Eagerbee Malware Targets Middle Eastern Government and ISPs

January 6, 2025

The Eagerbee malware framework is seeing new variants being used against government entities and ISPs in the Middle East. The malware was previously associated with attacks orchestrated by Chinese state-sponsored threat actors known as 'Crimson Palace.' Kaspersky researchers have reported a potential link to another threat group, 'CoughingDown,' based on overlaps in code and IP addresses. The researchers state, "Because of the consistent creation of services on the same day via the same webshell to execute the EAGERBEE backdoor and the CoughingDown Core Module, and the C2 domain overlap between the EAGERBEE backdoor and the CoughingDown Core Module, we assess with medium confidence that the EAGERBEE backdoor is related to the CoughingDown threat group."

The researchers have not yet been able to identify the initial access vector used in the Middle East attacks. However, in previous instances, two East Asian organizations were compromised through exploitation of the Microsoft Exchange ProxyLogon flaw (CVE-2021-26855). The attack involves the deployment of an injector (tsvipsrv.dll) dropped into the system32 directory to load the payload file (ntusers0.dat). Upon system start, Windows executes the injector, which abuses the 'Themes' service (along with SessionEnv, IKEEXT, and MSDTC) to write the backdoor payload into memory via DLL hijacking.

The backdoor can be programmed to run at certain times, but in the attacks observed by Kaspersky, it was set to run continuously. The Eagerbee backdoor appears on the infected system as 'dllloader1x64.dll' and immediately starts gathering basic information such as OS details and network addresses. After initialization, it sets up a TCP/SSL channel with the command-and-control (C2) server, from which it can download additional plugins to enhance its functionality. These plugins are injected into memory by a plugin orchestrator (ssss.dll), which oversees their execution.

Eagerbee is a stealthy and persistent threat with extensive capabilities on compromised systems. The same backdoor-loading chain was also found in Japan, indicating that the attacks are not limited to the Middle East. To mitigate the threat, organizations are advised to apply the ProxyLogon patch on all Exchange servers and utilize the indicators of compromise provided in Kaspersky's report to detect the threat early.
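The loading chain and the mitigation advice above suggest a quick host triage: look for the file names the article attributes to the chain (tsvipsrv.dll, ntusers0.dat, dllloader1x64.dll, ssss.dll) and review how the four abused services are hosted. The script below is an added example written for this page; it is not from the article, from Kaspersky's report, or from any vendor tool. It assumes the file names above are the only artifacts worth checking by name (the report's full indicators of compromise are not reproduced here), and it treats a service ImagePath or ServiceDll that points outside System32, or at a file that does not exist, as something an analyst should review rather than as proof of compromise. MSDTC runs from msdtc.exe rather than svchost, so for it only the ImagePath is examined.

```powershell
# Added triage script for the Eagerbee loading chain described in the article.
# Not the article's or Kaspersky's code; uses only file names and service
# names given in the text. Run in an elevated PowerShell session and review
# every finding manually against the vendor's published indicators.

$ErrorActionPreference = 'Stop'
$sys32 = Join-Path $env:SystemRoot 'System32'

# File names from the article: injector, payload, backdoor, plugin orchestrator.
$artifactNames = @('tsvipsrv.dll', 'ntusers0.dat', 'dllloader1x64.dll', 'ssss.dll')

# Services the article says are abused to load the payload via DLL hijacking.
$serviceNames = @('Themes', 'SessionEnv', 'IKEEXT', 'MSDTC')

$findings = @()

# 1. Look for the named artifacts in System32 (the injector is dropped there).
foreach ($name in $artifactNames) {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Check   = 'ArtifactFile'
            Subject = $path
            Detail  = "size=$($item.Length) written=$($item.LastWriteTimeUtc.ToString('u'))"
        }
    }
}

# 2. Record how each abused service is hosted. For svchost-hosted services the
#    code that actually runs is the ServiceDll value under Parameters; a value
#    outside System32, or one whose file is missing, warrants analyst review.
foreach ($svc in $serviceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path -LiteralPath $key)) { continue }

    $imagePath = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
    $svcDll = $null
    $paramKey = Join-Path $key 'Parameters'
    if (Test-Path -LiteralPath $paramKey) {
        $svcDll = (Get-ItemProperty -LiteralPath $paramKey -ErrorAction SilentlyContinue).ServiceDll
    }

    foreach ($entry in @(@('ImagePath', $imagePath), @('ServiceDll', $svcDll))) {
        $label, $value = $entry
        if ([string]::IsNullOrWhiteSpace($value)) { continue }

        # Expand %SystemRoot% etc., drop surrounding quotes and svchost "-k ..." arguments.
        $expanded = [Environment]::ExpandEnvironmentVariables($value)
        $file = ($expanded -replace '^"([^"]+)".*$', '$1') -replace '\s+-k\s+.*$', ''
        $inSystem32 = $file.TrimStart().StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
        $exists = Test-Path -LiteralPath $file

        if (-not $inSystem32 -or -not $exists) {
            $findings += [pscustomobject]@{
                Check   = "Service:$svc"
                Subject = $label
                Detail  = "value='$value' inSystem32=$inSystem32 exists=$exists"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Eagerbee-related file names or unusual service DLL paths found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script deliberately reports rather than remediates: a legitimate ServiceDll can sit outside System32 on some builds, and a hit on a file name alone is not confirmation. Pair its output with the hashes and network indicators in the Kaspersky report, and with the Exchange patch status check the article recommends, before drawing conclusions.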
