Hot on the heels of the re-emergence of a more advanced NonEuclid RAT variant in the cyber threat arena, a novel malware iteration known as the Eagerbee backdoor poses an increasing threat to organizations in the Middle East, primarily targeting Internet Service Providers (ISPs) and state agencies. The enhanced EAGERBEE backdoor variant can deploy payloads, scan file systems, and execute command shells, displaying significant evolution of its offensive capabilities.
Detect EAGERBEE Malware Infections
In 2024, cyberattacks surged globally, with organizations experiencing an average of 1,308 attacks per week. Additionally, the variety of malware variants and attack techniques continues to grow, with researchers recording a 30% increase in global malware volume compared to 2023. As the attack surface expands and infiltration methods become more sophisticated, proactively detecting potential intrusions has become an increasingly difficult challenge.
To help cyber defenders spot an intrusion at the earliest stages, the SOC Prime Platform for collective cyber defense offers the world’s largest collection of detection algorithms for emerging threats, backed by an advanced toolset for threat detection and hunting.
Hit the Explore Detections button below to access a curated set of Sigma rules addressing EAGERBEE infections. All the rules are mapped to the MITRE ATT&CK framework and compatible with 30+ SIEM, EDR, and Data Lake solutions. Additionally, detections are enriched with detailed metadata, including CTI references, attack timelines, audit configurations, and more.
Security engineers can also leverage Uncoder AI to streamline the IOC packaging and retrospective analysis of adversaries’ TTPs seen in EAGERBEE attacks. Instantly convert IOCs into tailored queries compatible with various SIEM, EDR, and Data Lake languages.
EAGERBEE Malware Analysis
Cybersecurity researchers uncovered a new iteration of the EAGERBEE malware framework, which has been leveraged by attackers to target ISPs and government bodies in the Middle East. The latest version of EAGERBEE (aka Thumtais) backdoor features more sophisticated capabilities, such as a service injector for backdoor deployment and plugins for payload delivery, file access, and remote control, which marks a notable advancement.
The use of the most recent malware iteration is attributed with medium confidence to a hacking group tracked as CoughingDown. EAGERBEE was initially identified by Elastic Security Labs and linked to a state-sponsored cyber-espionage group known as REF5961. It was observed in cyber-espionage attacks against Southeast Asian government agencies and linked to the Chinese nation-backed hacking collective that Sophos tracked as “Crimson Palace.” EAGERBEE was also deployed in multiple organizations in East Asia, two of which were compromised through the ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers. After the breach, malicious webshells were uploaded and used to execute commands on the affected servers.
In the latest offensive operation weaponizing EAGERBEE, an injector DLL launches the backdoor, which collects system data and exfiltrates it to a remote server over a TCP socket. The initial access vector, however, remains unclear. The server then responds with a Plugin Orchestrator that reports system data and manages running processes. It also injects, unloads, and manages plugins that execute commands for file operations, process management, remote connections, and system services.
EAGERBEE constantly adapts to strengthen its stealth, allowing it to evade traditional security measures. By embedding malicious code into legitimate processes, it keeps its command shell activity under the radar, making detection more challenging. The malware’s ongoing evolution emphasizes the critical need for enhanced cybersecurity awareness and proactive defense. The SOC Prime Platform for collective cyber defense equips organizations across multiple industry verticals, as well as individual researchers, with cutting-edge solutions to outscale cyber threats, including emerging malware variants and the growing volume of APT attacks.
The post EAGERBEE Malware Detection: New Backdoor Variant Targets Internet Service Providers and State Bodies in the Middle East appeared first on SOC Prime.