Chinese APT deploys EggStreme fileless malware to breach Philippine military systems

September 10, 2025Ravi LakshmananCybersecurity/Malware

A China-linked advanced persistent threat (APT) group has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme.

"This multi-stage toolset delivers sustained and low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads," Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News.

"The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger."

The targeting of the Philippines fits a recurring pattern of Chinese state-sponsored hacking groups, set against the geopolitical tensions driven by the South China Sea territorial disputes involving China, Vietnam, the Philippines, Taiwan, Malaysia and Brunei.

However, the latest activity has not been attributed to a known Chinese hacking group. "We put a considerable amount of effort into our attribution efforts, but we couldn't find anything," Martin Zugec, technical solutions director at Bitdefender, told The Hacker News. "However, the objective is consistent with China-aligned interests. In this regard, our attribution is based on interest/purpose."

The Romanian cybersecurity vendor, which first detected signs of the malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components designed to establish "resilient scaffolding" on infected machines.

The starting point of the multi-stage operation is a payload called EggStremeFuel ("mscorsvc.dll"), which performs system profiling and deploys EggStremeLoader to set up persistence. EggStremeLoader in turn runs a second-stage loader that launches EggStremeAgent.

EggStremeFuel's functionality is driven by an active communication channel to the command-and-control (C2) server, through which it can:

  • Start cmd.exe
  • Retrieve drive information
  • Establish communication through a pipe
  • Gracefully close all connections
  • Read files from the server and save them to disk
  • Read local files from a specified path and send their contents
  • Send the host's external IP address, obtained by making a request to myexternalip[.]com/raw
  • Dump the in-memory configuration to disk

Described by Bitdefender as the framework's "central nervous system," the EggStremeAgent backdoor monitors for new user sessions and injects into each one a keylogger component called EggStremeKeylogger to harvest keystrokes and other sensitive data. It communicates with the C2 server using the gRPC (Google Remote Procedure Call) protocol.

It supports an impressive 58 commands, enabling a wide range of functions that include local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection, among them the deployment of an auxiliary implant known as EggStremeWizard ("xwizards.dll").

"Attackers use this to launch legitimate binaries that sideload malicious DLLs, a technique that is consistently exploited across the attack chain," Zavadovschi pointed out.

"This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers to increase resilience and to maintain communication with the attacker even when a single C2 server is taken offline."
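Two of the indicators above are cheap to hunt for in telemetry you probably already collect: the report's DLL file names ("mscorsvc.dll" for EggStremeFuel, "xwizards.dll" for EggStremeWizard) loaded from somewhere other than the Windows directories, and the external-IP lookup against myexternalip[.]com/raw. The script below is an added example, not Bitdefender's code or tooling; the Sysmon-style image-load records and the five-field proxy log format it parses are constructed here, and the trusted-directory list is an assumption about a stock Windows install that you should widen for your own estate.

```python
"""Hunt for EggStreme-style DLL sideloading and external-IP checks in telemetry.

Added example; not part of the Bitdefender report. Input formats are constructed:
Sysmon-like Event ID 7 (image load) dictionaries and a simplified proxy log.
"""
import ntpath
from urllib.parse import urlsplit

# DLL names the report ties to sideloaded EggStreme components:
# EggStremeFuel ships as mscorsvc.dll, EggStremeWizard as xwizards.dll.
SIDELOAD_WATCHLIST = {"mscorsvc.dll", "xwizards.dll"}

# Where DLLs carrying these Microsoft names legitimately live on a stock
# install (assumption; extend for your own environment).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
)

# Refanged form of the myexternalip[.]com/raw indicator from the report.
EXTERNAL_IP_HOST = "myexternalip.com"


def is_suspicious_load(event: dict) -> bool:
    """True when a watchlisted DLL name is loaded from outside the trusted
    Windows directories or without a valid signature: the classic sideload
    shape of a legitimate EXE copied next to a renamed malicious DLL."""
    path = event["ImageLoaded"].replace("/", "\\").lower()
    if ntpath.basename(path) not in SIDELOAD_WATCHLIST:
        return False
    from_trusted_dir = path.startswith(TRUSTED_PREFIXES)
    signed = str(event.get("Signed", "false")).lower() == "true"
    return not (from_trusted_dir and signed)


def find_sideloads(events: list[dict]) -> list[dict]:
    """Return (process, dll) pairs for suspicious image-load events."""
    return [
        {"process": ev["Image"], "dll": ev["ImageLoaded"]}
        for ev in events
        if ev.get("EventID") == 7 and is_suspicious_load(ev)
    ]


def find_external_ip_checks(proxy_lines: list[str]) -> list[tuple[str, str]]:
    """Return (client_ip, url) for requests to the external-IP lookup host.
    Constructed line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client_ip, url = parts[1], parts[3]
        host = (urlsplit(url).hostname or "").lower()
        if host == EXTERNAL_IP_HOST or host.endswith("." + EXTERNAL_IP_HOST):
            hits.append((client_ip, url))
    return hits


# Constructed sample telemetry: one benign load from the .NET directory,
# two sideload-shaped loads from user-writable paths, one unrelated DLL,
# and one non-image-load event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll",
     "Signed": "true"},
    {"EventID": 7, "Image": r"C:\ProgramData\Cache\mscorsvw.exe",
     "ImageLoaded": r"C:\ProgramData\Cache\mscorsvc.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\Public\xwizard.exe",
     "ImageLoaded": r"C:\Users\Public\xwizards.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

SAMPLE_PROXY_LOG = [
    "2025-09-08T03:12:44Z 10.20.3.17 GET http://myexternalip.com/raw 200",
    "2025-09-08T03:12:50Z 10.20.3.17 GET https://intranet.example.local/manifest 200",
    "2025-09-08T03:13:01Z 10.20.3.40 GET https://myexternalip.com/raw 200",
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("sideload candidate:", hit)
    for ip, url in find_external_ip_checks(SAMPLE_PROXY_LOG):
        print("external-IP check:", ip, url)
```

The path check matters more than the name match: both DLL names are legitimate Microsoft file names, so alerting on the name alone would page you for every .NET NGEN run. Treat an unsigned copy of either name under ProgramData, Users or Temp, loaded by a signed Microsoft EXE from the same directory, as a strong sideloading signal, and pivot from the proxy hits to the host's image-load history for the same time window.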

The activity is also characterized by the use of the Stowaway proxy utility to establish a foothold in the internal network. Further complicating detection is the fileless nature of the framework, which loads and executes malicious code directly in memory without leaving traces on disk.

"This, coupled with the heavy use of DLL sideloading and sophisticated multi-stage execution flows, makes the framework inconspicuous and a critical and lasting threat," Bitdefender said.

"The EggStreme malware family is a highly refined, multi-component threat designed to achieve sustained access, lateral movement, and data exfiltration. The threat actors demonstrate a sophisticated understanding of modern defense techniques by employing a variety of tactics to avoid detection."

(The story was updated after publication to include additional insights from Bitdefender.)