Chinese APT Targets Philippine Military Contractor with New EggStreme Fileless Malware

Bitdefender has detected a new fileless malware dubbed EggStreme, employed by a China-based advanced persistent threat (APT) group, targeting the Philippine military and various organizations across the Asia-Pacific region.

Researchers from Bitdefender discovered the EggStreme malware framework during an investigation into a breach at a Philippine military contractor. The malware is designed as a cohesive system rather than a collection of isolated threats. It operates sequentially, starting with a loader named EggStremeFuel, which sets up the necessary environment for subsequent stages. Ultimately, the attackers deploy EggStremeAgent, a sophisticated backdoor capable of performing reconnaissance, exfiltrating data, and altering or deleting critical files.

Fileless Malware

Bitdefender's technical report notes that EggStreme executes its payloads in a fileless manner. Some encrypted modules do reside on disk, but the malicious code is decrypted and run directly in memory, so no cleartext payload is ever written to the file system. Combined with DLL sideloading (loading a malicious DLL through a legitimate, signed executable), this execution model leaves little for file-based scanning to find and shifts detection onto memory and behavioural telemetry.

The primary backdoor, EggStremeAgent, supports 58 commands covering system reconnaissance, file manipulation, command execution and the injection of additional payloads. Each time a new user session starts, it injects a keylogger into explorer.exe, from which it captures keystrokes and clipboard content. The backdoor communicates with its command-and-control servers over encrypted gRPC (an open-source RPC framework that runs over HTTP/2), so its C2 traffic resembles ordinary application API traffic.

EggStremeWizard Backdoor and Stowaway Proxy

To strengthen their foothold, the attackers deploy a secondary, lightweight backdoor named EggStremeWizard. It is loaded through another DLL sideloading chain, this time abusing the legitimate Windows binary xwizard.exe, and it keeps a list of fallback C2 servers so that it survives the loss of a single server. Paired with Stowaway, an open-source multi-hop proxy tool, this gives the attackers a way to route traffic through compromised hosts inside the victim's network, bypassing network segmentation and firewall controls.
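Two of the behaviours described above, xwizard.exe sideloading a DLL and a remote thread being created in explorer.exe, are visible in ordinary endpoint telemetry. The following is an added example of hunting logic over Sysmon-style events; it is not Bitdefender's detection content and not code from the report. The event shape, the trusted-directory list and all file paths in the sample events are constructed for illustration.

```python
"""Hunting logic for xwizard.exe DLL sideloading and explorer.exe injection.

Works on a simplified Sysmon event model: event_id 7 = ImageLoad (a process
loaded a DLL), event_id 8 = CreateRemoteThread (a process started a thread in
another process). All sample events below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which a signed Windows binary normally loads its DLLs.
# Assumption for this example; a production rule would also cover locale
# and driver-store paths that the environment legitimately uses.
TRUSTED_DLL_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

# The legitimate binary abused for sideloading in the campaign.
LOLBIN = "xwizard.exe"


@dataclass
class Event:
    event_id: int   # 7 = ImageLoad, 8 = CreateRemoteThread
    image: str      # full path of the process performing the action
    target: str     # DLL path (event 7) or target process image (event 8)


def _under(path: str, roots) -> bool:
    """True if `path` lives somewhere below one of `roots`."""
    p = PureWindowsPath(path)
    return any(r in p.parents for r in roots)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_sideload(ev: Event) -> bool:
    """xwizard.exe loading a DLL from outside the OS directories."""
    if ev.event_id != 7 or _basename(ev.image) != LOLBIN:
        return False
    return not _under(ev.target, TRUSTED_DLL_DIRS)


def is_relocated_lolbin(ev: Event) -> bool:
    """A copy of xwizard.exe running from a non-system path.

    Attackers typically copy the signed binary next to their DLL so that the
    loader search order picks the malicious file first.
    """
    return _basename(ev.image) == LOLBIN and not _under(ev.image, TRUSTED_DLL_DIRS)


def is_explorer_injection(ev: Event) -> bool:
    """A remote thread created in explorer.exe by a different process.

    A real rule needs an allowlist for known legitimate injectors (for example
    csrss.exe and endpoint-security agents); this example has none.
    """
    if ev.event_id != 8 or _basename(ev.target) != "explorer.exe":
        return False
    return _basename(ev.image) != "explorer.exe"


def hunt(events):
    """Return (rule, image, target) for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_sideload(ev):
            hits.append(("dll_sideload", ev.image, ev.target))
        if is_relocated_lolbin(ev):
            hits.append(("relocated_lolbin", ev.image, ev.target))
        if is_explorer_injection(ev):
            hits.append(("explorer_injection", ev.image, ev.target))
    return hits


# Constructed sample telemetry (paths are illustrative, not IOCs).
SAMPLE_EVENTS = [
    # Benign: the genuine xwizard.exe loading a system DLL.
    Event(7, r"C:\Windows\System32\xwizard.exe", r"C:\Windows\System32\kernel32.dll"),
    # Suspicious: a copied xwizard.exe loading a DLL from a user-writable folder.
    Event(7, r"C:\Users\Public\Libraries\xwizard.exe", r"C:\Users\Public\Libraries\helper.dll"),
    # Benign: explorer.exe creating a thread in itself.
    Event(8, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    # Suspicious: an unknown binary creating a remote thread in explorer.exe.
    Event(8, r"C:\ProgramData\svc\loader.exe", r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for rule, image, target in hunt(SAMPLE_EVENTS):
        print(f"{rule:20} {image} -> {target}")
```

The two sideloading rules deliberately key on where the files live rather than on a DLL name, because the legitimate binary is unchanged and the malicious DLL can be renamed freely; the injection rule is where false positives concentrate, so tune its allowlist against a baseline before alerting on it.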

Bitdefender has noted that this cyber campaign remains active and urges organizations in the region to utilize the published indicators of compromise. Essential technical information is accessible via Bitdefender’s IntelliZone Portal.

Cyber Attacks Against The Philippines

The Philippines has been facing a sustained wave of cyber threats, not solely from sophisticated toolkits like EggStreme but also from broader hacktivist and disinformation campaigns linked to ongoing tensions in the South China Sea. The nation has seen cyberattacks surge by over 300% in early 2024, coinciding with these disputes. The emergence of the EggStreme malware underscores that the threats are part of a larger, ongoing assault against the country’s cyber and military infrastructure.

The behaviours Bitdefender describes map onto several MITRE ATT&CK techniques: DLL side-loading for execution and defence evasion (T1574.002, Hijack Execution Flow: DLL Side-Loading), in-memory payload execution and injection into explorer.exe (T1055, Process Injection), keystroke and clipboard capture (T1056.001, Input Capture: Keylogging, and T1115, Clipboard Data), encrypted gRPC command-and-control (T1573, Encrypted Channel) and internal pivoting through Stowaway (T1090, Proxy). The report does not detail the initial access vector, so that stage should not be assumed. Taken together, the modular framework and the emphasis on long-lived covert access and data theft point to a well-resourced APT group focused on espionage.
