EAGERBEE Malware Updates Its Arsenal To Attack ISPs And Government Entities
Kaspersky's investigation of the EAGERBEE backdoor documents its deployment against ISPs and government entities in the Middle East. The chain starts with a service injector DLL that gets a legitimate Windows service to load and run the backdoor; once running, the backdoor's plugin architecture gives the operators remote control and a range of post-exploitation functions. The combination of vulnerability exploitation (ProxyLogon against Exchange servers in the East Asian cases) and in-memory, process-injection-based stealth makes it hard to detect.
Affected platforms: Middle Eastern ISPs and government entities; Microsoft Exchange servers (East Asia)

Key points:

  • EAGERBEE backdoor deployed within ISPs and government entities in the Middle East.
  • A service injector DLL abuses a legitimate Windows service to load the backdoor, so the malicious code runs inside a trusted service rather than as a new process.
  • Post-installation functionality is delivered as plugins; key plugins include a File Manager and a Process Manager.
  • In the Middle Eastern cases the initial access vector is still unknown.
  • In East Asia, Exchange servers were compromised through the ProxyLogon vulnerability (CVE-2021-26855).
  • Code is injected into legitimate processes, leaving little on-disk or process-list footprint and hindering detection.
  • Evidence suggests a link to the CoughingDown threat group, but attribution is not definitive.

MITRE ATT&CK tactics:

  • TA0001 – Initial Access: unknown vector in the Middle Eastern cases; ProxyLogon exploitation of Exchange servers in East Asia.
  • TA0002 – Execution: the service injector "tsvipsrv.dll" loads and executes the "ntusers0.dat" payload.
  • TA0003 – Persistence: achieved through the legitimate Windows service that loads the injector DLL; plugins are deployed on top once the backdoor is running.
  • TA0005 – Defense Evasion: injects code into legitimate processes to avoid detection.
  • TA0009 – Collection (enumerating processes and network connections is, strictly, Discovery, TA0007): gathers information about running processes and network connections.
  • TA0011 – Command and Control: connects to the C2 server to receive commands and payloads (plugins).
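The Defense Evasion entry above (a thread started in a legitimate process from the injector's host service) is the behaviour a defender can hunt for without any of the file hashes. The following is an added example, not code from the article or from Kaspersky: a small heuristic over Sysmon Event ID 8 (CreateRemoteThread) records. The log lines are constructed here, the field names follow Sysmon's Event ID 8 schema, and the set of "service host" images is an assumption. The page does not say which injection API EAGERBEE uses, so this is generic injection telemetry, not a confirmed EAGERBEE signature.

```python
"""Heuristic triage of Sysmon Event ID 8 (CreateRemoteThread) records.

Added example, not from the article. Sample events are constructed; the
field names (SourceImage, TargetImage, StartModule, StartFunction) are the
ones Sysmon emits for Event ID 8.
"""
import json

# Constructed sample log: one JSON object per line, as a SIEM export would hold it.
SAMPLE_LOG = "\n".join([
    # Benign: a vendor agent starts a thread in notepad backed by ntdll.dll.
    json.dumps({"EventID": 8, "SourceImage": r"C:\Program Files\Vendor\agent.exe",
                "TargetImage": r"C:\Windows\System32\notepad.exe",
                "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "LdrLoadDll"}),
    # Benign-looking: a service host starts a thread, but at a module-backed address.
    json.dumps({"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\System32\svchost.exe",
                "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "LdrInitializeThunk"}),
    # Suspicious: service host to service host, thread start address in no loaded module.
    json.dumps({"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\System32\svchost.exe",
                "StartModule": "-", "StartFunction": "-"}),
    # Suspicious: service host starts an unbacked thread inside explorer.exe.
    json.dumps({"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\explorer.exe",
                "StartModule": "", "StartFunction": ""}),
    # Different event type; must be ignored by the Event ID 8 logic.
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"}),
    "garbled export line that must not abort the run",
])

SERVICE_HOSTS = {"svchost.exe", "services.exe"}  # assumption: images that host Windows services
UNBACKED = {"", "-"}  # Sysmon writes "-" when the start address lies in no loaded module


def load_events(text: str) -> list:
    """Parse JSON-lines input, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> list:
    """Return the reasons an Event ID 8 record looks like code injection (empty if none)."""
    if event.get("EventID") != 8:
        return []
    reasons = []
    if event.get("StartModule", "-") in UNBACKED:
        reasons.append("thread start address is not backed by any loaded module")
    if image_name(event.get("SourceImage", "")) in SERVICE_HOSTS:
        reasons.append("remote thread created from a service host process")
    return reasons


def triage(text: str, min_reasons: int = 2) -> list:
    """Alerts as (SourceImage, TargetImage, reasons) for records with at least min_reasons signals."""
    alerts = []
    for ev in load_events(text):
        reasons = assess(ev)
        if len(reasons) >= min_reasons:
            alerts.append((ev["SourceImage"], ev["TargetImage"], reasons))
    return alerts


if __name__ == "__main__":
    for src, dst, why in triage(SAMPLE_LOG):
        print(f"{src} -> {dst}: {'; '.join(why)}")
```

The threshold matters: a service host creating a module-backed remote thread is routine on Windows, and an unbacked start address alone also occurs with some legitimate tooling, so the rule only alerts when both signals coincide. Tune `SERVICE_HOSTS` to the images that actually run services in your estate.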

Indicators of Compromise:

  • [MD5] 183f73306c2d1c7266a06247cedd3ee2 (service injector)
  • [MD5] 9d93528e05762875cf2d160f15554f44 (EAGERBEE backdoor, compressed)
  • [MD5] c651412abdc9cf3105dfbafe54766c44 (EAGERBEE backdoor, decompressed)
  • [MD5] 26d1adb6d0bcc65e758edaf71a8f665d (EAGERBEE backdoor, decompressed and fixed)
  • [SHA-256] cbe0cca151a6ecea47cfaa25c3b1c8a835ece05b5500a8fc422cec87595140a7 (plugin orchestrator)
  • See the full article for the complete IoC list.
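The hashes above lend themselves to a host sweep. The following is an added example, not code from the article or from Kaspersky: it walks a directory tree, hashes every file once with both MD5 and SHA-256 (the list mixes both digest lengths), and reports hash or file-name matches. The digests and the two component names (tsvipsrv.dll, ntusers0.dat) are taken from this summary; the directory layout and sample files are constructed here so the script runs offline. It does not know where on disk the real components live, so point `sweep()` at the directories you care about.

```python
"""Sweep a directory tree for the EAGERBEE indicators quoted in the summary.

Added example, not from the article. The hash values and file names come from
the summary above; the sample directory built by demo() is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes quoted in the summary, keyed by lower-case hex digest.
IOC_HASHES = {
    "183f73306c2d1c7266a06247cedd3ee2": "service injector",
    "9d93528e05762875cf2d160f15554f44": "EAGERBEE backdoor (compressed)",
    "c651412abdc9cf3105dfbafe54766c44": "EAGERBEE backdoor (decompressed)",
    "26d1adb6d0bcc65e758edaf71a8f665d": "EAGERBEE backdoor (decompressed and fixed)",
    "cbe0cca151a6ecea47cfaa25c3b1c8a835ece05b5500a8fc422cec87595140a7": "plugin orchestrator",
}
# Component file names from the Execution entry above.
IOC_NAMES = {"tsvipsrv.dll", "ntusers0.dat"}

# A hex digest's length identifies the algorithm: 32 chars is MD5, 64 is SHA-256.
DIGEST_BY_LENGTH = {32: "md5", 64: "sha256"}


def file_digests(path: Path) -> dict:
    """Compute MD5 and SHA-256 of a file in a single streaming pass (1 MiB chunks)."""
    hashers = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root: Path, hashes: dict = IOC_HASHES, names: set = IOC_NAMES) -> list:
    """Return (path, reason) tuples for files whose hash or name matches an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            try:
                digests = file_digests(p)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep sweeping
            for ioc, label in hashes.items():
                algo = DIGEST_BY_LENGTH.get(len(ioc))
                if algo and digests[algo] == ioc.lower():
                    hits.append((str(p), f"hash match ({algo}): {label}"))
            if fname.lower() in names:
                hits.append((str(p), "file name matches an EAGERBEE component name"))
    return hits


def demo() -> list:
    """Build a constructed directory tree (no real malware) and sweep it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        (tmp / "readme.txt").write_bytes(b"benign content\n")
        sub = tmp / "system32_lookalike"
        sub.mkdir()
        # Name-only indicator: a placeholder carrying the injector's file name.
        (sub / "tsvipsrv.dll").write_bytes(b"constructed placeholder, not the real injector\n")
        # Hash indicator: add the SHA-256 of a constructed sample to a copy of the
        # IOC table so the hash path is exercised without shipping real samples.
        sample = sub / "payload.bin"
        sample.write_bytes(b"constructed sample payload\n")
        hashes = dict(IOC_HASHES)
        hashes[file_digests(sample)["sha256"]] = "constructed sample"
        return sweep(tmp, hashes, IOC_NAMES)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

On a real host, run `sweep(Path(r"C:\Windows\System32"))` or whichever roots you suspect; a file-name hit alone is a lead, not a conviction, while a hash hit on one of the summary's digests is a confirmed artifact.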

Full Research: https://gbhackers.com/eagerbee-malware/