An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme.
“This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads,” Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News.
“The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.”
The targeting of the Philippines is something of a recurring pattern for Chinese state-sponsored hacking groups, particularly in light of geopolitical tensions fueled by territorial disputes in the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei.
The Romanian cybersecurity vendor, which first detected signs of malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components that’s engineered to establish a “resilient foothold” on infected machines.
The starting point of the multi-stage operation is a payload called EggStremeFuel (“mscorsvc.dll”) that conducts system profiling and deploys EggStremeLoader to set up persistence and then executes EggStremeReflectiveLoader, which, in turn, triggers EggStremeAgent.
EggStremeFuel’s functions are realized by opening an active communication channel with a command-and-control (C2), enabling it to –
- Get drive information
- Start cmd.exe and establish communication via pipes
- Gracefully close all connections and shutdown
- Read a file from server and save it to disk
- Read a local file from a given path and transmit its content
- Send the external IP address by making a request to myexternalip[.]com/raw
- Dump the in-memory configuration to disk
Calling EggStremeAgent the “central nervous system” of the framework, the backdoor works by monitoring new user sessions and injects a keylogger component dubbed EggStremeKeylogger for each session to harvest keystrokes and other sensitive data. It communicates with a C2 server using the Google Remote Procedure Call (gRPC) protocol.
It supports an impressive 58 commands that enable a broad range of capabilities to facilitate local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection, including an auxiliary implant codenamed EggStremeWizard (“xwizards.dll”).
“The attackers use this to launch a legitimate binary that sideloads the malicious DLL, a technique they consistently abuse throughout the attack chain,” Zavadovschi noted.
“This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience and…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
