Kaspersky Labs has uncovered a sophisticated cyberespionage campaign deploying the EAGERBEE backdoor to infiltrate internet service providers (ISPs) and governmental institutions in the Middle East. This report highlights the advanced capabilities of the EAGERBEE malware framework, its novel components, and its potential ties to the CoughingDown threat group.
The EAGERBEE backdoor brings an arsenal of plugins for malicious activity, including file system manipulation, remote access management, and process exploration. According to Kaspersky, “Our analysis uncovered new components used in these attacks, including a novel service injector designed to inject the backdoor into a running service.”
While the initial access vector remains unclear, the attackers used DLL hijacking to deploy the malware: they abused the legitimate Windows SessionEnv service, which loaded the malicious DLL tsvipsrv.dll (the backdoor injector), together with the payload file ntusers0.dat. Because the loader is a signed Windows service host, the hijacked DLL runs with the service's privileges and inherits its apparent legitimacy.
Once deployed, the backdoor collects extensive system information, such as the local computer’s NetBIOS name, OS details, and network addresses. It then establishes communication with a command-and-control (C2) server, and can wrap that channel in SSL/TLS. “The backdoor retrieves the proxy host and port information for the current user by reading the registry key,” the report elaborates. For defenders this matters: C2 traffic that honours the user's configured proxy will show up in proxy logs as ordinary outbound CONNECT requests rather than as direct egress.
EAGERBEE’s plugins are orchestrated by a dedicated module named ssss.dll, which is kept in memory rather than on disk to evade file-based detection. These plugins let the attackers manipulate files, manage processes, and maintain persistent remote access.
Kaspersky’s research reveals significant overlaps between EAGERBEE and the CoughingDown malware framework. The report notes, “This Core Module was configured to use the IP addresses 45.90.58[.]103 and 185.82.217[.]164 as its C2. The IP address 185.82.217[.]164 is known to be used as an EAGERBEE C2.” Despite these findings, attribution remains uncertain.
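The two concrete indicator types the article names, the hijacked-service DLL load described earlier and the C2 addresses quoted above, can be hunted for offline. The following is an added example, not code from Kaspersky's report or from the EAGERBEE analysis; the log line formats (a firewall/proxy log and a Sysmon-style ImageLoad record) and the "unsigned DLL loaded by svchost.exe from System32" heuristic are assumptions made for illustration, and the sample lines are constructed.

```python
"""Offline IoC matcher for the EAGERBEE artifacts named in the article.

Added example; the log formats and sample lines below are constructed for
illustration and are not taken from Kaspersky's report.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Set

# Indicators exactly as printed in the article (IPs are defanged there).
C2_IPS_DEFANGED = ("45.90.58[.]103", "185.82.217[.]164")
FILE_IOCS = frozenset({"tsvipsrv.dll", "ntusers0.dat", "ssss.dll"})


def refang(indicator: str) -> str:
    """Turn a defanged IP such as 1.2.3[.]4 back into a matchable form."""
    return indicator.replace("[.]", ".")


C2_IPS = frozenset(refang(ip) for ip in C2_IPS_DEFANGED)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KV_RE = re.compile(r"(\w+)=(\S+)")


def c2_hits(line: str) -> Set[str]:
    """Return every known EAGERBEE/CoughingDown C2 address seen in a line."""
    return {ip for ip in IPV4_RE.findall(line) if ip in C2_IPS}


def image_load_hit(line: str) -> Optional[str]:
    """Flag a Sysmon-style ImageLoad line (assumed key=value layout).

    Two checks: an exact match on the file names the article reports, and a
    heuristic (an assumption, not from the report) that an unsigned DLL
    loaded by svchost.exe out of System32 looks like a service DLL hijack.
    """
    fields = dict(KV_RE.findall(line))
    loaded = fields.get("ImageLoaded")
    if not loaded:
        return None
    loaded_name = PureWindowsPath(loaded).name.lower()
    loader_name = PureWindowsPath(fields.get("Image", "")).name.lower()
    if loaded_name in FILE_IOCS:
        return f"known EAGERBEE artifact loaded: {loaded}"
    unsigned = fields.get("Signed", "").lower() == "false"
    if loader_name == "svchost.exe" and unsigned and "system32" in loaded.lower():
        return f"unsigned DLL loaded by svchost.exe: {loaded}"
    return None


def scan(network_lines: List[str], image_load_lines: List[str]) -> List[str]:
    """Run both matchers and return human-readable findings."""
    findings = []
    for line in network_lines:
        for ip in sorted(c2_hits(line)):
            findings.append(f"C2 contact {ip}: {line}")
    for line in image_load_lines:
        hit = image_load_hit(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample input: one firewall hit, one benign flow, one proxied
# CONNECT to the second C2, then three ImageLoad records.
SAMPLE_NETWORK_LOG = [
    "2025-01-06T10:02:11Z fw allow src=10.0.0.15 dst=185.82.217.164 dport=443 proto=tcp",
    "2025-01-06T10:02:12Z fw allow src=10.0.0.15 dst=142.250.74.46 dport=443 proto=tcp",
    "2025-01-06T10:05:40Z proxy CONNECT 45.90.58.103:443 user=svc_backup",
]
SAMPLE_IMAGE_LOADS = [
    r"ImageLoad Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\tsvipsrv.dll Signed=false",
    r"ImageLoad Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true",
    r"ImageLoad Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\unknown.dll Signed=false",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_NETWORK_LOG, SAMPLE_IMAGE_LOADS):
        print(finding)
```

Keep the indicators defanged in the source file and refang at load time, so the list can be pasted from the report without accidentally creating live links; the heuristic branch will fire on any unsigned System32 DLL in svchost.exe, so treat those hits as triage leads rather than confirmed EAGERBEE.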
Kaspersky concludes, “Malware frameworks continue to advance as threat actors develop increasingly sophisticated tools for malicious activities.”