Eagerbee backdoor deployed against Middle Eastern govt orgs, ISPs


New variants of the Eagerbee malware framework are being deployed against government organizations and internet service providers (ISPs) in the Middle East.

Previously, the malware was seen in attacks conducted by Chinese state-backed threat actors who Sophos tracked as ‘Crimson Palace.’

According to a new report by Kaspersky researchers, there’s a potential connection to a threat group they call ‘CoughingDown,’ based on code similarities and IP address overlaps.

“Because of the consistent creation of services on the same day via the same webshell to execute the EAGERBEE backdoor and the CoughingDown Core Module, and the C2 domain overlap between the EAGERBEE backdoor and the CoughingDown Core Module, we assess with medium confidence that the EAGERBEE backdoor is related to the CoughingDown threat group,” explains Kaspersky.

The Eagerbee malware framework

Kaspersky couldn’t determine the initial access vector in the Middle East attacks but reports that, in previous cases, two East Asian organizations were breached via the exploitation of the Microsoft Exchange ProxyLogon flaw (CVE-2021-26855).

The attack involves the deployment of an injector (tsvipsrv.dll) dropped in the system32 directory to load the payload file (ntusers0.dat).

Upon system start, Windows executes the injector, which then abuses the ‘Themes’ service, as well as SessionEnv, IKEEXT, and MSDTC, to write the backdoor payload in memory using DLL hijacking.

[Figure: Backdoor loading sequence. Source: Kaspersky]

The backdoor can be configured to execute at specific times, but Kaspersky says it was set to run 24/7 in the observed attacks.

Eagerbee appears on the infected system as ‘dllloader1x64.dll’ and immediately begins collecting basic information like OS details and network addresses.

Upon initialization, it establishes a TCP/SSL channel with the command-and-control (C2) server from where it can receive additional plugins that extend its functionality.

The plugins are injected into memory by a plugin orchestrator (ssss.dll), which manages their execution.
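The file names and abused services described above give a defender something concrete to check on a suspect host. As an added example (not from the article or from Kaspersky's report), this PowerShell triage script looks for those artifacts in System32 and reviews the binary paths of the named services; the rule that a legitimate service binary sits in System32 and carries a valid Microsoft signature is an assumption for a standard Windows install, and the script needs an elevated prompt.

```powershell
# Added defender triage script; not part of the Kaspersky report or this article.
# Checks the file names the article gives for the Eagerbee chain and reviews the
# services it says the injector abuses. Assumption: on a standard install every
# service binary below lives in System32 and is Microsoft-signed. Run elevated.
$sys32 = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. File artifacts named in the article (injector, payload, backdoor, plugin orchestrator)
$artifacts = 'tsvipsrv.dll', 'ntusers0.dat', 'dllloader1x64.dll', 'ssss.dll'
foreach ($name in $artifacts) {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) {
        $findings.Add("artifact present: $path")
    }
}

# 2. Binary paths of the services the injector is reported to abuse for DLL hijacking
$services = 'Themes', 'SessionEnv', 'IKEEXT', 'MSDTC'
foreach ($svc in $services) {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $image = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $dll   = (Get-ItemProperty -Path "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    foreach ($raw in @($image, $dll)) {
        if (-not $raw) { continue }
        # Normalize: drop quotes and svchost "-k group" arguments, expand %SystemRoot% / \SystemRoot
        $clean = (($raw -replace '"', '') -split '\s+-k\s+')[0].Trim()
        $clean = $clean -replace '^\\SystemRoot', $env:SystemRoot
        $file  = [Environment]::ExpandEnvironmentVariables($clean)
        if (-not $file.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("${svc}: binary outside System32 -> $file")
        }
        if ($artifacts -contains [IO.Path]::GetFileName($file)) {
            $findings.Add("${svc}: points at a named Eagerbee artifact -> $file")
        }
        if (Test-Path -LiteralPath $file) {
            # Catalog-signed Microsoft binaries report Status 'Valid'; anything else is worth a look
            $sig = Get-AuthenticodeSignature -FilePath $file
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings.Add("${svc}: unexpected signature on $file ($($sig.Status))")
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No Eagerbee indicators found in the checked locations.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

A hit on the artifact names or on a service binary outside System32 is not proof of compromise on its own; pair it with the indicators in Kaspersky's report and with memory inspection of the affected service host processes.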

The five plugins documented by Kaspersky are the following:

  1. File Manager Plugin: Handles file system operations, including listing, renaming, moving, copying, and deleting files or directories. It can adjust file permissions, inject additional payloads into memory, and execute command lines. It also retrieves detailed file and folder structures and manages volume labels and timestamps.
  2. Process Manager Plugin: Manages system processes by listing running processes, launching new ones, and terminating existing ones. It can execute command lines or modules in the security context of specific user accounts.
  3. Remote Access Manager Plugin: Facilitates remote access by enabling RDP sessions, maintaining concurrent RDP connections, and providing command shell access. It also downloads files from specified URLs and injects command shells into legitimate processes for stealth.
  4. Service Manager Plugin: Controls system services by creating, starting, stopping, deleting, or enumerating them. It can manage both standalone and shared service processes while collecting service status details.
  5. Network Manager Plugin: Monitors and lists active network connections, gathering details like state, local/remote addresses and ports, and associated process IDs for both IPv4 and IPv6 protocols.

Overall, Eagerbee is a stealthy and persistent threat that has extensive capabilities on compromised systems.

The same backdoor-loading chain was also discovered in Japan, so the attacks are global.

Organizations should patch ProxyLogon on all Exchange servers and use the indicators of compromise listed in Kaspersky’s report to catch the threat early.

