EAGERBEE Malware
A newly updated version of the EAGERBEE malware framework has been observed targeting Internet Service Providers (ISPs) and government organizations in the Middle East.
This latest iteration, also known as Thumtais, includes a range of components that enable it to deploy additional payloads, explore file systems, and execute command shells. These enhancements mark a significant advancement in its capabilities.
Modular Design and Functional Categories
The backdoor relies on key plugins, which can be grouped based on their functions: Plugin Orchestrator, File System Manipulation, Remote Access Manager, Process Exploration, Network Connection Listing and Service Management. Cybersecurity researchers have linked EAGERBEE with medium confidence to a threat group known as CoughingDown.
Initially, EAGERBEE was associated with a state-sponsored cyber-espionage group designated REF5961. This backdoor, though technically straightforward, supports both forward and reverse command-and-control channels with SSL encryption. It is primarily designed for system reconnaissance and to facilitate the delivery of additional executables for post-exploitation activities.
Espionage Operations and Connections to Cluster Alpha
Later investigations revealed that a modified version of EAGERBEE was deployed in cyber espionage campaigns attributed to a Chinese state-affiliated threat actor known as Cluster Alpha. This operation, codenamed Crimson Palace, aimed to extract sensitive political and military intelligence from a high-profile government agency in Southeast Asia.
Cluster Alpha exhibits overlaps with other cyber-espionage groups, including BackdoorDiplomacy, REF5961, Worok and TA428. Notably, BackdoorDiplomacy shares tactical characteristics with CloudComputating (also called Faking Dragon), a Chinese-speaking entity linked to a modular malware framework known as QSC. This framework has been observed in cyberattacks against the telecom sector in South Asia.
In-Memory Execution and Stealth Capabilities
QSC follows a modular architecture in which only the initial loader is stored on disk, while the core and network components remain in memory. This approach allows attackers to dynamically load plugins according to their objectives.
In the most recent EAGERBEE intrusions, an injector DLL executes the backdoor module. Once activated, the backdoor gathers system details and transmits them to a remote server via a TCP socket. The specific method used to gain initial access in these incidents remains unclear.
The remote server responds by deploying the Plugin Orchestrator, which retrieves and reports system details such as domain NetBIOS names, memory usage statistics, and system locale settings. It also collects data on running processes while awaiting further instructions, including:
- Injecting plugins into memory
- Unloading specific plugins or clearing all from the list
- Verifying whether a plugin is active
Each plugin executes commands from the orchestrator, handling file management, process control, remote connectivity, system service oversight, and network connection monitoring.
Exploiting Vulnerabilities and Persistent Threats
Researchers have identified EAGERBEE infections across multiple organizations in East Asia, with at least two breaches linked to the ProxyLogon vulnerability (CVE-2021-26855). In these cases, attackers deployed web shells to execute commands on compromised servers, ultimately leading to the installation of the backdoor.
EAGERBEE operates primarily as a memory-resident framework, a design that significantly enhances its ability to evade detection by conventional security tools. By injecting malicious code into legitimate processes, it conceals its command shell activity, blending in with normal system behaviour and complicating efforts to detect and analyze it.
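The two preceding sections describe a detectable chain: a web shell on a compromised Exchange/IIS server executes commands, and the in-memory backdoor then opens a TCP connection to its server from a legitimate host process. The following correlation script is an added illustration written for this page, not code from the report or from any vendor tool; it runs over constructed Sysmon-style events (event ID 1 = process creation, ID 3 = network connection), and the host names, PIDs, image names and IP addresses in it are all made up.

```python
"""Correlate web-shell command execution with a follow-on outbound connection.

Added example (not from the original write-up). Assumes Sysmon-style events
reduced to tuples; w3wp.exe is taken as the IIS worker that hosts a web shell.
"""
from datetime import datetime, timedelta

WEBSHELL_HOSTS = {"w3wp.exe"}              # assumed web-shell host process
SHELLS = {"cmd.exe", "powershell.exe"}     # command shells spawned by the web shell
WINDOW = timedelta(minutes=30)             # how long after the shell we look for C2

# Constructed sample events:
# (timestamp, event_id, host, pid, image, parent_image [ID 1] or dest [ID 3])
EVENTS = [
    ("2024-01-01T10:00:00", 1, "MAIL01", 4120, "cmd.exe", "w3wp.exe"),
    ("2024-01-01T10:02:15", 1, "MAIL01", 4388, "conhost.exe", "cmd.exe"),
    ("2024-01-01T10:05:40", 3, "MAIL01", 1230, "svchost.exe", "203.0.113.10:443"),
    ("2024-01-01T12:00:00", 3, "MAIL02", 3000, "svchost.exe", "203.0.113.10:443"),
]


def parse(ev):
    """Turn a raw tuple into a dict with a real datetime for easy comparison."""
    return {"ts": datetime.fromisoformat(ev[0]), "id": ev[1], "host": ev[2],
            "pid": ev[3], "image": ev[4], "extra": ev[5]}


def find_chains(raw_events, window=WINDOW):
    """Return (host, shell_time, connect_time, image, dest) for every host where
    a web-shell-spawned shell is followed by an outbound connection in `window`."""
    events = sorted((parse(e) for e in raw_events), key=lambda e: e["ts"])
    shell_times = {}   # host -> timestamps of w3wp.exe -> shell spawns
    hits = []
    for e in events:
        if e["id"] == 1 and e["extra"] in WEBSHELL_HOSTS and e["image"] in SHELLS:
            shell_times.setdefault(e["host"], []).append(e["ts"])
        elif e["id"] == 3:
            for t in shell_times.get(e["host"], []):
                if timedelta(0) <= e["ts"] - t <= window:
                    hits.append((e["host"], t.isoformat(), e["ts"].isoformat(),
                                 e["image"], e["extra"]))
                    break   # one alert per connection is enough
    return hits


if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print("suspicious chain:", hit)
```

In the constructed data only MAIL01 fires, because MAIL02's connection has no preceding web-shell command execution; the image in the hit (a legitimate system process) is the lead for memory inspection of that process.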