Authors
Introduction
In our recent investigation into the EAGERBEE backdoor, we found that it was being deployed at ISPs and governmental entities in the Middle East. Our analysis uncovered new components used in these attacks, including a novel service injector designed to inject the backdoor into a running service. Additionally, we discovered previously undocumented components (plugins) deployed after the backdoor’s installation. These enabled a range of malicious activities such as deploying additional payloads, exploring file systems, executing command shells and more. The key plugins can be categorized in terms of their functionality into the following groups: Plugin Orchestrator, File System Manipulation, Remote Access Manager, Process Exploration, Network Connection Listing and Service Management.
In this blog, we provide a detailed analysis of the EAGERBEE backdoor’s capabilities, focusing on the service injector, Plugin Orchestrator module and associated plugins. We also explore potential connections of the EAGERBEE backdoor with the CoughingDown threat group.
Initial infection and spread
Unfortunately, the initial access vector used by the attackers remains unclear. However, we observed them executing commands to deploy the backdoor injector named “tsvipsrv.dll” along with the payload file ntusers0.dat, using the SessionEnv service to run the injector, as can be seen below.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
//change the creation, last access and write time, timestamp of the file to "1/8/2019 9:57" attrib.exe -s -h -a C:\users\public\ntusers0.dat powershell.exe -Command "='1/8/2019 9:57'; = 'C:\users\public\ntusers0.dat';(Get-Item ).creationtime = ;(Get-Item ).lastaccesstime = ;(Get-Item ).lastwritetime = " //set the attributes of the file (EAGERBEE backdoor) to archive (+a), system file (+s) and //hidden (+h) attrib.exe +s +h +a C:\users\public\ntusers0.dat //set the attributes of the file (loader) to archive (+a), system file (+s) and hidden //(+h) attrib.exe +s +h +a system32\tsvipsrv.dll //the malware runs now because of a DLL hijacking vulnerability, as the libraries in the //system32 directory where the malicious library is located are the first to load net.exe stop sessionenv cmd.exe /c "sc config sessionenv Start= auto" net.exe start sessionenv attrib.exe -s -h -a C:\users\public\ntusers0.dat net.exe use \\<<internal ip>>\c$ <password> /user:<username> attrib.exe +s +h +a C:\users\public\ntusers0.dat attrib.exe +s +h +a \\172.17.1.127\c$\users\public\ntusers0.dat attrib.exe -s -h -a system32\tsvipsrv.dll attrib.exe +s +h +a system32\tsvipsrv.dll attrib.exe +s +h +a \\172.17.1.127\c$\windows\system32\tsvipsrv.dll attrib.exe -s -h -a \\172.17.1.127\c$\windows\system32\tsvipsrv.dll attrib.exe +s +h +a \\172.17.1.127\c$\windows\system32\ |
Malware components
Service injector
The service injector targets the Themes service process. It first locates and opens the process, then allocates memory within it to write EAGERBEE backdoor bytes (stored in C:\users\public\ntusers0.dat) along with stub code bytes. The stub code is responsible for decompressing the backdoor bytes and injecting them into the service process memory.
To execute the stub code, the injector replaces the original service control handler with the address of the stub code in the service process memory. The stub is then triggered by sending a SERVICE_CONTROL_INTERROGATE control code to the service. After the stub completes its execution, the injector cleans up by removing the stub code from the service memory and restoring the original service control handler.
EAGERBEE backdoor
When we found the backdoor in the infected system, it was named dllloader1x64.dll. It can create a mutex with the name mstoolFtip32W if one doesn’t exist yet. After that, it starts collecting information from the system: the NetBIOS name of the local computer, OS information (major and minor version numbers, build number, platform identifier, and information about product suites and the latest service pack installed on the system), product type for the operating system on the local computer, processor architecture, and list of IPv4 and IPv6 addresses.
The backdoor has an execution day and time check. It compares the current system day and hour to the hardcoded string 0-6:00:23;6:00:23;, where the numbers mean the following:
- 0: start day of the week;
- 6: end day of the week;
- 00: start hour;
- 23: end hour.
If the execution day and hour do not match, it sleeps for 15 seconds and checks again. In the cases we’ve seen, the backdoor is configured to run 24/7.
The backdoor configuration is either stored in C:\Users\Public\iconcache.mui or hardcoded within the binary. If stored in the file, the first byte serves as the XOR key to decode the remaining data. When hardcoded, the configuration is decoded using a single-byte XOR key (0x57). This configuration includes the command-and-control (C2) hostname and port.
The backdoor retrieves the proxy host and port information for the current user by reading the registry key Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer. If proxy details are available, the backdoor connects through the proxy; otherwise it connects to the C2 server directly.
To establish communication, the backdoor creates a TCP socket capable of operating over both IPv4 and IPv6. If the C2 port has an “s” appended, an SSL session is initiated. Depending on the configuration, it may use the SCHANNEL security package, which supports SSL and TLS encryption on Windows. In this mode, it can validate server credentials (passive mode) or use local client credentials to prepare an outgoing token (active mode).
Once a connection is established, the backdoor transmits the previously collected victim-specific details to the C2 server. The server responds with a string followed by a payload known as the Plugin Orchestrator. If the response string matches a hardcoded value in the backdoor (unique to each sample), the backdoor retrieves the raw address of the first export method in the received payload and invokes it. Notably, at this stage, the payload (Plugin Orchestrator) is not yet mapped into memory.
Plugin Orchestrator
The payload downloaded by the EAGERBEE backdoor is a plugin orchestrator in the form of a DLL file with the internal name “ssss.dll” which exports a single method: “m”. As previously mentioned, EAGERBEE does not map the plugin orchestrator DLL directly into memory. Instead, it retrieves the raw address of the “m” export method and invokes it.
The “m” method of the plugin orchestrator DLL is responsible for injecting the orchestrator into memory and subsequently calling its entry point. In addition to the victim-specific data already collected, the plugin orchestrator gathers and reports to the C2 server the following additional information:
- The NetBIOS name of the domain;
- Current usage of physical and virtual memory;
- System locale and time zone settings;
- Windows character encoding;
- The current process identifier;
- Identifiers for any loaded plugins.
After transmitting this information, the plugin orchestrator also reports whether the current process has elevated privileges. It then collects details about all running processes on the system, including:
- Process identifiers;
- The number of execution threads started by each process;
- The identifier of the parent process;
- The fully qualified path of each process executable.
Once the information is sent, the plugin orchestrator waits for commands to execute. The following commands are supported:
| Command | Description |
| 06 | This command supports several sub-commands:
2: Receive and inject plugins into memory. There can be multiple plugins loaded one after another. Each plugin has an identifier. 3: Unload a specific plugin from memory, remove the plugin from the list, and free the plugin code bytes. 4: No operation. 5: Remove all plugins from the list and free the plugin code bytes. |
| 07 and 09 | Check if the plugin is loaded or not. If the plugin is loaded, then call the specified export method of the plugin. If the plugin is not loaded, then check if the plugin has been received, then load it, and call the specified export method. Otherwise, just make a plugin entry. |
Plugins
The plugins are DLL files and export three methods using ordinals. The plugin orchestrator first calls the exported method of the plugin with the ordinal number 3. This method is responsible for injecting the plugin DLL into memory. After that, the orchestrator calls the exported method of the plugin with the ordinal number 1, which is the DllMain method. This method initializes the plugin with the required data structures. Finally, it calls the exported method of the plugin with the ordinal number 2. This method implements the functionality of the plugin.
All the plugins are responsible for receiving and executing commands from the orchestrator. Below, we provide brief descriptions of the analyzed plugins and the commands supported by each of them.
File Manager Plugin
This plugin performs a wide range of file system functions, including:
- Listing drives, files and folders in the system;
- Renaming, moving, copying and deleting files;
- Setting ACLs to manage file and folder permissions;
- Reading and writing files to and from the system;
- Injecting additional payloads into memory.
The table below contains commands it accepts.
| Command | Description |
| 0x02 |
|
| 0x06 |
|
| 0x07 |
|
| 0x08 |
|
| 0x09 |
|
| 0x0A (10) |
|
| 0x0B (11) |
|
| 0x0C (12) |
|
| 0xD (13) |
|
| 0x0F (15) |
|
| 0x14 (20) |
|
| 0x22 (34) |
|
| 0x23 (35) |
|
| 0x24 (36) |
|
| 0x26 (38) |
|
Process Manager
This plugin manages process-related activities such as:
- Listing running processes in the system;
- Launching new modules and executing command lines;
- Terminating existing processes.
It accepts four commands.
| Command | Description |
| 0x10 (16) |
|
| 0x11 (17) |
|
| 0x1E (30) |
|
| 0x26 (38) |
|
Remote Access Manager
This plugin facilitates and maintains remote connections, while also providing command shell access.
| Command | Description |
| 0x0B (11) |
|
| 0x0D (13) |
|
| 0x1D (29) |
|
| 0x1E (30) |
|
| 0x21 (33) |
|
The attackers launch the command shell by injecting cmd.exe into the DllHost.exe process. The commands below were seen executed by the threat actor:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
//list all users and users in the local admin group net user net localgroup administrators //obtain system- and account-related information; the "dsquery" command implies that the //attacker got hold of a Windows server machine with the Active Directory Domain Services //(AD DS) server role installed. dsquery computer dsquery server dsquery users dsquery user systeminfo ping -n 1 <<computer name>> //establish a connection to a shared resource using stolen credentials net use \\<<ip in the network>>\admin$ <password> /user:<username> //archive the information from the shared resource rar.exe a -v100M idata001.rar -ta"20240101000000" -r -x"*.mp3" -x"*.dll" -x"*.exe" - x"*.zip" -x"*.mxf" -x"*.rar" "\\<<ip in the network>>\c$\Users\<<user name>>\Documents" "\\<<ip in the network>>\c$\Users\<<user name>>\Desktop" rar.exe a -v100M idata001.rar -ta"20240101000000" -r -x"*.mp3" -x"*.dll" -x"*.exe" - x"*.zip" -x"*.mp4" -x"*.rar" "\\<<ip in the network>>\c$\Users\<<user name>>\Documents" "<<ip in the network>>\c$\Users\<<user name>>\Desktop" |
Service Manager
This plugin manages system services, including installing, starting, stopping, deleting and listing them.
| Command | Description |
| 0x11 (17) |
|
| 0x12 (18) |
|
| 0x13 (19) |
|
| 0x14 (20) |
|
| 0x1E (30) |
|
Network Manager
This plugin lists the network connections in the system.
| Command | Description |
| 0x1E (30) | Get information about the list of IPv4 and IPv6 TCP and UDP connections:
|
Attribution
EAGERBEE was deployed in several organizations in East Asia. Two of these organizations were breached via the infamous ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers, after which malicious webshells were uploaded and utilized to execute commands on the breached servers.
In May 2023, our telemetry indicated the execution of multiple commands to start and stop system services at one of the affected organizations in East Asia. The attackers abused the legitimate Windows services MSDTC, IKEEXT and SessionEnv to execute malicious DLLs: oci.dll, wlbsctrl.dll and TSVIPSrv.dll, respectively.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
tasklist.exe net stop IKEEXT net start IKEEXT net start msdtc net stop msdtc net start msdtc NETSTAT.EXE -ano tasklist.exe ARP.EXE -a net.exe use \\[[IP REDACTED]]\admin$ ipconfig.exe /all net.exe stop IKEEXT //all privileges are assigned to the service IKEEXT, which loads the malicious DLL reg.exe add hklm\SYSTEM\CurrentControlSet\Services\IKEEXT /v RequiredPrivileges /t REG_MULTI_SZ /d SeAuditPrivilege\0SeBackupPrivilege\0SeRestorePrivilege\0SeTakeOwnershipPrivilege\0SeImper sonatePrivilege\0SeTcbPrivilege\0SeAssignPrimaryTokenPrivilege\0SeManageVolumePrivilege\0S eCreateSymbolicLinkPrivilege\0SeShutdownPrivilege /f net.exe start IKEEXT net.exe start IKEEXT NETSTAT.EXE -ano net.exe view net.exe stop IKEEXT net.exe start IKEEXT net.exe start IKEEXT net.exe start sessionenv net.exe stop sessionenv net.exe stop SessionEnv net.exe start SessionEnv net.exe start SessionEnv net.exe start SessionEnv net.exe start SessionEnv net.exe start SessionEnv net.exe stop SessionEnv net.exe stop SessionEnv |
According to our telemetry, the DLLs loaded and executed by the services IKEEXT and SessionEnv are loaders in nature, loading the EAGERBEE backdoor into memory. Similar EAGERBEE loaders targeting Japanese organizations have been described by another security vendor. Examples of files loaded by these services are provided below.
IKEEXT
| MD5 | File Name | Compilation Time | EAGERBEE Payload File |
| 5633cf714bfa4559c97fc31 3650f86dd |
wlbsctrl.dll | Monday, 23.05.2022 14:02:39 UTC) |
C:\Users\Public\Videos\< name>.mui |
| 3ccd5827b59ecd0043c112c 3aafb7b4b |
wlbsctrl.dll | Sunday, 01.01.2023 20:58:58 UTC |
%tmp%\*g.logs |
SessionEnv
| MD5 | File Name | Compilation Time | EAGERBEE Payload File |
| 67565f5a0ee1deffe0f3688 60be78e1e |
TSVIPSrv.dll | Wednesday, 25.05.2022 15:38:06 UTC |
C:\Users\Public\Videos\< name>.mui |
| 00d19ab7eed9a0ebcaab2c4 669bd34c2 |
TSVIPSrv.dll | Sunday, 01.01.2023 20:50:01 |
%tmp%\*g.logs |
The service MSDTC loaded and executed a DLL file named “ oci.dll”. By analyzing this file, we established that it was the CoughingDown Core Module.
| MD5 | File Name | Compilation Time | Description |
| f96a47747205bf25511ad96 c382b09e8 |
oci.dll | Thursday, 24.02.2022 05:18:05 UTC |
CoughingDown Core Module |
We found several clues linking the EAGERBEE backdoor to the CoughingDown group:
- One of the aforementioned DLLs, oci.dll (MD5 f96a47747205bf25511ad96c382b09e8), which is executed by abusing the legitimate MSDTC service, has a 25% match with CoughingDown samples according to the Kaspersky Threat Attribution Engine (KTAE). Analysis of the DLL reveals that it is a Core Module of multi-plugin malware developed by CoughingDown in late September 2020 and that there is indeed a significant code overlap (same RC4 key, same command numbers).
- This Core Module was configured to use the IP addresses 45.90.58[.]103 and 185.82.217[.]164 as its C2. The IP address 185.82.217[.]164 is known to be used as an EAGERBEE C2 as reported by other security vendors.
Conclusions
Malware frameworks continue to advance as threat actors develop increasingly sophisticated tools for malicious activities. Among these is EAGERBEE, a malware framework primarily designed to operate in memory. This memory-resident architecture enhances its stealth capabilities, helping it evade detection by traditional endpoint security solutions. EAGERBEE also obscures its command shell activities by injecting malicious code into legitimate processes, such as dllhost.exe, and executing it within the context of explorer.exe or the targeted user’s session. These tactics allow the malware to seamlessly integrate with normal system operations, making it significantly more challenging to identify and analyze.
In the East Asian EAGERBEE attacks, the organizations were penetrated via the ProxyLogon vulnerability. ProxyLogon remains a popular exploit method among attackers to gain unauthorized access to Exchange servers. Promptly patching this vulnerability is crucial to securing your network perimeter.
Because of the consistent creation of services on the same day via the same webshell to execute the EAGERBEE backdoor and the CoughingDown Core Module, and the C2 domain overlap between the EAGERBEE backdoor and the CoughingDown Core Module, we assess with medium confidence that the EAGERBEE backdoor is related to the CoughingDown threat group.
However, we have been unable to determine the initial infection vector or identify the group responsible for deploying the EAGERBEE backdoor in the Middle East.
IOC
Service Injector
183f73306c2d1c7266a06247cedd3ee2
EAGERBEE backdoor compressed file
9d93528e05762875cf2d160f15554f44
EAGERBEE backdoor decompress
c651412abdc9cf3105dfbafe54766c44
EAGERBEE backdoor decompress and fix
26d1adb6d0bcc65e758edaf71a8f665d
Plugin Orchestrator
cbe0cca151a6ecea47cfaa25c3b1c8a8
35ece05b5500a8fc422cec87595140a7
Domains and IPs
62.233.57[.]94
82.118.21[.]230
194.71.107[.]215
151.236.16[.]167
www.socialentertainments[.]store
www.rambiler[.]com
5.34.176[.]46
195.123.242[.]120
195.123.217[.]139
Authors
From the same authors
In the same category
EAGERBEE, with updated and novel components, targets the Middle East