January 7, 2025
Severity
High
Analysis Summary
New iterations of the Eagerbee malware architecture are targeting Middle Eastern government agencies and internet service providers (ISPs). According to researchers, the malware was previously detected in operations carried out by Chinese state-sponsored threat actors known as "Crimson Palace".
Based on code similarities and IP address overlaps, researchers have released a fresh analysis that suggests a possible link to a threat group they term "CoughingDown." The researchers concluded with a medium level of confidence that the Eagerbee backdoor is associated with the CoughingDown threat group due to the regular creation of services on the same day via the same webshell to execute the Eagerbee backdoor and the CoughingDown Core Module, as well as the C2 domain overlap between the two.
Although researchers were unable to identify the first point of entry for the Middle East attacks, they noted that two East Asian businesses had previously been compromised through the use of the Microsoft Exchange ProxyLogon vulnerability (CVE-2021-26855). To load the payload file (ntusers0.dat), an injector (tsvipsrv.dll) is deployed and dropped in the system32 directory. Windows starts the injector, which then leverages SessionEnv, IKEEXT, MSDTC, and the 'Themes' service to write the backdoor payload in memory through DLL hijacking.
Although the backdoor can be made to run at certain periods, researchers said that it was designed to run continuously in the attacks that were spotted. Eagerbee first manifests as 'dllloader1x64.dll' on the compromised system, and it starts gathering basic data like network addresses and operating system information right away. To receive more plugins that expand its capability, it first creates a TCP/SSL channel with the command-and-control (C2) server. A plugin orchestrator (ssss.dll) injects the plugins into memory and controls how they are executed.
Eagerbee is a persistent and covert threat with a wide range of capabilities on infected computers. The attacks are worldwide: the identical backdoor-loading chain was also found in Japan. To detect intrusions early, organizations should apply the indicators of compromise mentioned in the report and patch ProxyLogon on all Exchange servers.
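As an added defensive example (not part of the original advisory), the following Python scans constructed log lines for the artifact file names, the abused service names, and the C2 domains given in this advisory; the key=value log format and the sample lines are assumptions, not real telemetry.

```python
import re

# Indicators taken from the advisory: dropped/loaded files, abused services, C2 domains.
EAGERBEE_FILES = {"tsvipsrv.dll", "ntusers0.dat", "dllloader1x64.dll", "ssss.dll"}
HIJACKED_SERVICES = {"sessionenv", "ikeext", "msdtc", "themes"}
C2_DOMAINS = {"www.socialentertainments.store", "www.rambiler.com"}

# Constructed sample log in a simplified key=value format (assumption, not real telemetry).
SAMPLE_LOG = """\
ts=2025-01-07T10:01:11Z event=FileCreate image=C:\\Windows\\explorer.exe target=C:\\Windows\\System32\\TSVIPSRV.DLL
ts=2025-01-07T10:01:12Z event=FileCreate image=C:\\Windows\\explorer.exe target=C:\\Windows\\System32\\ntusers0.dat
ts=2025-01-07T10:02:03Z event=ServiceStart service=SessionEnv image=C:\\Windows\\System32\\svchost.exe
ts=2025-01-07T10:02:05Z event=ImageLoad image=C:\\Windows\\System32\\svchost.exe target=C:\\Windows\\System32\\tsvipsrv.dll
ts=2025-01-07T10:02:09Z event=DnsQuery image=C:\\Windows\\System32\\svchost.exe query=www.rambiler.com
ts=2025-01-07T10:05:00Z event=FileCreate image=C:\\Windows\\System32\\msiexec.exe target=C:\\Program Files\\App\\helper.dll
ts=2025-01-07T10:06:00Z event=DnsQuery image=C:\\Windows\\explorer.exe query=www.microsoft.com
"""

def scan_line(line):
    """Return (indicator_type, value) hits for one log line; [] when nothing matches."""
    # Values may contain spaces (e.g. "Program Files"), so match lazily up to the next key=.
    fields = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))
    hits = []
    # File artifacts: compare on the case-folded basename, whatever the path separator.
    basename = fields.get("target", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename in EAGERBEE_FILES:
        hits.append(("file", basename))
    # Starts of the services the loader abuses are context for correlation, not proof alone.
    service = fields.get("service", "").lower()
    if fields.get("event") == "ServiceStart" and service in HIJACKED_SERVICES:
        hits.append(("service", service))
    # DNS lookups of the known C2 domains (strip a trailing dot from FQDN form).
    query = fields.get("query", "").lower().rstrip(".")
    if query in C2_DOMAINS:
        hits.append(("c2_domain", query))
    return hits

def scan_log(text):
    """Scan every non-empty line; return [(line_no, hits), ...] for lines with a hit."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line) if line.strip() else []
        if hits:
            findings.append((number, hits))
    return findings

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Only the file-name and C2-domain hits are strong on their own; a start of SessionEnv, IKEEXT, MSDTC or Themes is normal and is reported only so that an analyst can correlate it with a nearby artifact load.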
Impact
- Unauthorized Access
- Data Theft
- Code Execution
Indicators of Compromise
Domain Name
- www.socialentertainments.store
- www.rambiler.com
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.