Wednesday, January 8, 2025
Kaspersky security researchers have published details of a new variant of EagerBee, a backdoor whose latest build adds stealth features and an expanded set of post-infection capabilities. It has been used against organizations in the Middle East, with Internet Service Providers (ISPs) and government agencies among the targets. EagerBee runs as a memory-resident implant to evade disk-based detection, and it hides its activity by injecting code into legitimate processes such as explorer.exe. The new variant introduces additional functionality and a set of plugins for post-compromise tasks, including deploying further payloads, enumerating the file system, executing shell commands, and managing system services. Its loader can also inject the backdoor directly into a running service.
Saurabh Sharma, a senior security researcher at Kaspersky, stated that the malware is highly sophisticated and is able to profile the infected host and report the results to its command-and-control (C2) server. The collected data includes memory details, file system information, and the access privileges of the compromised account. Kaspersky’s analysis links EagerBee to the Chinese-speaking threat group tracked as CoughingDown, which has previously used earlier versions of the backdoor against organizations in Southeast Asia to steal sensitive military and political data.
Although the researchers have not identified the initial access vector in these attacks, earlier incidents involving the same actor showed the ProxyLogon vulnerability in Microsoft Exchange Server being exploited, a widely abused route to unauthorized network access; unpatched Exchange servers therefore remain a plausible entry point to check. The release of this new EagerBee variant illustrates the continued technical development of the threat actors behind it and is a reminder for organizations to strengthen their defenses, including memory-focused detection, against increasingly sophisticated attacks.