
January 7, 2025

Threat actors put ‘Eagerbee’ in bonnet of ISPs and government entities


Security researchers have observed a recent campaign in which Internet Service Providers (ISP) and government institutions in the Middle East and East Asia have been targeted with a fresh version of the ‘Eagerbee’ malware framework.

The updated Eagerbee backdoor is now capable of enumerating file systems, executing command shells, and deploying additional payloads. It can also harvest details about running processes and deploy further plugins that facilitate the execution of commands.

Since Eagerbee is primarily designed to run in memory, it is a stealthy backdoor that often evades traditional anti-virus software. Eagerbee also disguises its activity by injecting its code into legitimate processes, further minimizing the chances of detection.


At least two of the Eagerbee backdoor deployments were a result of the threat actor exploiting CVE-2021-26855, a ProxyLogon vulnerability, to drop web shells that were subsequently used to install the backdoor. It’s unclear what attack vector was used for the remaining Eagerbee compromises.

The researchers believe with ‘medium’ confidence that the Eagerbee backdoor campaign was carried out by a group named CoughingDown.

Source: The Hacker News

Analysis

CoughingDown is a cyber espionage group associated with China, also known as TA428. The group has been active since at least 2013 and is known for targeting East Asian government agencies, employing spear-phishing emails with malicious attachments to gain initial access to systems of interest.

Given that CoughingDown was previously only associated with attacks on targets based in East Asia, it appears the group has now expanded its territory to include the Middle East. However, the targeting of ISPs was the calling card of Chinese state-sponsored cyber actors in 2024, and will likely continue in 2025.

Western ISPs and telecommunications service providers (TSP) were heavily targeted by PRC-backed groups, including Salt Typhoon, which may have obtained metadata on the communication habits of millions of the compromised providers’ customers.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities, including groups sponsored by China. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.

Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
