New EggStreme Malware With Fileless Capabilities Leverages DLL Sideloading to Execute Payloads


A previously unknown advanced persistent threat (APT) group has unleashed a new fileless malware framework, dubbed EggStreme, in a highly targeted espionage campaign against strategic organizations.

Emerging in early 2024, EggStreme exploits the legitimate Windows Mail executable (WinMail[.]exe) to sideload a malicious library, allowing attackers to achieve in-memory code execution without writing decrypted payloads to disk.

This technique evades traditional file-based defenses and has set off alarms among security teams operating in sensitive sectors.


The attack chain begins when a logon script delivered via an exposed SMB share executes WinMail[.]exe from the user’s AppData directory.

Instead of loading the genuine .NET runtime library, the binary inadvertently loads mscorsvc[.]dll, which contains the first stage loader.

Once loaded, this DLL establishes a reverse shell by invoking cmd[.]exe and creating read/write pipes to a command-and-control (C2) server.

Lateral movement and persistence are then orchestrated through hijacked Windows services that run with elevated privileges.

Bitdefender analysts noted that the EggStreme framework is composed of multiple tightly integrated components, each responsible for a distinct phase of the operation.

The EggStremeLoader, registered as a service, reads an encrypted payload file (ielowutil[.]exe[.]mui) and extracts two more layers: a reflective loader and the core backdoor agent.

By leveraging reflective injection into trusted processes like winlogon.exe or explorer.exe, the adversary ensures continuous execution in memory.

This multi-stage approach, with each layer decrypted and injected only when needed, makes detection exceedingly difficult.

In its final form, the EggStremeAgent establishes a gRPC-based communication channel secured by mutual TLS, authenticating with certificates issued by a shared malicious certificate authority.

EggStreme multi-stage infection flow (Source – Bitdefender)

Once the backdoor is in memory, its 58 commands enable remote fingerprinting, file manipulation, registry operations, process injection, and sophisticated lateral movement such as RPC scans and WMIC-based remote process creation.

Infection Mechanism and DLL Sideloading

EggStreme’s initial infection leverages a subtle but powerful code snippet to hijack the search order for Windows libraries.

EggStremeWizard (Source – Bitdefender)

By placing a malicious DLL alongside WinMail.exe, the malware forces the legitimate binary to load attacker-controlled code. A representative snippet is shown below:

#include <windows.h>

// Pseudo-code illustrating DLL sideloading: the DLL is requested by bare name,
// so the Windows loader checks the application directory before the system path.
static void load_runtime(void)
{
    HMODULE hModule = LoadLibraryA("mscorsvc[.]dll");
    if (hModule) {
        FARPROC pFunc = GetProcAddress(hModule, "CorBindToRuntime");
        if (pFunc) {
            pFunc();  // control passes to whatever the resolved DLL exports under this name
        }
    }
}

When WinMail.exe calls LoadLibraryA("mscorsvc[.]dll"), the Windows loader searches the local directory first, finding the malicious DLL instead of the system version.
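The pattern above (a DLL that should live under the Windows directory sitting beside an executable in a user-writable folder) can be hunted for across a fleet from a plain file inventory. The following Python is an added example, not Bitdefender's code or anything from the EggStreme analysis; the inventory paths and the seed list of DLL names are constructed for illustration, and a real hunt would seed the list from an inventory of the system directories.

```python
"""Hunt for DLL search-order hijack candidates in a file inventory.

Added example (not from the original article). Input is a list of Windows file
paths such as an EDR or asset-inventory export. A directory is flagged when it
is user-writable and contains both an .exe and a DLL whose name belongs to a
library that legitimately lives under the Windows directory.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed seed list: DLL names whose legitimate copies live under %SystemRoot%.
# mscorsvc.dll is the name abused in the WinMail.exe case described above.
SYSTEM_DLLS = {"mscorsvc.dll", "mscoree.dll", "version.dll", "wininet.dll", "dbghelp.dll"}

# Directory fragments that indicate a location an unprivileged user can write to.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def is_user_writable(directory: str) -> bool:
    """Heuristic: does the directory path contain a user-writable fragment?"""
    d = directory.lower().rstrip("\\") + "\\"
    return any(hint in d for hint in USER_WRITABLE_HINTS)


def find_sideload_candidates(file_inventory):
    """Return (exe_path, dll_path) pairs that match the sideloading pattern."""
    by_dir = defaultdict(set)
    for raw in file_inventory:
        p = PureWindowsPath(raw)
        # Group case-insensitively: NTFS paths are case-insensitive.
        by_dir[str(p.parent).lower()].add(p.name.lower())

    findings = []
    for directory, names in sorted(by_dir.items()):
        if not is_user_writable(directory):
            continue  # DLLs beside an exe in Program Files or System32 are expected
        exes = sorted(n for n in names if n.endswith(".exe"))
        dlls = sorted(n for n in names if n in SYSTEM_DLLS)
        for exe in exes:
            for dll in dlls:
                findings.append((str(PureWindowsPath(directory, exe)),
                                 str(PureWindowsPath(directory, dll))))
    return findings


# Constructed inventory: one sideloading pair, one legitimate .NET directory,
# and a benign tool with a helper DLL that does not use a system DLL name.
SAMPLE_INVENTORY = [
    r"C:\Users\alice\AppData\Local\WinMail\WinMail.exe",
    r"C:\Users\alice\AppData\Local\WinMail\mscorsvc.dll",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll",
    r"C:\Users\bob\AppData\Roaming\Tool\tool.exe",
    r"C:\Users\bob\AppData\Roaming\Tool\helper.dll",
]

if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_INVENTORY):
        print(f"review: {dll} loaded beside {exe}")
```

The heuristic deliberately ignores non-writable directories, so a hit is always "a Windows-named DLL in a place an unprivileged user could have put it", which is the property that makes the WinMail.exe case work; triage should then compare the flagged DLL's hash and signature against the copy under the Windows directory.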

The loader decrypts its payload using an RC4 key ("Cookies"), checks for an on-disk configuration at %APPDATA%\Microsoft\Windows\Cookies\Cookies[.]dat, and updates its in-memory C2 list accordingly.

The initial handshake comprises a 32-byte RC4-encrypted key exchange, ensuring integrity before the shell is created.

Persistence is achieved through two complementary approaches. In some instances, the attackers alter the ServiceDLL registry value under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters to point to a malicious DLL.

In others, they replace service binaries and grant SeDebugPrivilege, allowing the malicious payload to run under the context of a trusted Windows service.

Both methods ensure that EggStreme components are reloaded on every reboot, maintaining a resilient foothold.
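Both persistence methods leave a trace in the service configuration: a ServiceDLL or ImagePath value that points somewhere a Windows service normally would not. The following Python audit is an added example, not Bitdefender's code; the service snapshot is constructed, and the set of trusted roots is a starting point that a real deployment would extend with an allowlist of third-party service locations (Program Files and similar).

```python
"""Audit service ImagePath / ServiceDLL values for untrusted locations.

Added example (not from the original article). The snapshot mimics what an
export of HKLM\\SYSTEM\\CurrentControlSet\\Services would yield: the service
name, its ImagePath, and the Parameters\\ServiceDLL value when present.
"""
import ntpath
import re

# Locations from which Windows' own services and svchost-hosted DLLs are expected
# to load. Constructed for the example; extend with a vetted allowlist in practice.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\microsoft.net",
)


def normalize_path(raw: str) -> str:
    """Extract the executable/DLL path from a registry value and canonicalize it.

    Handles quoted paths, trailing svchost arguments (-k netsvcs), and the
    %SystemRoot% / %windir% variables that service entries commonly use.
    """
    m = re.match(r'"([^"]+)"|(\S+)', raw.strip())
    path = (m.group(1) or m.group(2)) if m else raw.strip()
    path = re.sub(r"%(systemroot|windir)%", r"C:\\Windows", path, flags=re.I)
    return ntpath.normpath(path).lower()


def audit_services(snapshot):
    """Return (service, value_name, normalized_path) for every untrusted location."""
    findings = []
    for svc in snapshot:
        for value_name in ("ImagePath", "ServiceDLL"):
            raw = svc.get(value_name)
            if not raw:
                continue
            path = normalize_path(raw)
            if not path.startswith(TRUSTED_ROOTS):
                findings.append((svc["name"], value_name, path))
    return findings


# Constructed snapshot: a clean svchost-hosted service, a service whose
# ServiceDLL has been redirected to ProgramData, and a service whose binary
# lives under Users\Public (standing in for a replaced service binary).
SAMPLE_SNAPSHOT = [
    {"name": "BITS",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
     "ServiceDLL": r"%SystemRoot%\System32\qmgr.dll"},
    {"name": "ProfSvc",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "ServiceDLL": r"C:\ProgramData\update\profsvc.dll"},
    {"name": "ExampleSvc",
     "ImagePath": r'"C:\Users\Public\svc\loader.exe" --service',
     "ServiceDLL": None},
]

if __name__ == "__main__":
    for name, value_name, path in audit_services(SAMPLE_SNAPSHOT):
        print(f"review: {name} {value_name} -> {path}")
```

Because the check is purely on where the value points, it also catches a legitimate service whose ServiceDLL was swapped in place only if the path changed; for the binary-replacement variant described above, pair this audit with a hash or signature comparison of the file the path resolves to.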



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.