The Eagerbee backdoor operators target Middle Eastern entities

January 8, 2025

Hackers are deploying several variants of the Eagerbee malware framework to target Middle Eastern government organisations and internet service providers (ISPs).

This malware was recently deployed by Chinese threat actors in activity that researchers attributed to the Crimson Palace operation. Separate research also claimed that the recent attack could have a possible connection to a threat group known as CoughingDown.

This assessment was based on the code similarities and IP address overlaps present in the cybercriminal operation against Middle Eastern entities.

However, the researchers said they could attribute the current attack to the CoughingDown APT group only with medium confidence.

The Eagerbee backdoor still has an unidentified attack vector to execute its infection process.

According to reports, the researchers have yet to identify the exact initial access vector of the Eagerbee backdoor for attacking the Middle East.

Still, the assessment claimed that in previous cases, two East Asian firms were accessed by exploiting the Microsoft Exchange ProxyLogon flaw. The cyberattack involves installing an injector in the system32 directory to load the payload file.

Windows starts the injector, which then leverages the ‘Themes’ service, SessionEnv, IKEEXT, and MSDTC, to write the backdoor payload in memory via DLL hijacking. The attackers may design the backdoor to run at specified times, but the researchers claim it was set to run continuously in the detected attacks.

Further studies also discovered that Eagerbee appears on the infected system as ‘dllloader1x64.dll’ and instantly initiates the collection of essential information such as operating system characteristics and network addresses.

Upon initialisation, it opens a TCP/SSL channel with the C2 server, from which it can accept further plugins to expand its capability. Subsequently, the plugin orchestrator (ssss.dll) injects the plugins into memory and also handles their execution.

Overall, Eagerbee is a stealthy and persistent malware strain with broad capabilities on compromised systems. The identical backdoor-loading chain also allegedly appeared in Japan, indicating that the attacks are expanding.

Organisations should fix ProxyLogon on all Exchange servers and use publicly available IoCs to spot the compromise and mitigate its effects.
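The loading chain described above (service DLL hijacking through Themes, SessionEnv, IKEEXT and MSDTC) and the reported file names (dllloader1x64.dll, ssss.dll) can be turned into a simple host check. The following Python script is an added example, not code from the article or the researchers it cites: it compares the DLL or executable registered for each of those services against the stock Microsoft file name and location, and flags any file carrying one of the reported names. The expected file names for Themes, SessionEnv and IKEEXT (themeservice.dll, sessenv.dll, ikeext.dll) and the treatment of MSDTC as a stand-alone msdtc.exe are my assumptions from stock Windows installs and should be confirmed against a known-good host; the sample registry values are constructed to show one hijacked service and one relocated executable. On a live Windows host, collect_live() reads the same values from HKLM\SYSTEM\CurrentControlSet\Services.

```python
"""Audit service DLL registrations for the Eagerbee-style hijack pattern (added example)."""
import ntpath
from dataclasses import dataclass

# Services the article reports as abused for DLL hijacking. The expected host DLL for each
# svchost-hosted service is an assumption based on stock Windows installs; verify it against
# a known-good machine before relying on it.
EXPECTED_SERVICE_DLL = {
    "Themes": "themeservice.dll",
    "SessionEnv": "sessenv.dll",
    "IKEEXT": "ikeext.dll",
}
# MSDTC runs as its own executable rather than a svchost ServiceDll (assumption), so its
# ImagePath is checked instead.
EXPECTED_IMAGE_PATH = {"MSDTC": "msdtc.exe"}

# File names the article reports for the backdoor and its plugin orchestrator.
KNOWN_BAD_FILENAMES = {"dllloader1x64.dll", "ssss.dll"}

SYSTEM32 = r"c:\windows\system32"


@dataclass
class Finding:
    service: str
    value: str
    reason: str


def _normalise(path):
    """Lower-case a registry path and expand the %SystemRoot% form the registry commonly uses."""
    p = path.strip().strip('"').lower()
    return p.replace("%systemroot%", r"c:\windows")


def _check(service, raw, expected_name, label):
    """Return a Finding for one registered path, or None if it matches the expected file."""
    p = _normalise(raw)
    if label == "ImagePath":
        # ImagePath may carry arguments after the executable; keep only the executable token.
        p = p if p.endswith(".exe") else p.split(".exe ", 1)[0] + ".exe"
    name = ntpath.basename(p)
    if name in KNOWN_BAD_FILENAMES:
        return Finding(service, raw, f"{label} is a reported Eagerbee filename")
    if name != expected_name:
        return Finding(service, raw, f"{label} {name} differs from expected {expected_name}")
    if ntpath.dirname(p) != SYSTEM32:
        return Finding(service, raw, f"{label} lives outside System32")
    return None


def audit_service_dlls(service_dlls, image_paths):
    """service_dlls / image_paths map service name -> registered path as read from the registry."""
    findings = []
    for svc, expected in EXPECTED_SERVICE_DLL.items():
        raw = service_dlls.get(svc)
        if raw is None:
            findings.append(Finding(svc, "", "no ServiceDll registered"))
            continue
        f = _check(svc, raw, expected, "ServiceDll")
        if f:
            findings.append(f)
    for svc, expected in EXPECTED_IMAGE_PATH.items():
        raw = image_paths.get(svc)
        if raw is None:
            findings.append(Finding(svc, "", "no ImagePath registered"))
            continue
        f = _check(svc, raw, expected, "ImagePath")
        if f:
            findings.append(f)
    return findings


def scan_filenames(paths):
    """Return the paths whose file name matches one of the reported Eagerbee file names."""
    return [p for p in paths if ntpath.basename(p).lower() in KNOWN_BAD_FILENAMES]


def collect_live():
    """Read the real values from the local registry (Windows only; uses the standard winreg module)."""
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services"
    dlls, images = {}, {}
    for svc in EXPECTED_SERVICE_DLL:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\" + svc + r"\Parameters") as k:
                dlls[svc] = winreg.QueryValueEx(k, "ServiceDll")[0]
        except OSError:
            pass
    for svc in EXPECTED_IMAGE_PATH:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\" + svc) as k:
                images[svc] = winreg.QueryValueEx(k, "ImagePath")[0]
        except OSError:
            pass
    return dlls, images


# Constructed sample values: IKEEXT has been redirected to the reported backdoor file name
# and MSDTC's executable has been relocated outside System32.
SAMPLE_SERVICE_DLLS = {
    "Themes": r"%SystemRoot%\System32\themeservice.dll",
    "SessionEnv": r"%SystemRoot%\system32\sessenv.dll",
    "IKEEXT": r"C:\Windows\System32\dllloader1x64.dll",
}
SAMPLE_IMAGE_PATHS = {"MSDTC": r"C:\ProgramData\msdtc.exe"}

if __name__ == "__main__":
    for f in audit_service_dlls(SAMPLE_SERVICE_DLLS, SAMPLE_IMAGE_PATHS):
        print(f"[!] {f.service}: {f.reason} ({f.value})")
```

Run against the constructed sample it reports IKEEXT and MSDTC; a clean host produces no findings. The check is deliberately strict about both file name and directory, since a hijack can keep the legitimate name in a different location or plant a different name in System32.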
