Eagerbee backdoor deployed against Middle Eastern govt orgs, ISPs

Share:

New variants of the Eagerbee malware framework are being deployed against government organizations and internet service providers (ISPs) in the Middle East.

Previously, the malware was seen in attacks conducted by Chinese state-backed threat actors who Sophos tracked as ‘Crimson Palace.’

According to a new report by Kaspersky researchers, there’s a potential connection to a threat group they call ‘CoughingDown,’ based on code similarities and IP address overlaps.

“Because of the consistent creation of services on the same day via the same webshell to execute the EAGERBEE backdoor and the CoughingDown Core Module, and the C2 domain overlap between the EAGERBEE backdoor and the CoughingDown Core Module, we assess with medium confidence that the EAGERBEE backdoor is related to the CoughingDown threat group” explains Kaspersky

The Eagerbee malware framework

Kaspersky couldn’t determine the initial access vector in the Middle East attacks but reports that, in previous cases, two East Asian organizations were breached via the exploitation of the Microsoft Exchange ProxyLogon flaw (CVE-2021-26855).

The attack involves the deployment of an injector (tsvipsrv.dll) dropped in the system32 directory to load the payload file (ntusers0.dat).

Upon system start, Windows executes the injector, which then abuses the ‘Themes’ service, as well as SessionEnv, IKEEXT, and MSDTC, to write the backdoor payload in memory using DLL hijacking.

Backdoor loading sequence
Backdoor loading sequence
Source: Kaspersky

The backdoor can be configured to execute at specific times, but Kaspersky says it was set to run 24/7 in the observed attacks.

Eagerbee appears on the infected system as ‘dllloader1x64.dll’ and immediately begins collecting basic information like OS details and network addresses.

Upon initialization, it establishes a TCP/SSL channel with the command-and-control (C2) server from where it can receive additional plugins that extend its functionality.

The plugins are injected into memory by a plugin orchestrator (ssss.dll), which manages their execution.

The five plugins documented by Kaspersky are the following:

  1. File Manager Plugin: Handles file system operations, including listing, renaming, moving, copying, and deleting files or directories. It can adjust file permissions, inject additional payloads into memory, and execute command lines. It also retrieves detailed file and folder structures and manages volume labels and timestamps.
  2. Process Manager Plugin: Manages system processes by listing running processes, launching new ones, and terminating existing ones. It can execute command lines or modules in the security context of specific user accounts.
  3. Remote Access Manager Plugin: Facilitates remote access by enabling RDP sessions, maintaining concurrent RDP connections, and providing command shell access. It also downloads files from specified URLs and injects command shells into legitimate processes for stealth.
  4. Service Manager Plugin: Controls system services by creating, starting, stopping, deleting, or enumerating them. It can manage both standalone and shared service processes while collecting service status details.
  5. Network Manager Plugin: Monitors and lists active network connections, gathering details like state, local/remote addresses and ports, and associated process IDs for both IPv4 and IPv6 protocols.

Overall, Eagerbee is a stealthy and persistent threat that has extensive capabilities on compromised systems.

The same backdoor-loading chain was also discovered in Japan, so the attacks are global.

Organizations should patch ProxyLogon on all Exchange servers and use the indicators of compromise listed in Kaspersky’s report to catch the threat early.

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
9:49 am, Jul 11, 2025
weather icon 26°C
L: 24° | H: 28°
few clouds
Humidity: 53 %
Pressure: 1021 mb
Wind: 4 mph SSE
Wind Gust: 7 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 13%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 4:56 am
Sunset: 9:15 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
24° | 28°°C 0 mm 0% 8 mph 52 % 1021 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
18° | 30°°C 0 mm 0% 9 mph 65 % 1018 mb 0 mm/h
Sun Jul 13 10:00 pm
weather icon
17° | 27°°C 0 mm 0% 7 mph 73 % 1014 mb 0 mm/h
Mon Jul 14 10:00 pm
weather icon
20° | 29°°C 0 mm 0% 14 mph 71 % 1017 mb 0 mm/h
Tue Jul 15 10:00 pm
weather icon
15° | 27°°C 0 mm 0% 13 mph 71 % 1021 mb 0 mm/h
Today 10:00 am
weather icon
25° | 26°°C 0 mm 0% 3 mph 52 % 1021 mb 0 mm/h
Today 1:00 pm
weather icon
27° | 29°°C 0 mm 0% 3 mph 47 % 1021 mb 0 mm/h
Today 4:00 pm
weather icon
30° | 31°°C 0 mm 0% 5 mph 34 % 1019 mb 0 mm/h
Today 7:00 pm
weather icon
28° | 28°°C 0 mm 0% 5 mph 28 % 1017 mb 0 mm/h
Today 10:00 pm
weather icon
22° | 22°°C 0 mm 0% 8 mph 47 % 1019 mb 0 mm/h
Tomorrow 1:00 am
weather icon
18° | 18°°C 0 mm 0% 4 mph 55 % 1018 mb 0 mm/h
Tomorrow 4:00 am
weather icon
19° | 19°°C 0 mm 0% 4 mph 65 % 1018 mb 0 mm/h
Tomorrow 7:00 am
weather icon
19° | 19°°C 0 mm 0% 6 mph 64 % 1018 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€100,830.54
5.96%
Ethereum(ETH)
€2,553.26
7.01%
Tether(USDT)
€0.85
0.01%
XRP(XRP)
€2.21
5.39%
Solana(SOL)
€139.88
3.03%
USDC(USDC)
€0.85
0.00%
Dogecoin(DOGE)
€0.168540
8.14%
Shiba Inu(SHIB)
€0.000011
6.28%
Pepe(PEPE)
€0.000011
14.34%
Peanut the Squirrel(PNUT)
€0.246894
20.17%
Scroll to Top