A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme.
This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads.
The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.
In early 2024, a Philippine defense contractor became the target of a sophisticated cyber-espionage campaign.
Investigation revealed a previously unseen malware framework, dubbed EggStreme, whose advanced fileless design and DLL sideloading techniques enabled the attackers to evade detection and maintain stealthy, long-term access.
Indicators tie this operation to Chinese state-sponsored threat actors seeking strategic intelligence in the South China Sea region.
The EggStreme framework unfolds through a carefully orchestrated sequence of loaders and injectors.
It begins when an attacker executes a logon script on an SMB share, which deploys a legitimate Mail binary (WinMail.exe) alongside a malicious DLL (mscorsvc.dll) into the %APPDATA%\Microsoft\Windows\Windows Mail directory.
When WinMail.exe launches, it sideloads the DLL—EggStremeFuel—triggering the first-stage loader. EggStremeFuel performs system fingerprinting and establishes a reverse shell to the attacker’s C2 infrastructure.
Next, EggStremeLoader, registered as a Windows service, decrypts two additional encrypted payloads—EggStremeReflectiveLoader and EggStremeAgent—from a resource file (ielowutil.exe.mui).
The reflective loader injects EggStremeAgent into a trusted process (winlogon.exe, MsMpEng.exe, or explorer.exe) entirely in memory. This fileless injection ensures the decrypted code never touches disk in plain form, thwarting traditional antivirus and endpoint detection systems.
EggStremeAgent Backdoor
EggStremeAgent functions as the core backdoor, communicating with C2 servers over mutual TLS using gRPC.
On startup, it monitors for new user sessions. Upon detecting explorer.exe under a user context, it decrypts and injects EggStremeKeylogger into that process.
The keylogger captures keystrokes, clipboard contents, and window titles, encrypting logs and writing them to a hidden file in %LOCALAPPDATA%.
EggStremeAgent exposes 58 discrete commands, enabling detailed host reconnaissance, file and directory manipulation, process injection, privilege escalation, lateral movement, and data exfiltration.
Attackers leverage these capabilities to enumerate services and network shares, launch remote shells, deploy additional payloads, and harvest sensitive credentials.

A supplementary backdoor, EggStremeWizard, sideloaded via xwizard.exe, ensures redundancy by maintaining alternate C2 channels and reverse shell access.
To maintain persistence, the malware abuses manual or disabled Windows services—such as MSiSCSI, AppMgmt, and SWPRV—by either replacing legitimate service binaries or altering registry ServiceDLL values.
The tool’s initialization function is custom and hard-coded with specific parameters: a secret (d@rkn3ss) and a listening port (8531).

These services, configured with SeDebugPrivilege, launch EggStremeLoader on each system boot. The attackers maintain a network of C2 domains and IPs—linked via shared certificate authorities—to rotate infrastructure and evade takedowns.
Defensive Recommendations
Defenders should implement defense-in-depth measures to detect and disrupt EggStreme attacks. Monitoring for unusual DLL loads by trusted binaries, anomalous service registry modifications, and in-memory injection patterns can surface early indicators.
Enabling Windows Event Logging for process creation and service configuration changes, employing endpoint detection that inspects process memory, and conducting regular audits of service binaries and registry parameters will also strengthen resilience against fileless threats.
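The two detection ideas above (a trusted binary loading a DLL from a user-writable path, and a ServiceDLL value for one of the named services being pointed outside System32) as a small audit over Sysmon-style events. This is an added example, not code from the report or its authors; it assumes Sysmon event IDs 7 (image load) and 13 (registry value set) with their standard field names, and the sample events are constructed for illustration.

```python
"""Audit constructed Sysmon-style events for the EggStreme DLL-sideloading and
ServiceDLL persistence patterns. Sample events are constructed, not captured."""
import re

# Legitimate hosts the report names as DLL sideloading carriers.
SIDELOAD_HOSTS = {"winmail.exe", "xwizard.exe"}
# Services the report names as repurposed for persistence.
ABUSED_SERVICES = {"msiscsi", "appmgmt", "swprv"}
# A system binary loading a DLL from a user profile directory is suspect.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SERVICEDLL_KEY = re.compile(
    r"\\services\\(?P<svc>[^\\]+)\\parameters\\servicedll$", re.IGNORECASE)

def check_image_load(event):
    """Sysmon EID 7: known sideload host loading a DLL from a user-writable path."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image in SIDELOAD_HOSTS and USER_WRITABLE.search(event["ImageLoaded"]):
        return f"sideload: {image} loaded {event['ImageLoaded']}"
    return None

def check_registry_set(event):
    """Sysmon EID 13: ServiceDLL of an abused service pointing outside System32."""
    m = SERVICEDLL_KEY.search(event["TargetObject"])
    if not m or m.group("svc").lower() not in ABUSED_SERVICES:
        return None
    details = event["Details"].lower().replace("%systemroot%", r"c:\windows")
    if "\\windows\\system32\\" not in details:
        return f"persistence: {m.group('svc')} ServiceDLL -> {event['Details']}"
    return None

def audit(events):
    """Return the list of findings for a sequence of event dicts."""
    handlers = {7: check_image_load, 13: check_registry_set}
    findings = []
    for ev in events:
        hit = handlers.get(ev["EventID"], lambda e: None)(ev)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample events: one sideload, one benign load, one hijacked
# ServiceDLL (placeholder path), one legitimate ServiceDLL for AppMgmt.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Windows Mail\WinMail.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Windows Mail\mscorsvc.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Mail\WinMail.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDLL",
     "Details": r"C:\ProgramData\CONSTRUCTED_PLACEHOLDER\payload.dll"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDLL",
     "Details": r"%SystemRoot%\System32\appmgmts.dll"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```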
Remaining vigilant and adapting to advanced living-off-the-land tactics is critical. Join our LinkedIn Live discussion, Ctrl-Alt-DECODE, to explore the EggStreme framework in depth and ask our researchers questions on September 18.