Introduction
In our recent investigation into the EAGERBEE backdoor, we found that it was being deployed at ISPs and governmental entities in the Middle East. Our analysis uncovered new components used in these attacks, including a novel service injector designed to inject the backdoor into a running service. Additionally, we discovered previously undocumented components (plugins) deployed after the backdoor’s installation. These enabled a range of malicious activities such as deploying additional payloads, exploring file systems, executing command shells and more. The key plugins can be categorized in terms of their functionality into the following groups: Plugin Orchestrator, File System Manipulation, Remote Access Manager, Process Exploration, Network Connection Listing and Service Management.
In this blog, we provide a detailed analysis of the EAGERBEE backdoor’s capabilities, focusing on the service injector, Plugin Orchestrator module and associated plugins. We also explore potential connections of the EAGERBEE backdoor with the CoughingDown threat group.
Initial infection and spread
Unfortunately, the initial access vector used by the attackers remains unclear. However, we observed them executing commands to deploy the backdoor injector named “tsvipsrv.dll” along with the payload file ntusers0.dat, using the SessionEnv service to run the injector, as can be seen below.
//change the creation, last access and write time, timestamp of the file to "1/8/2019 9:57"attrib.exe -s -h -a C:userspublic
tusers0.dat
powershell.exe -Command "='1/8/2019 9:57'; = 'C:userspublic
tusers0.dat';(Get-Item
).creationtime = ;(Get-Item ).lastaccesstime = ;(Get-Item ).lastwritetime = "
//set the attributes of the file (EAGERBEE backdoor) to archive (+a), system file (+s) and
//hidden (+h)
attrib.exe +s +h +a C:userspublic
tusers0.dat
//set the attributes of the file (loader) to archive (+a), system file (+s ..
Support the originator by clicking the read the rest link below.
