A sophisticated variant of the EAGERBEE malware has been identified, targeting internet service providers and government bodies in the Middle East. This updated version, also known as Thumtais, exhibits enhanced backdoor features that mark a notable advancement in its functionality.

Advanced Backdoor Features

The new EAGERBEE variant integrates multiple components enabling it to deploy additional payloads, perform file system analysis, execute command shells, and more. The malware’s key plugins can be categorized into:

Plugin Orchestrator

File System Manipulation

Remote Access Management

Process Exploration

Network Connection Listing

Service Management

Attribution to CoughingDown

Kaspersky attributes this backdoor, with medium confidence, to a threat actor known as CoughingDown. Initially reported by Elastic Security Labs, EAGERBEE is connected with the espionage-centric group REF5961, considered state-sponsored and technologically straightforward, with capabilities for system enumeration and delivering post-exploitation payloads.

Global Cyber Espionage Connections

The malware has also been observed in use by Chinese state-aligned threat groups, specifically Cluster Alpha, within a broader espionage campaign termed Crimson Palace. Analysts note correlations between Cluster Alpha and other groups such as BackdoorDiplomacy, REF5961, Worok, and TA428. Such affiliations suggest significant cooperation and overlap in operational tactics and targets.

Technical Insights and Tactics

EAGERBEE operates predominantly in memory, leveraging an injector DLL to initiate the backdoor module, which gathers system details and transmits them to a remote server over TCP sockets. The server responds with a Plugin Orchestrator that processes system information, manages running processes, and executes commands. The orchestrator's plugin functions include:

Dynamic loading and unloading of plugins

Execution of commands to manage processes and network connections

Enhanced capability to remove or check plugins in memory

As detailed by Kaspersky, the framework's plugin architecture allows selective loading, letting attackers tailor their approach to the specifics of each target.

Deployment and Vulnerabilities

Recent attacks involving EAGERBEE have targeted organizations in East Asia, exploiting the ProxyLogon vulnerability (CVE-2021-26855) to install web shells and subsequently deploy the backdoor. EAGERBEE remains memory-resident, increasing its stealth profile and complicating detection efforts. The malware further conceals its presence by injecting malicious code into legitimate processes, facilitating integration with normal system activities to remain undetected by conventional security systems.

The evolving threat landscape highlighted by the latest EAGERBEE variant underscores the sophisticated tactics employed by advanced persistent threat groups, emphasizing the growing challenge for cybersecurity defense mechanisms in detecting and neutralizing such threats.
