
EAGERBEE is an updated malware framework that targets internet service providers (ISPs) and government organisations in the Middle East.


This updated EAGERBEE variant can load and run additional plugins, and through them it can enumerate, exfiltrate and modify the file system; execute commands remotely and control the host; enumerate and manipulate system processes; gather information about active network connections; and manipulate system services.

Kaspersky researchers have attributed this activity with medium confidence to the threat group known as CoughingDown, based on code similarities and observed tactics, techniques, and procedures (TTPs). 

EAGERBEE, initially identified by Elastic Security Labs and linked to the state-sponsored intrusion set REF5961, is designed for espionage. It communicates with the attacker's servers, receives commands and downloads further malicious programs. A version of EAGERBEE was later used by a Chinese hacking group (Cluster Alpha) in an operation called “Crimson Palace” to steal information such as military and political secrets from Southeast Asian governments.

Cluster Alpha is connected to other groups such as BackdoorDiplomacy, REF5961, Worok and TA428. BackdoorDiplomacy in turn shares similarities with a group called CloudComputing, which uses a sophisticated malware framework called QSC to target telecom companies in South Asia. QSC is designed to be flexible: it loads only the essential components into the computer's memory, which makes it harder to detect and remove and lets the attackers tailor each intrusion to its target. In recent attacks, EAGERBEE used an injection technique to load itself covertly into the target system, collect information about the computer and send it back to the attacker's server.

The communication and functionality of the Plugin Orchestrator component within EAGERBEE are as follows. First, the server sends the Plugin Orchestrator to the infected machine. The Orchestrator then gathers information about the machine, such as its name, available memory and time zone, which helps the attackers understand the environment they are operating in.

The primary function of the Orchestrator is to manage the loading and unloading of other malicious code (plugins) on infected machines. These plugins perform tasks such as stealing data, controlling the system and establishing communication channels.

Kaspersky said that EAGERBEE is being deployed in several organisations in East Asia. Two of them were breached through the ProxyLogon vulnerability (CVE-2021-26855), which was used to drop web shells; the web shells were then used to execute commands on the servers, leading to deployment of the backdoor.

EAGERBEE operates primarily in memory, which makes it difficult for traditional security software to detect. Its stealth and advanced techniques make it hard to detect and remove, potentially allowing attackers to maintain long-term access to sensitive systems and data.

Want your digital assets to be protected? 

CyberShelter provides innovative and modern cybersecurity products and niche services to individuals and organisations against all kinds of cyber threats.
