Eagerbee Backdoor Deployed Against Middle Eastern Govt Orgs, ISPs
Summary:
Kaspersky researchers recently identified a campaign against ISPs and governmental entities in the Middle East while investigating the EAGERBEE backdoor. Their analysis uncovered new components used in these attacks, including an undocumented service injector designed to inject the backdoor into a running service, and five plugins injected into memory after the backdoor is installed that enable a range of malicious activities, among them deploying additional payloads, exploring file systems, and executing command shells. The analysis focuses on the novel service injector and the Plugin Orchestrator module, and it also presents evidence of potential connections between the EAGERBEE backdoor and CoughingDown threat group infrastructure.
Although the initial access vector used by the attackers is unclear, they were observed executing commands to deploy the backdoor injector in the system32 directory and using the remote desktop configuration service, SessionEnv, to run the injector. Upon system start, Windows executes the injector, which then abuses the 'Themes' service, as well as SessionEnv, IKEEXT, and MSDTC, to write the backdoor payload into memory using DLL hijacking. In the observed attacks, the backdoor was configured to execute 24/7. EAGERBEE appears on the infected system as 'dllloader1x64.dll' and immediately begins collecting basic information such as OS details and network addresses. Once initial access is achieved, EAGERBEE is difficult to detect and persists on the host, where it can cause significant damage to the confidentiality, integrity, and availability of an organization's data.
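The persistence described above hinges on the DLL each abused service loads. As an added defensive check that is not from this page or Kaspersky's report, the PowerShell below lists the service binary of each named service, verifies its location and Authenticode signature, and looks for the reported in-memory module name; the registry value names, the System32 location test and the Microsoft-signer test are assumptions about a standard Windows host, and injected code need not show up as a loaded module.

```powershell
# Added example (not from the Kaspersky report). Assumptions: svchost-hosted services
# (Themes, SessionEnv, IKEEXT) expose ServiceDll under ...\Services\<name>\Parameters;
# MSDTC runs its own executable, so ImagePath is used as the fallback. Run elevated.
$Services   = @('Themes', 'SessionEnv', 'IKEEXT', 'MSDTC')
$ModuleName = 'dllloader1x64.dll'   # in-memory name reported for the backdoor
$System32   = Join-Path $env:SystemRoot 'System32'

function Test-ServiceBinary {
    param([string]$Name)
    $base   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $params = Get-ItemProperty -Path "$base\Parameters" -ErrorAction SilentlyContinue
    $main   = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    # Prefer the hosted DLL; fall back to the service executable.
    $raw = if ($params -and $params.ServiceDll) { $params.ServiceDll } else { $main.ImagePath }
    if (-not $raw) { return [pscustomobject]@{ Service=$Name; Path=$null; Status='NoPath'; Suspicious=$true } }
    # Keep only the binary path (drop quotes and arguments), then expand %SystemRoot% etc.
    $path = $raw.Trim('"')
    if ($raw -match '^"?([^"]+?\.(dll|exe))') { $path = $Matches[1] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Service=$Name; Path=$path; Status='Missing'; Suspicious=$true }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # A hijacked service DLL is typically unsigned, not Microsoft-signed, or outside System32.
    $bad = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft') -or
           (-not $path.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase))
    [pscustomobject]@{ Service=$Name; Path=$path; Status=$sig.Status; Signer=$signer; Suspicious=$bad }
}

# 1) Service binary review for the services the campaign abused.
$Services | ForEach-Object { Test-ServiceBinary -Name $_ } | Format-Table -AutoSize

# 2) Any process that has the reported module name loaded (protected processes are skipped).
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        if ($_.Modules.ModuleName -contains $ModuleName) {
            [pscustomobject]@{ PID=$_.Id; Process=$_.ProcessName; Module=$ModuleName }
        }
    } catch { }   # access denied on some system processes is expected
} | Format-Table -AutoSize
```

Treat any row marked Suspicious as a lead for a full memory and timeline review of that host rather than as proof of compromise on its own.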
Security Officer Comments:
The use of modular plugins following the deployment of the EAGERBEE backdoor underscores the campaign's multi-stage infection process and persistence. Yoshihiro Ishikawa from Lac Watch had already discovered this same infection chain in an attack against organizations in Japan, indicating that this is a global threat targeting multiple countries. EAGERBEE was also deployed in several organizations in East Asia. Two of these organizations were breached via the infamous ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers, after which malicious webshells were uploaded and used to execute commands on the breached servers. Organizations are recommended to patch ProxyLogon on all Microsoft Exchange servers and to use the indicators of compromise listed in Kaspersky's report to detect the threat early.
Suggested Corrections:
IOCs for this campaign are available in Kaspersky's Securelist report (linked below).
- Use strong passwords: Use a password manager to create strong, unique passwords, and enable two-factor authentication.
- Use a firewall: A firewall monitors incoming and outgoing traffic and can block suspicious activity.
- Use an anti-malware program: An anti-malware program can detect and remove viruses, malware, and Trojans.
- Monitor the network and use endpoint protection software: Have a network monitoring policy in place to audit security solutions and update technology.
- Implement access controls: Limit user privileges to prevent unauthorized access.
Link(s):
https://www.bleepingcomputer.com/news/security/eagerbee-backdoor-deployed-against-middle-eastern-govt-orgs-isps/
https://securelist.com/eagerbee-backdoor/115175/
https://www.lac.co.jp/lacwatch/report/20240605_004019.html