Internet service providers (ISPs) and governmental entities in the Middle East have been targeted using an updated variant of the EAGERBEE malware framework.
The new variant of EAGERBEE (aka Thumtais) comes fitted with various components that allow the backdoor to deploy additional payloads, enumerate file systems, and execute commands shells, demonstrating a significant evolution.
“The key plugins can be categorized in terms of their functionality into the following groups: Plugin Orchestrator, File System Manipulation, Remote Access Manager, Process Exploration, Network Connection Listing, and Service Management,” Kaspersky researchers Saurabh Sharma and Vasily Berdnikov said in an analysis.
The backdoor has been assessed by the Russian cybersecurity company with medium confidence to a threat group called CoughingDown.
EAGERBEE was first documented by the Elastic Security Labs, attributing it to a state-sponsored and espionage-focused intrusion set dubbed REF5961. A “technically straightforward backdoor” with forward and reverse C2 and SSL encryption capabilities, it’s designed to conduct basic system enumeration and deliver subsequent executables for post-exploitation.
Subsequently, a variant of the malware was observed in attacks by a Chinese state-aligned threat cluster tracked as Cluster Alpha as part of a broader cyber espionage operation codenamed Crimson Palace with an aim to steal sensitive military and political secrets from a high-profile government organization in Southeast Asia.
Cluster Alpha, per Sophos, overlaps with threat clusters tracked as BackdoorDiplomacy, REF5961, Worok, and TA428. BackdoorDiplomacy, for its part, is known to exhibit tactical similarities with another Chinese-speaking group codenamed CloudComputating (aka Faking Dragon), which has attributed to a multi-plugin malware framework referred to as QSC in attacks targeting the telecom industry in South Asia.
“QSC is a modular framework, of which only the initial loader remains on disk while the core and network modules are always in memory,” Kaspersky noted back in November 2024. “Using a plugin-based architecture gives attackers the ability to control which plugin (module) to load in memory on demand depending on the target of interest.”
In the latest set of attacks involving EAGERBEE, an injector DLL is designed to launch the backdoor module, which is then used to collect system information and exfiltrate the details to a remote server to which a connection is established via a TCP socket.
The server subsequently responds with a Plugin Orchestrator that, in addition to reporting system-related information to the server (e.g., NetBIOS name of the domain; physical and virtual memory usage; and system locale and time zone settings), harvests details about running processes and awaits further instructions –
- Receive and inject plugins into memory
- Unload a specific plugin from memory, remove the plugin from the list
- Remove all plugins from the list
- Check if the plugin is loaded or not
“All the plugins are responsible for receiving and executing commands from the orchestrator,” the researchers said, adding they perform file operations, manage processes, maintain remote connections, manage system services, and list network connections.
Kaspersky said it also observed EAGERBEE being deployed in several organizations in East Asia, with two of them breached using the ProxyLogon vulnerability (CVE-2021-26855) to drop web shells that were then used to execute commands on the servers, ultimately leading to the backdoor deployment.
“Among these is EAGERBEE, a malware framework primarily designed to operate in memory,” the researchers pointed out. “This memory-resident architecture enhances its stealth capabilities, helping it evade detection by traditional endpoint security solutions.”
“EAGERBEE also obscures its command shell activities by injecting malicious code into legitimate processes. These tactics allow the malware to seamlessly integrate with normal system operations, making it significantly more challenging to identify and analyze.”
