  • [MD5] 183f73306c2d1c7266a06247cedd3ee2 (Service Injector)
  • [MD5] 9d93528e05762875cf2d160f15554f44 (EAGERBEE backdoor, compressed file)
  • [MD5] c651412abdc9cf3105dfbafe54766c44 (EAGERBEE backdoor, decompressed)
  • [MD5] 26d1adb6d0bcc65e758edaf71a8f665d (EAGERBEE backdoor, decompressed and fixed)
  • [SHA-256] cbe0cca151a6ecea47cfaa25c3b1c8a835ece05b5500a8fc422cec87595140a7 (Plugin Orchestrator)
  • Check the article for all found IoCs.
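The hashes above are only useful if they are actually checked against files on disk. The following scanner is an added example written for this summary (it is not code from the gbhackers article or from Kaspersky): it walks a directory, computes both the MD5 and SHA-256 of every file, and reports any file whose digest appears in the IoC set listed above. The IoC values are taken verbatim from the list; the sample files the `demo()` function creates are constructed for illustration and stand in for a known-bad file. Exact-hash matching catches only the specific samples published here, so a repacked or recompiled variant of the service injector or backdoor will not match; treat a clean scan as absence of these samples, not absence of EAGERBEE.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# IoC hashes copied from the list above (MD5 for the first four, SHA-256 for the last).
EAGERBEE_IOCS = {
    "183f73306c2d1c7266a06247cedd3ee2": "Service Injector",
    "9d93528e05762875cf2d160f15554f44": "EAGERBEE backdoor (compressed file)",
    "c651412abdc9cf3105dfbafe54766c44": "EAGERBEE backdoor (decompressed)",
    "26d1adb6d0bcc65e758edaf71a8f665d": "EAGERBEE backdoor (decompressed and fixed)",
    "cbe0cca151a6ecea47cfaa25c3b1c8a835ece05b5500a8fc422cec87595140a7": "Plugin Orchestrator",
}

_HEX = re.compile(r"^[0-9a-f]+$")


def ioc_algorithms(iocs):
    """Map each IoC digest to the hash algorithm implied by its length.

    Raises ValueError on anything that is not 32 or 64 lowercase hex characters,
    so a typo in an IoC feed fails loudly instead of silently never matching.
    """
    algos = {}
    for digest in iocs:
        if not _HEX.match(digest):
            raise ValueError(f"IoC is not lowercase hex: {digest!r}")
        if len(digest) == 32:
            algos[digest] = "md5"
        elif len(digest) == 64:
            algos[digest] = "sha256"
        else:
            raise ValueError(f"IoC has unsupported length {len(digest)}: {digest!r}")
    return algos


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha256) of a file, read in chunks so large files do not load into RAM."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_directory(root, iocs=EAGERBEE_IOCS):
    """Walk `root` recursively and return [(path, digest, label)] for every IoC hit."""
    ioc_algorithms(iocs)  # validate the IoC set before touching the filesystem
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            digests = file_digests(path)
        except OSError:
            # Locked or unreadable files are skipped; a real deployment would log these.
            continue
        for digest in digests:
            if digest in iocs:
                hits.append((str(path), digest, iocs[digest]))
    return hits


def demo():
    """Scan a constructed directory tree; returns (hits_with_test_ioc, hits_with_real_iocs).

    The 'sample.bin' file is constructed content, not malware; its own MD5 is added to a
    copy of the IoC set purely to exercise the match path offline.
    """
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "readme.txt").write_bytes(b"constructed benign content")
        suspect = Path(tmp) / "sample.bin"
        suspect.write_bytes(b"constructed sample standing in for a known-bad file")
        md5, _ = file_digests(suspect)
        test_iocs = dict(EAGERBEE_IOCS)
        test_iocs[md5] = "constructed test sample"
        hits = scan_directory(tmp, test_iocs)
        real_hits = scan_directory(tmp)  # benign tree: no match against the published IoCs
    return hits, real_hits


if __name__ == "__main__":
    for path, digest, label in demo()[0]:
        print(f"HIT {label}: {path} ({digest})")
```

Run it against a real host by calling `scan_directory("C:/")` or the directory of interest; hashing both algorithms in one pass lets the same scanner consume feeds that mix MD5 and SHA-256 values, as the list above does.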
Full Research: https://gbhackers.com/eagerbee-malware/