Eagerbee Backdoor: A New Threat Targeting ISPs and Governments in the Middle East


2025-01-07

In a recent discovery, Kaspersky researchers have uncovered new variants of the Eagerbee backdoor being deployed in sophisticated cyberattacks targeting Internet Service Providers (ISPs) and government entities in the Middle East. This advanced malware showcases a range of new attack components, including a service injector for backdoor deployment and plugins for payload delivery, file/system access, and remote control. The findings highlight the evolving tactics of threat actors and the growing complexity of cyber threats in the region.

Summary of the Eagerbee Backdoor Attack

1. Initial Access: The exact method of initial access remains unknown, but attackers deployed a backdoor injector (`tsvipsrv.dll`) and payload (`ntusers0.dat`) via the SessionEnv service.
2. Service Injector: The injector targets the Themes service, injecting the Eagerbee backdoor into its memory along with stub code to decompress the malware. After execution, it cleans up by restoring the original handler.
3. Backdoor Functionality: The backdoor, `dllloader1x64.dll`, collects system information such as NetBIOS name, OS details, processor architecture, and IP addresses. It uses a mutex (`mstoolFtip32W`) to ensure a single instance and includes a time check for execution within a weekly schedule, though it operates 24/7 in observed cases.
4. Configuration: The malware’s configuration is either stored in a file or hardcoded in the binary, containing C2 server details decoded using XOR. It retrieves proxy settings from the registry and connects to the C2 server directly or via proxy, supporting SSL/TLS if configured.
5. Plugin Orchestrator: After establishing a TCP connection, the backdoor sends system data to the C2 server, which responds with the Plugin Orchestrator. This orchestrator gathers additional data (domain name, memory usage, locale, etc.) and checks for elevated privileges.
6. Plugins: The backdoor uses DLL-based plugins, exporting three methods via ordinals. The orchestrator injects the plugin DLL into memory, initializes it, and executes its functionality. Five plugins were analyzed, enabling file/system access, payload delivery, and remote control.
7. Attack Attribution: Eagerbee was deployed in East Asian organizations, with two breaches linked to the ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers. Overlapping C2 domains and consistent service creation suggest a connection to the CoughingDown threat group.
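One way to turn the indicators in the summary above into hunting logic, as an added example that is not from the article or from Kaspersky's report: the file names (`tsvipsrv.dll`, `ntusers0.dat`, `dllloader1x64.dll`), the mutex name (`mstoolFtip32W`) and the two service names (SessionEnv, Themes) are the values the summary gives; the event schema (Sysmon-like dicts with `type`, `host`, `target`, `image_loaded`, `service`, `source_service`, `target_service` and `name` fields), the rule names and the sample records are constructed for illustration and are not a real product's schema.

```python
"""Hunt for Eagerbee-related indicators in endpoint telemetry.

Added example; not code from the article or from Kaspersky's report.
Indicator values come from the article summary. The event schema and the
sample records below are constructed assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Indicator values taken from the article; every other name in this file is constructed.
IOC_FILENAMES = {"tsvipsrv.dll", "ntusers0.dat", "dllloader1x64.dll"}
IOC_MUTEX = "mstoolFtip32W"
INJECTOR_SERVICE = "SessionEnv"   # service that loaded the injector DLL
TARGET_SERVICE = "Themes"         # service whose host process received the backdoor


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply each hunting rule to one telemetry record (constructed Sysmon-like dict)."""
    host = ev.get("host", "?")
    kind = ev.get("type")
    hits: list[Finding] = []

    # Rule 1: a file with one of the named injector/payload/backdoor names was written.
    if kind == "FileCreate" and _basename(ev.get("target", "")) in IOC_FILENAMES:
        hits.append(Finding("eagerbee_file_name", host, ev["target"]))

    # Rule 2: one of the named DLLs was actually mapped into a process. A module
    # load inside a service host is a stronger signal than the file existing on disk.
    if kind == "ImageLoad":
        img = _basename(ev.get("image_loaded", ""))
        if img in IOC_FILENAMES:
            svc = ev.get("service") or "unknown"
            hits.append(Finding("eagerbee_dll_loaded", host, f"{img} loaded in service {svc}"))

    # Rule 3: the single-instance mutex named in the report was created.
    # (Mutex telemetry is an assumed EDR event type, not a native Sysmon event.)
    if kind == "MutexCreate" and ev.get("name") == IOC_MUTEX:
        hits.append(Finding("eagerbee_mutex", host, ev["name"]))

    # Rule 4: a thread was injected from the SessionEnv host into the Themes host,
    # matching the service-injector behaviour described in the summary.
    if (kind == "RemoteThread"
            and ev.get("source_service") == INJECTOR_SERVICE
            and ev.get("target_service") == TARGET_SERVICE):
        detail = f"{ev.get('source_image')} -> {ev.get('target_image')}"
        hits.append(Finding("themes_service_injection", host, detail))

    return hits


def hunt(events: Iterable[dict]) -> list[Finding]:
    """Run every rule over a stream of events and collect the findings."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed sample telemetry: five records that should match, two that should not.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "host": "srv01", "target": r"C:\Windows\System32\tsvipsrv.dll"},
    {"type": "FileCreate", "host": "srv01", "target": r"C:\Windows\System32\ntusers0.dat"},
    {"type": "ImageLoad", "host": "srv01", "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\TSVIPSRV.DLL", "service": "SessionEnv"},
    {"type": "RemoteThread", "host": "srv01",
     "source_image": r"C:\Windows\System32\svchost.exe", "source_service": "SessionEnv",
     "target_image": r"C:\Windows\System32\svchost.exe", "target_service": "Themes"},
    {"type": "MutexCreate", "host": "srv01", "name": "mstoolFtip32W"},
    {"type": "FileCreate", "host": "ws07", "target": r"C:\Users\alice\report.docx"},
    {"type": "RemoteThread", "host": "ws07",
     "source_image": r"C:\Windows\System32\csrss.exe", "target_image": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed sample, the script reports two file-name hits, one module-load hit, one injection hit and one mutex hit on `srv01`, and nothing for the benign `ws07` records. File-name and mutex matches are cheap to evade by renaming, so the injection and module-load rules, which key on the behaviour (SessionEnv host writing a thread into the Themes host), are the ones worth keeping even if the specific names change.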

What Undercode Says:

The emergence of the Eagerbee backdoor underscores the increasing sophistication of cyberattacks targeting critical infrastructure and government entities. This malware exemplifies the growing trend of modular backdoors, where threat actors leverage plugins to extend functionality and adapt to different environments.

Key Insights:

1. Targeted Attacks: The focus on ISPs and government entities in the Middle East highlights the strategic importance of these sectors to threat actors. By compromising ISPs, attackers can potentially intercept communications, monitor activities, and launch further attacks.
2. Evolving Tactics: The use of a service injector and plugins demonstrates a shift toward more modular and flexible malware. This approach allows attackers to customize their tools for specific targets and evade detection by security solutions.
3. ProxyLogon Exploitation: The link to the ProxyLogon vulnerability emphasizes the continued exploitation of known vulnerabilities in widely used software. Organizations must prioritize patch management and vulnerability assessments to mitigate such risks.
4. Attribution Challenges: While the connection to the CoughingDown threat group is assessed with medium confidence, attribution remains complex. Overlapping C2 domains and tactics suggest potential collaboration or shared resources among threat actors.
5. Operational Security: The backdoor’s use of XOR-encoded configurations, mutexes, and time checks reflects a high level of operational security. These techniques complicate analysis and detection, requiring advanced threat-hunting capabilities.

Recommendations:

– Patch Management: Ensure timely patching of known vulnerabilities, especially in critical systems like Exchange servers.
– Network Monitoring: Implement robust network monitoring to detect unusual traffic patterns, such as connections to unknown C2 servers.
– Endpoint Protection: Deploy advanced endpoint protection solutions capable of detecting and blocking memory injection techniques.
– Threat Intelligence: Leverage threat intelligence to stay informed about emerging threats and tactics used by threat actors.
– Incident Response: Develop and regularly test incident response plans to ensure rapid containment and remediation of breaches.

The Eagerbee backdoor serves as a stark reminder of the persistent and evolving nature of cyber threats. As attackers continue to refine their techniques, organizations must adopt a proactive and multi-layered defense strategy to safeguard their critical assets and infrastructure.

References:

Reported By: Securityaffairs.com