EAGERBEE, with updated and novel components, targets the Middle East
Jan. 6, 2025, 9:39 p.m.
Description
The EAGERBEE backdoor, deployed at ISPs and governmental entities in the Middle East, has been analyzed to reveal new components and capabilities. The malware uses a novel service injector to inject the backdoor into running services, and employs several plugins for various malicious activities. The initial infection vector remains unclear, but some organizations were breached via the ProxyLogon vulnerability. The analysis uncovered potential links between EAGERBEE and the CoughingDown threat group, including code similarities and overlapping command and control infrastructure. The malware's memory-resident architecture and ability to inject code into legitimate processes enhance its stealth capabilities, making detection challenging.
Date
Published: Jan. 6, 2025, 9:27 p.m.
Created: Jan. 6, 2025, 9:27 p.m.
Modified: Jan. 6, 2025, 9:39 p.m.
Indicators
5.34.176.46
195.123.242.120
151.236.16.167
82.118.21.230
194.71.107.215
62.233.57.94
www.rambiler.com
www.socialentertainments.store
Attack Patterns
EAGERBEE
CoughingDown
T1078.001
T1505.003
T1569.002
T1021.001
T1543.003
T1136
T1016
T1082
T1057
T1083
T1055
T1033
T1049
T1003