Security Affairs
U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Eagerbee backdoor targets govt entities and ISPs in the Middle East

Experts spotted new variants of the Eagerbee backdoor being used in attacks on government organizations and ISPs in the Middle East. Kaspersky researchers reported that new variants of the Eagerbee backdoor being used in attacks against Internet Service Providers (ISPs) and government entities in the Middle East. The Kaspersky’s analysis revealed new attack components, including […]

EAGERBEE backdoor

Experts spotted new variants of the Eagerbee backdoor being used in attacks on government organizations and ISPs in the Middle East.

Kaspersky researchers reported that new variants of the Eagerbee backdoor being used in attacks against Internet Service Providers (ISPs) and government entities in the Middle East.

The Kaspersky’s analysis revealed new attack components, including a service injector for backdoor deployment and plugins for payload delivery, file/system access, and remote control.

The initial access method is still unknown, but threat actors deployed a backdoor injector, tsvipsrv.dll, and payload ntusers0.dat via the SessionEnv service.

EAGERBEE backdoor

The service injector targets the Themes service, injecting the EAGERBEE backdoor into its memory along with the stub code to decompress the malware. It decompresses and executes the backdoor via a stub, then cleans up by restoring the original handler.

The backdoor, named dllloader1x64.dll, gathers system information, including NetBIOS name, OS details, processor architecture, and IP addresses. It uses a mutex (mstoolFtip32W) to ensure a single instance and includes a time check to plan the execution within a specified weekly schedule. However, it’s configured to run 24/7 in observed cases, checking every 15 seconds if outside the allowed execution window.

The configuration of the malware is stored in a file or hardcoded in the backdoor binary, it includes C2 server details decoded using XOR. The malicious code retrieves proxy settings from the registry, connects via proxy or directly to the C2 server, and supports SSL/TLS if configured. After establishing a TCP connection, it sends system data to the C2, which responds with the Plugin Orchestrator. The backdoor verifies the response and executes the payload without mapping it into memory.

The orchestrator injects itself, gathers additional data (domain name, memory usage, locale, time zone, process details, and plugin IDs), and reports to the C2 server. It also checks for elevated privileges and collects details on all running processes, including process IDs, thread counts, parent processes, and executable paths.

The backdoor uses plugins in the form of DLL files and export three methods using ordinals. The plugin orchestrator starts by invoking the exported method of the plugin with the ordinal number 3.

The method injects the plugin DLL into memory, initializes it via the DllMain method (ordinal 1), and then executes its functionality using the method at ordinal 2.

The orchestrator can send commands to execute to the plugins, the researchers analyzed five plugins used by the backdoor:

  1. File Manager Plugin: Handles file system operations and can modify file permissions, inject additional payloads into memory, and execute command lines.
  2. Process Manager Plugin: Manages system processes and can execute command lines or modules in the security context of specific user accounts.
  3. Remote Access Manager Plugin: Facilitates remote access by enabling RDP sessions, it can also inject command shells into legitimate processes for stealth.
  4. Service Manager Plugin: Controls system services.
  5. Network Manager Plugin: Monitors and lists active network connections.

“EAGERBEE was deployed in several organizations in East Asia. Two of these organizations were breached via the infamous ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers, after which malicious webshells were uploaded and utilized to execute commands on the breached servers.” concludes the report. “Because of the consistent creation of services on the same day via the same webshell to execute the EAGERBEE backdoor and the CoughingDown Core Module, and the C2 domain overlap between the EAGERBEE backdoor and the CoughingDown Core Module, we assess with medium confidence that the EAGERBEE backdoor is related to the CoughingDown threat group.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Eagerbee backdoor)