EAGERBEE Malware Updated Its Arsenal to Attack ISPs & Government Entities


Kaspersky researchers investigating the EAGERBEE backdoor found it deployed against ISPs and government entities in the Middle East, together with novel components, including a service injector that injects the backdoor into running services.

After installation, EAGERBEE deploys plugins with diverse functionalities, which together:

  • Manage the operations and coordination of all plugins.
  • Access and modify files within the system.
  • Facilitate remote control and management of the system.
  • Gather and analyze information about system processes.
  • Identify and list active network connections.
  • Control and manage system services.

How Does the Attack Work?

The attackers initially compromised the system through an unknown vector. They deployed a service injector (“tsvipsrv.dll”) and the “ntusers0.dat” payload, which leveraged the “SessionEnv” service to execute. This involved modifying file attributes and manipulating the service to load the malicious DLL.

The “ntusers0.dat” payload contains the “EAGERBEE” backdoor, which collects system information, encrypts its configuration, and establishes a connection to the C2 server.

Upon successful connection, the backdoor receives a "Plugin Orchestrator" payload from the C2 server and executes it; the orchestrator employs a plugin-based architecture.

A core orchestrator DLL, “ssss.dll,” is injected into memory, which collects system information, including running processes and privileges, and communicates with a command-and-control (C2) server. 

It then receives commands from the C2 server, the primary purpose of which is to manage plugins: dynamic link libraries (DLLs) that export functions for injection, initialization, and execution.

Key plugins include a File Manager, capable of file system operations like listing, copying, deleting, and injecting payloads, and a Process Manager, which can list, terminate, and launch processes. 

The orchestrator loads and unloads plugins on demand, allowing the attacker to extend the backdoor’s capabilities dynamically, which enhances flexibility and stealth, enabling the attacker to perform various malicious activities on the compromised system.

In East Asia, the EAGERBEE backdoor was deployed by exploiting the ProxyLogon vulnerability in Exchange servers. Attackers used plugins like Remote Access Manager, Service Manager, and Network Manager to establish remote access, manipulate services, and gather system information.

They abused legitimate services like MSDTC, IKEEXT, and SessionEnv to load malicious DLLs, including an oci.dll linked to the CoughingDown group; these DLLs acted as loaders for the EAGERBEE backdoor, leveraging techniques like service manipulation and privilege escalation.
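The loader technique described above (a legitimate Windows service such as SessionEnv, IKEEXT, or MSDTC made to load an attacker DLL like tsvipsrv.dll or oci.dll) can be hunted for from the service configuration. The following is an added example, not code from Kaspersky or Securelist, written from the defender's side: it takes service records of the kind exported from the Services registry hive or an EDR/osquery query, and flags a watched service whose ServiceDll matches a DLL named in the article, differs from an assumed clean baseline, or lives outside System32. The baseline DLL names and the System32 location are assumptions drawn from a stock Windows install and should be verified against your own golden image; the sample records are constructed.

```python
"""Hunt for suspicious DLLs on the Windows services the EAGERBEE report names.

Added example, not part of the original article. Input records mimic an
export of HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters\\ServiceDll.
"""
import ntpath  # Windows path handling that works on any host OS

# Services the article says were abused as DLL loaders.
WATCHED_SERVICES = {"sessionenv", "ikeext", "msdtc"}

# DLL file names the article associates with the intrusions.
KNOWN_BAD_DLLS = {"tsvipsrv.dll", "oci.dll"}

# Assumed clean baseline (stock Windows): which ServiceDll each svchost-hosted
# service should reference. MSDTC runs as msdtc.exe and normally has no
# ServiceDll at all, so any ServiceDll on it is itself suspicious.
BASELINE_SERVICEDLL = {
    "sessionenv": "sessenv.dll",
    "ikeext": "ikeext.dll",
}

SYSTEM32 = r"c:\windows\system32"  # assumed system root location


def _normalize(path: str) -> str:
    """Lower-case, expand %SystemRoot%, and normalise separators."""
    lowered = path.lower().replace("%systemroot%", r"c:\windows")
    return ntpath.normpath(lowered)


def classify_service(record: dict) -> list:
    """Return the reasons a service record looks tampered (empty list = clean)."""
    name = record["name"].lower()
    reasons = []
    if name not in WATCHED_SERVICES:
        return reasons
    dll = record.get("service_dll")
    if not dll:
        return reasons
    ndll = _normalize(dll)
    base = ntpath.basename(ndll)
    if base in KNOWN_BAD_DLLS:
        reasons.append(f"ServiceDll {base} matches a DLL named in the EAGERBEE report")
    expected = BASELINE_SERVICEDLL.get(name)
    if expected is None:
        reasons.append(f"{record['name']} should not be svchost-hosted but has ServiceDll {base}")
    elif base != expected:
        reasons.append(f"ServiceDll {base} differs from baseline {expected}")
    if not ndll.startswith(SYSTEM32 + "\\"):
        reasons.append(f"ServiceDll lives outside System32: {ndll}")
    return reasons


def flag_oci_dll(file_paths) -> list:
    """MSDTC resolves oci.dll through the DLL search order; on a host without an
    Oracle client it should not exist in System32 (assumed location)."""
    normalised = (_normalize(p) for p in file_paths)
    return [p for p in normalised
            if ntpath.basename(p) == "oci.dll" and p.startswith(SYSTEM32 + "\\")]


def hunt(records) -> list:
    """Return (host, service, reasons) for every record that raised a reason."""
    out = []
    for r in records:
        reasons = classify_service(r)
        if reasons:
            out.append((r.get("host", "?"), r["name"], reasons))
    return out


# Constructed sample export: one clean host and one host showing the pattern.
SAMPLE_RECORDS = [
    {"host": "srv01", "name": "SessionEnv", "service_dll": r"%SystemRoot%\System32\sessenv.dll"},
    {"host": "srv01", "name": "MSDTC", "service_dll": None},
    {"host": "srv02", "name": "SessionEnv", "service_dll": r"C:\Windows\System32\tsvipsrv.dll"},
    {"host": "srv02", "name": "IKEEXT", "service_dll": r"C:\ProgramData\ikeext.dll"},
    {"host": "srv02", "name": "Spooler", "service_dll": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for host, svc, why in hunt(SAMPLE_RECORDS):
        print(f"{host}: {svc}: " + "; ".join(why))
    for p in flag_oci_dll([r"C:\Windows\System32\oci.dll", r"C:\Oracle\bin\oci.dll"]):
        print("oci.dll present where MSDTC would load it:", p)
```

Run against a real export, the interesting output is any watched service whose DLL is not the baseline one; a baseline mismatch with a file outside System32 is the stronger signal, since it also implies the attacker could write the DLL without touching the protected system directory.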

According to Securelist, the threat is memory-resident and relies on stealthy techniques like injecting code into legitimate processes (e.g., dllhost.exe) and executing within user sessions, which hinders detection.

Evidence, such as consistent service creation and C2 domain overlap, suggests a link between EAGERBEE and the CoughingDown threat group in these cases.

However, the initial infection vector and the group responsible for EAGERBEE deployments in the Middle East remain unidentified.


IOCs for SOC/DFIR Teams

Service Injector
183f73306c2d1c7266a06247cedd3ee2

EAGERBEE backdoor compressed file
9d93528e05762875cf2d160f15554f44

EAGERBEE backdoor decompress
c651412abdc9cf3105dfbafe54766c44

EAGERBEE backdoor decompress and fix
26d1adb6d0bcc65e758edaf71a8f665d

Plugin Orchestrator
cbe0cca151a6ecea47cfaa25c3b1c8a8
35ece05b5500a8fc422cec87595140a7

Domains and IPs

62.233.57[.]94
82.118.21[.]230
194.71.107[.]215
151.236.16[.]167
www.socialentertainments[.]store
www.rambiler[.]com
5.34.176[.]46
195.123.242[.]120
195.123.217[.]139
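The indicators above are published defanged (the `[.]` notation), so they have to be refanged before they can be compared with telemetry. The following is an added example, not code from the original article: it refangs the article's network IOCs, matches them against proxy and DNS log lines, and matches the article's MD5 hashes against a file-hash inventory. The log lines, file paths, and the second "clean" hash are constructed for illustration. It goes slightly beyond exact matching: for a `www.` IOC it also reports, at lower confidence, other hostnames under the same parent domain, a heuristic of this example rather than something the article states.

```python
"""Match the EAGERBEE IOCs from the article against local telemetry.

Added example, not part of the original article. IOC values are those
published above; log lines and the hash inventory are constructed.
"""
import re

# Network IOCs exactly as published (defanged).
DEFANGED_NETWORK_IOCS = [
    "62.233.57[.]94", "82.118.21[.]230", "194.71.107[.]215", "151.236.16[.]167",
    "www.socialentertainments[.]store", "www.rambiler[.]com",
    "5.34.176[.]46", "195.123.242[.]120", "195.123.217[.]139",
]

# MD5 IOCs from the article, labelled with the component they belong to.
MD5_IOCS = {
    "183f73306c2d1c7266a06247cedd3ee2": "Service Injector",
    "9d93528e05762875cf2d160f15554f44": "EAGERBEE backdoor compressed file",
    "c651412abdc9cf3105dfbafe54766c44": "EAGERBEE backdoor decompress",
    "26d1adb6d0bcc65e758edaf71a8f665d": "EAGERBEE backdoor decompress and fix",
    "cbe0cca151a6ecea47cfaa25c3b1c8a8": "Plugin Orchestrator",
    "35ece05b5500a8fc422cec87595140a7": "Plugin Orchestrator",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(ioc: str) -> str:
    """Turn the published '[.]' form back into a real dotted value."""
    return ioc.replace("[.]", ".")


def network_hits(log_lines) -> list:
    """Return (line_no, observed_value, match_kind) for every IOC sighting."""
    exact = {refang(i).lower() for i in DEFANGED_NETWORK_IOCS}
    # Heuristic: a www.<domain> IOC makes sibling hosts under <domain> worth a look.
    parents = {d[len("www."):] for d in exact if d.startswith("www.")}
    hits = []
    for n, line in enumerate(log_lines, 1):
        tokens = set(IP_RE.findall(line)) | {h.lower() for h in HOST_RE.findall(line)}
        for t in sorted(tokens):
            if t in exact:
                hits.append((n, t, "exact"))
                continue
            for p in parents:
                if t == p or t.endswith("." + p):
                    hits.append((n, t, "parent-domain:" + p))
    return hits


def hash_hits(inventory) -> list:
    """inventory: iterable of (path, md5). Returns (path, md5, label) matches."""
    out = []
    for path, md5 in inventory:
        key = md5.lower()
        if key in MD5_IOCS:
            out.append((path, key, MD5_IOCS[key]))
    return out


# Constructed sample telemetry (10.0.0.0/8 and 203.0.113.0/24 are private/test ranges).
SAMPLE_LOG_LINES = [
    "2025-01-06T10:01:22Z dns query src=10.0.0.15 qname=www.rambiler.com type=A",
    "2025-01-06T10:01:23Z proxy src=10.0.0.15 dst=62.233.57.94:443 method=CONNECT",
    "2025-01-06T10:02:00Z proxy src=10.0.0.22 dst=203.0.113.10:443 method=CONNECT",
    "2025-01-06T10:03:11Z dns query src=10.0.0.15 qname=cdn.socialentertainments.store type=A",
]

# Constructed file-hash inventory; the zero hash stands in for a clean file.
SAMPLE_INVENTORY = [
    (r"C:\evidence\host01\tsvipsrv.dll", "183F73306C2D1C7266A06247CEDD3EE2"),
    (r"C:\evidence\host01\sessenv.dll", "00000000000000000000000000000000"),
    (r"C:\evidence\host01\ntusers0.dat", "9d93528e05762875cf2d160f15554f44"),
]

if __name__ == "__main__":
    for line_no, value, kind in network_hits(SAMPLE_LOG_LINES):
        print(f"line {line_no}: {value} ({kind})")
    for path, md5, label in hash_hits(SAMPLE_INVENTORY):
        print(f"{path}: {md5} -> {label}")
```

Exact matches on the published values are the actionable ones; a parent-domain match only says the host shares a registrable domain with an IOC and should be confirmed before any response action is taken on it.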
