Chinese Hackers Target Middle East with Advanced Eagerbee Malware Campaign

New Eagerbee Malware Variants Target Middle Eastern Organizations

Security researchers have identified new variants of the Eagerbee malware framework targeting government organizations and Internet Service Providers (ISPs) in the Middle East. The sophisticated attacks show potential links to the Chinese state-backed threat group ‘Crimson Palace’ and another group known as ‘CoughingDown.’

Technical Analysis

The malware deployment begins with an injector (tsvipsrv.dll) placed in the system32 directory, which loads the payload file (ntusers0.dat). The infection chain exploits Windows services through DLL hijacking, including Themes, SessionEnv, IKEEXT, and MSDTC services.

Key Capabilities:
– Continuous 24/7 operation
– Basic system information collection
– TCP/SSL channel establishment with C2 servers
– Plugin-based functionality expansion

Core Plugins and Functions:
1. File Manager: Complete file system control and manipulation
2. Process Manager: Process creation, termination, and management
3. Remote Access Manager: RDP session control and command shell access
4. Service Manager: System service administration
5. Network Manager: Network connection monitoring and analysis

Global Impact

While primarily targeting Middle Eastern organizations, the malware has also been detected in Japan. Previous attacks utilized the Microsoft Exchange ProxyLogon vulnerability (CVE-2021-26855) as an entry point.

Security Recommendations:
– Patch Exchange servers against ProxyLogon vulnerability
– Monitor systems using the indicators of compromise published by Kaspersky
– Implement robust network monitoring and security controls
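The following hunting script is an added example, not part of the article or of Kaspersky's published tooling. It checks a host for the artifacts named in the technical analysis (the tsvipsrv.dll injector in System32 and the ntusers0.dat payload) and inspects the four services named as DLL-hijacking targets. Assumptions: the payload search paths beyond System32 are guesses, the services are assumed to register their host DLL through the standard ServiceDll registry value, and the function name Invoke-EagerbeeHunt is invented here.

```powershell
function Invoke-EagerbeeHunt {
    # Returns a list of finding strings; empty means none of the checks fired.
    $findings = @()
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # 1. Named artifacts from the report. The injector path is as described;
    #    the ProgramData location for the payload is an assumption.
    $artifacts = @(
        (Join-Path $sys32 'tsvipsrv.dll'),
        (Join-Path $sys32 'ntusers0.dat'),
        (Join-Path $env:ProgramData 'ntusers0.dat')
    )
    foreach ($path in $artifacts) {
        if (Test-Path -LiteralPath $path) { $findings += "Artifact present: $path" }
    }

    # 2. Is the injector currently mapped into any process (e.g. a service host)?
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }  # protected processes
        if ($modules.ModuleName -contains 'tsvipsrv.dll') {
            $findings += "tsvipsrv.dll loaded in PID $($proc.Id) ($($proc.ProcessName))"
        }
    }

    # 3. For the services named as hijack targets, confirm the registered
    #    ServiceDll is a validly signed Microsoft binary. Services that host
    #    an EXE rather than a DLL (no ServiceDll value) are skipped.
    foreach ($svc in 'Themes', 'SessionEnv', 'IKEEXT', 'MSDTC') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        if (-not $sig -or $sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            $findings += "$svc ServiceDll $dll has unexpected signature (status=$($sig.Status), signer=$signer)"
        }
    }
    return $findings
}

# Run and print; an empty result means no indicator from this script fired.
Invoke-EagerbeeHunt
```

Run from an elevated PowerShell session so that module lists of service processes are readable; a clean result from this script does not replace a full check against the published IoC list.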

The Eagerbee framework represents a persistent and sophisticated threat requiring immediate attention from cybersecurity teams worldwide.