A complicated persistent risk (APT) group from China has been attributed to the compromise of a Philippines-based navy firm utilizing a beforehand undocumented fileless malware framework known as EggStreme.
“This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code straight into reminiscence and leveraging DLL sideloading to execute payloads,” Bitdefender researcher Bogdan Zavadovschi mentioned in a report shared with The Hacker Information.
“The core part, EggStremeAgent, is a full-featured backdoor that allows in depth system reconnaissance, lateral motion, and knowledge theft by way of an injected keylogger.”
The concentrating on of the Philippines is one thing of a recurring sample for Chinese language state-sponsored hacking teams, significantly in mild of geopolitical tensions fueled by territorial disputes within the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei.
The Romanian cybersecurity vendor, which first detected indicators of malicious exercise in early 2024, described EggStreme as a tightly built-in set of malicious parts that is engineered to determine a “resilient foothold” on contaminated machines.
The place to begin of the multi-stage operation is a payload known as EggStremeFuel (“mscorsvc.dll”) that conducts system profiling and deploys EggStremeLoader to arrange persistence after which executes EggStremeReflectiveLoader, which, in flip, triggers EggStremeAgent.
EggStremeFuel’s capabilities are realized by opening an energetic communication channel with a command-and-control (C2), enabling it to –
- Get drive info
- Begin cmd.exe and set up communication by way of pipes
- Gracefully shut all connections and shutdown
- Learn a file from server and reserve it to disk
- Learn an area file from a given path and transmit its content material
- Ship the exterior IP handle by making a request to myexternalip[.]com/uncooked
- Dump the in-memory configuration to disk
Calling EggStremeAgent the “central nervous system” of the framework, the backdoor works by monitoring new person periods and injects a keylogger part dubbed EggStremeKeylogger for every session to reap keystrokes and different delicate knowledge. It communicates with a C2 server utilizing the Google Distant Process Name (gRPC) protocol.
It helps a powerful 58 instructions that allow a broad vary of capabilities to facilitate native and community discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral motion, knowledge exfiltration, and payload injection, together with an auxiliary implant codenamed EggStremeWizard (“xwizards.dll”).
“The attackers use this to launch a legit binary that sideloads the malicious DLL, a way they constantly abuse all through the assault chain,” Zavadovschi famous.
“This secondary backdoor supplies reverse shell entry and file add/obtain capabilities. Its design additionally incorporates an inventory of a number of C2 servers, enhancing its resilience and guaranteeing that communication with the attacker may be maintained even when one C2 server is taken offline.”
The exercise can be characterised by way of the Stowaway proxy utility to determine an inside community foothold. Complicating detection additional is the fileless nature of the framework, inflicting malicious code to be loaded and executed straight in reminiscence with out leaving any traces on disk.
“This, coupled with the heavy use of DLL side-loading and the delicate, multi-stage execution circulation, permits the framework to function with a low profile, making it a big and protracted risk,” Bitdefender mentioned.
“The EggStreme malware household is a extremely refined and multi-component risk designed to attain persistent entry, lateral motion, and knowledge exfiltration. The risk actor demonstrates a complicated understanding of recent defensive methods by using a wide range of ways to evade detection.”
