
Eagerbee malware targets Middle Eastern ISPs and governments


A newly uncovered malware framework, Eagerbee, has been deployed to compromise Internet Service Providers (ISPs) and governmental entities in the Middle East. This sophisticated malware operates in memory, using stealth tactics to evade detection and execute various malicious activities, and its design hints at potential ties to the infamous CoughingDown threat group.

Researchers discovered that Eagerbee’s advanced design enables attackers to manipulate files, access systems remotely, and manage processes and services, posing a significant threat to critical infrastructure.

Eagerbee’s hallmark is its memory-resident architecture, which enhances its stealth and its evasion of traditional endpoint detection systems. The backdoor integrates seamlessly with system processes, enabling attackers to perform malicious activities including file system manipulation, remote access, process exploration, and service management.

At the core of Eagerbee is its service injector component, which compromises legitimate Windows services to deploy and execute the backdoor. One such instance involves targeting the Themes service to allocate memory, write the backdoor’s code, and manage it using a custom stub. This process ensures a minimal footprint and avoids detection.

Following the backdoor’s installation, various plugins — modular components — enable advanced malicious operations:

  • File manager plugin: Handles file system tasks such as listing drives, renaming files, and injecting payloads into memory.
  • Process manager plugin: Manages system processes, including launching and terminating them.
  • Remote access manager: Facilitates remote desktop access and command shell execution.
  • Service manager plugin: Installs, stops, and enumerates system services.
  • Network manager plugin: Enumerates network connections, detailing local and remote addresses, ports, and the owning processes.

Furthermore, as researchers point out, these plugins rely on a Plugin Orchestrator module, which gathers victim-specific data and dynamically loads or unloads plugins based on command-and-control (C2) server commands. The orchestrator’s design underscores the modularity and adaptability of the Eagerbee framework.

The initial infection vector for Eagerbee remains unclear, though telemetry data reveals exploitation of the ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers as a key pathway in East Asian attacks. This vulnerability enabled attackers to upload malicious webshells, deploying Eagerbee loaders via legitimate Windows services such as MSDTC and SessionEnv.

When researchers analysed the malware’s components, they found that the oci.dll loader in particular shows a 25% code overlap with CoughingDown samples. Both also share command-and-control (C2) infrastructure, further strengthening the link between Eagerbee and the CoughingDown group.

Despite these connections, researchers could only establish a medium-confidence assessment of this relationship.

Eagerbee’s memory-resident nature and reliance on legitimate services for execution make it particularly challenging to detect. For instance, the malware masks its command shell activity by injecting malicious code into legitimate processes such as dllhost.exe, running within the context of explorer.exe or the targeted user’s session. Such techniques allow Eagerbee to remain operational without raising immediate red flags.
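The detection difficulty described above lends itself to a concrete triage heuristic. The Python script below is an added example and not code from the article or from the researchers it cites: it scans constructed process-creation and image-load events (a made-up JSON-lines format with hypothetical field names) for two behaviours the article names, a command shell spawned from dllhost.exe in a user's session and a Windows service host loading a DLL called oci.dll. The choice of service host images and the assumption that an oci.dll load in a service host is rare enough on the monitored fleet to be worth triage are assumptions of this example, not claims from the article.

```python
"""Triage constructed Windows telemetry for two behaviours the article
attributes to Eagerbee: a shell spawned from dllhost.exe in a user's session,
and a service host loading a DLL named oci.dll (the loader name reported).
Event format, field names and all sample lines are constructed for this
example; they are not the researchers' telemetry."""
import json
from dataclasses import dataclass

# Images that host the services the article names (MSDTC, SessionEnv, Themes).
# Assumption: SessionEnv and Themes run inside svchost.exe, MSDTC as msdtc.exe.
SERVICE_HOST_IMAGES = {"msdtc.exe", "svchost.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}


@dataclass
class Finding:
    rule: str       # which heuristic fired
    event_id: int   # id of the constructed event that triggered it
    detail: str     # human-readable summary for the analyst


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse one JSON object per line into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in lines if line.strip()]


def shell_from_dllhost(ev):
    """Flag a shell whose parent is dllhost.exe. The article describes the
    backdoor's command shell being injected into dllhost.exe in the user's
    session, so a shell child of dllhost.exe deserves an analyst's attention."""
    if ev.get("type") != "process_create":
        return None
    if (image_name(ev["parent_image"]) == "dllhost.exe"
            and image_name(ev["image"]) in SHELL_IMAGES):
        return Finding("shell_from_dllhost", ev["id"],
                       f"{ev['parent_image']} spawned {ev['image']} "
                       f"as {ev.get('user', '?')}")
    return None


def oci_dll_in_service_host(ev):
    """Flag a service host loading a DLL called oci.dll. Assumption for this
    example: such a load is rare enough on the monitored hosts to triage."""
    if ev.get("type") != "image_load":
        return None
    if (image_name(ev["image"]) in SERVICE_HOST_IMAGES
            and image_name(ev["loaded"]) == "oci.dll"):
        return Finding("oci_dll_in_service_host", ev["id"],
                       f"{ev['image']} loaded {ev['loaded']}")
    return None


RULES = (shell_from_dllhost, oci_dll_in_service_host)


def triage(lines):
    """Run every rule over every event and collect the findings in order."""
    findings = []
    for ev in parse_events(lines):
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry: two benign events and two that should fire.
SAMPLE_EVENTS = [
    r'{"id": 1, "type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", '
    r'"parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\alice"}',
    r'{"id": 2, "type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", '
    r'"parent_image": "C:\\Windows\\System32\\dllhost.exe", "user": "CORP\\alice"}',
    r'{"id": 3, "type": "image_load", "image": "C:\\Windows\\System32\\svchost.exe", '
    r'"loaded": "C:\\Windows\\System32\\ntdll.dll"}',
    r'{"id": 4, "type": "image_load", "image": "C:\\Windows\\System32\\msdtc.exe", '
    r'"loaded": "C:\\Windows\\System32\\oci.dll"}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Run as a script it prints one line per finding; on the constructed sample only event 2 (cmd.exe under dllhost.exe) and event 4 (msdtc.exe loading oci.dll) fire, while a user's own shell under explorer.exe and an ordinary system DLL load stay quiet. Before using heuristics like these on real telemetry, baseline them against the environment, since a legitimate application that ships its own oci.dll would otherwise generate noise.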

Researchers have urged organisations to remain vigilant, ensuring robust defences against ever-advancing cyber threats.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
