Kaspersky Reports Updated EagerBee Malware Campaign Targeting Organizations in the Middle East
Security researchers have issued a warning regarding a renewed malware campaign utilizing an upgraded variant of EagerBee, which is specifically targeting internet service providers and government entities within the Middle Eastern region. This heightened threat underscores the ongoing risks posed by sophisticated cyber adversaries.
The EagerBee malware operates primarily in memory and is equipped with advanced capabilities to evade detection and stealthily extract sensitive information. According to Kaspersky, the most recently identified version features plugins that can siphon off a broad spectrum of data. The infrastructure observed in this campaign suggests a connection to the CoughingDown threat group, though little is publicly known about that group. Some experts have tentatively linked this variant to a Chinese threat actor known as TA428.
EagerBee first surfaced in 2023, when the security firm Elastic reported its activity as part of a cyber campaign aimed at organizations in Mongolia. The malware framework is believed to have been active since at least 2022 and has ties to multiple groups, including those tracked under names such as LuckyMouse, Emissary Panda, and APT27, all notably associated with Chinese state-sponsored hacking efforts.
While Kaspersky investigators could not definitively confirm the initial entry method used by the attackers, evidence suggests that at least two victims were compromised through the Microsoft Exchange ProxyLogon vulnerability. Researchers noted, “Although the primary ingress point used by the attackers is not fully understood, we have documented how they executed commands to implement the backdoor.”
The operation proceeds by employing a remote desktop configuration, through which the malware collects key system details and determines the host's proxy settings. If proxy information is available, the backdoor uses it to connect; otherwise, it establishes a direct link to the command-and-control (C2) server.
Once connected, EagerBee employs a TCP socket to exfiltrate system data. The malware server deploys a payload known as the plugin orchestrator into the system’s memory, verifying whether the necessary plugins are operational. Following this verification, the orchestrator installs a variety of functionalities, including file management, process manipulation, and network management, enabling extensive operational capabilities such as file transfers and process terminations.
Kaspersky emphasizes that patching the ProxyLogon vulnerability should be a priority for organizations seeking to mitigate the impact of the latest EagerBee threats. In light of these developments, business leaders should remain vigilant and strengthen their cybersecurity measures against persistent threats like EagerBee, whose tactics, including initial access and remote execution, map to techniques catalogued in the MITRE ATT&CK framework.