Internet service providers (ISPs) and government organizations in the Middle East have been targeted using an updated variant of the EAGERBEE malware system.
A new version of EAGERBEE (aka Tumtais) comes with various components that allow the backdoor to deploy additional payloads, enumerate filesystems, and execute shell commands, showing significant evolution.
“The main plug-ins can be divided according to their functionality into the following groups: plug-in orchestrator, file system manipulation, remote access manager, process study, list of network connections and service management,” Kaspersky researchers Saurabh Sharma and Vasil Berdnikov said in an analysis.
The Russian cybersecurity firm has attributed the backdoor with medium confidence to a threat actor tracked as CoughingDown.
EAGERBEE was first documented by Elastic Security Labs, which attributed it to a state-sponsored, espionage-oriented intrusion set called REF5961. Described as a “technically simple backdoor” with forward and reverse C2 and SSL encryption capabilities, it is designed to perform basic system enumeration and deliver subsequent executables for post-exploitation.
A variant of the malware was later spotted in attacks by a Chinese state-aligned threat cluster tracked as Cluster Alpha, as part of a wider cyber espionage operation codenamed Crimson Palace aimed at stealing sensitive military and political secrets from a high-profile government organization in Southeast Asia.
Cluster Alpha, according to Sophos, overlaps with threat clusters tracked as BackdoorDiplomacy, REF5961, Worok and TA428. BackdoorDiplomacy is known to share tactical similarities with another Chinese-speaking group codenamed CloudComputating (aka Faking Dragon), which has been linked to a multi-plugin malware framework called QSC in attacks targeting the telecommunications industry in South Asia.
“QSC is a modular structure where only the bootloader remains on disk and the kernel and network modules are always in memory,” Kaspersky noted in November 2024. “Using a plugin-based architecture gives attackers the ability to control which plugin (module) is loaded into memory on demand based on their target of interest.”
In the latest set of attacks involving EAGERBEE, an injector DLL is used to launch the backdoor module, which then collects system information and exfiltrates the details to a remote server over a TCP socket.
The server then responds with a Plugin Orchestrator which, in addition to reporting system-related information to the server (such as the NetBIOS domain name, physical and virtual memory usage, and system locale and time zone settings), collects detailed information about running processes and waits for further instructions, including:
- Receive plugins and inject them into memory
- Unload a specific plugin from memory, or remove a plugin from the list
- Remove all plugins from the list
- Check whether a given plugin is loaded
“All plugins are responsible for receiving and executing commands from the orchestrator,” the researchers said, adding that they perform file operations, manage processes, maintain remote connections, manage system services, and list network connections.
Kaspersky said it also observed EAGERBEE being deployed at several organizations in East Asia, two of which were compromised via the ProxyLogon vulnerability (CVE-2021-26855) to drop web shells that were then used to execute commands on the servers, eventually leading to the deployment of the backdoor.
“Among them is EAGERBEE, a malware system designed primarily to operate in memory,” the researchers noted. “This resident architecture extends its stealth capabilities, helping to avoid detection by traditional endpoint security solutions.”
“EAGERBEE also hides its activity in a command shell, injecting malicious code into legitimate processes. These tactics allow malware to seamlessly integrate into normal system operations, making identification and analysis much more difficult.”