Eagerbee Backdoor - A major threat to government units and Internet service providers in the Middle East

Overview
In January 2025, Kaspersky researchers recorded a new variant of the Eagerbee Backdoor being used in attacks targeting Internet Service Providers (ISPs) and government organizations in the Middle East.
The new variant of EAGERBEE is equipped with components that allow the backdoor to inject payloads, enumerate system information, and execute shell commands, among other actions. The initial access method has not yet been identified, but this campaign relies on deploying the injector tsvipsrv.dll and the payload ntusers0.dat through the SessionEnv service.

Key Findings
The Eagerbee backdoor is malware designed to give attackers access to and control over a system, bypassing user consent and standard security measures. It can be used to collect sensitive data, install additional malicious software, or carry out other harmful actions without the user's knowledge.
Once installed, the Eagerbee backdoor provides persistent remote access to the infected system. The initial intrusion vector has been linked to the ProxyLogon vulnerability (CVE-2021-26855) in Microsoft Exchange Server.

After the EagerBee backdoor enters the victim's system, there are five main activities recorded according to Kaspersky reports:
Initial infection
Installing the backdoor
Connecting to the control server
Performing malicious actions
Hiding itself
Attack Flow
Initially, the attacker runs commands to drop a backdoor DLL named "tsvipsrv.dll." The attacker then hides the dropped files and modifies their attributes, while abusing a DLL hijacking weakness in the SessionEnv service to execute the malware.

First, the attacker changes the creation, access, and last-modified times of the file "ntusers0.dat" to "1/8/2019 9:57," possibly to make the file appear older and avoid attention from security monitoring.

After altering the timestamps of the "ntusers0.dat" file, the attacker uses "attrib.exe" to change the file's attributes.
attrib.exe -s -h -a C:\users\public\ntusers0.dat
attrib.exe +s +h +a C:\users\public\ntusers0.dat
attrib.exe +s +h +a system32\tsvipsrv.dll
=> These commands mark "ntusers0.dat" and "tsvipsrv.dll" as system, hidden, and archive files, making them harder to spot in a directory listing.
After making the changes to the file attributes, the attacker begins configuring and restarting the "sessionenv" service.
net.exe stop sessionenv
cmd.exe /c "sc config sessionenv Start= auto"
net.exe start sessionenv
=> This is likely intended to stop and reconfigure the service so that it starts automatically and loads the malicious DLL.
Finally, the attacker establishes network connections and manipulates remote files. The file abused through DLL hijacking is tsvipsrv.dll. Once the victim's machine is infected, EAGERBEE gathers system information (machine name, memory usage, time zone, running processes, and so on) and exfiltrates it to the C&C server, which then directs further malicious activity.
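The staging sequence above (hiding the DLL with attrib.exe, then reconfiguring and restarting SessionEnv) is distinctive enough to detect from process-creation logs. The following is an added detection example, not code from the original report or from Kaspersky; the log format, rule names and sample events are constructed for illustration, and the command lines mirror those quoted in the text.

```python
import re
from datetime import datetime

# Constructed sample process-creation events (not from the original report), one
# per line as "<ISO timestamp> <parent image> -> <command line>".
SAMPLE_EVENTS = [
    "2025-01-08T09:57:01 cmd.exe -> attrib.exe -s -h -a C:\\users\\public\\ntusers0.dat",
    "2025-01-08T09:57:02 cmd.exe -> attrib.exe +s +h +a C:\\users\\public\\ntusers0.dat",
    "2025-01-08T09:57:03 cmd.exe -> attrib.exe +s +h +a system32\\tsvipsrv.dll",
    "2025-01-08T09:57:10 cmd.exe -> net.exe stop sessionenv",
    '2025-01-08T09:57:11 cmd.exe -> cmd.exe /c "sc config sessionenv Start= auto"',
    "2025-01-08T09:57:12 cmd.exe -> net.exe start sessionenv",
    "2025-01-08T10:15:00 explorer.exe -> attrib.exe +r C:\\users\\alice\\notes.txt",
]

# Rule names are our own labels; the patterns follow the commands quoted in the report.
RULES = [
    ("attrib_hide_system_dll", re.compile(r"attrib\.exe\s+.*\+s.*\+h.*\b(?:system32|syswow64)\\\S+\.dll", re.I)),
    ("attrib_hide_public_file", re.compile(r"attrib\.exe\s+.*\+s.*\+h.*\\users\\public\\", re.I)),
    ("sessionenv_reconfigure", re.compile(r"\bsc(?:\.exe)?\s+config\s+sessionenv\s+start=\s*auto", re.I)),
    ("sessionenv_restart", re.compile(r"\bnet(?:\.exe)?\s+(?:stop|start)\s+sessionenv\b", re.I)),
]
EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(.*)$")

def scan(events):
    """Return one (timestamp, rule_name, command_line) tuple per rule match."""
    hits = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected shape
        ts, _parent, cmdline = m.groups()
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((datetime.fromisoformat(ts), name, cmdline))
    return hits

def correlate(hits, window_seconds=300):
    """Escalate only when a DLL is hidden under system32 and SessionEnv is reconfigured
    or restarted shortly afterwards: that pairing is the hijack staging sequence."""
    hides = [h for h in hits if h[1] == "attrib_hide_system_dll"]
    service_ops = [h for h in hits if h[1].startswith("sessionenv_")]
    for hide in hides:
        for op in service_ops:
            if 0 <= (op[0] - hide[0]).total_seconds() <= window_seconds:
                return {"verdict": "sessionenv_dll_hijack_staging",
                        "dll_cmd": hide[2], "service_cmd": op[2]}
    return None
```

An isolated attrib or net command is noisy on its own; the correlation step is what separates this sequence from routine administration.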
In addition to the backdoor file "tsvipsrv.dll," the attacker uses a series of other malicious DLLs and plugins, such as:
dllloader1x64.dll: Collects NetBIOS information about the victim's machine, operating system details, and lists of IPv4 and IPv6 addresses.
DllMain: Lists drives and files on the system, or injects malicious payloads into memory.
According to Kaspersky's report, the attacker also runs shell commands by injecting cmd.exe into the DllHost.exe process, using the legitimate process as cover.

=> These shell commands are used to:
List users and administrator groups
Query system and account information
Connect to shared resources using stolen credentials
Store the obtained information
In particular, the ProxyLogon vulnerability (CVE-2021-26855) in Exchange Server was exploited, after which malicious webshells were uploaded and used to execute commands on the compromised servers. The attackers abused the legitimate Windows services MSDTC, IKEEXT, and SessionEnv to load the malicious DLLs oci.dll, wlbsctrl.dll, and TSVIPSrv.dll, respectively.

List of Recorded IOCs
Hashes:
Malicious Domains and IPs:
Recommendation
Update the system: Ensure all systems and software, especially Microsoft Exchange Server, have the latest security patches applied so that vulnerabilities such as ProxyLogon cannot be exploited.
Network monitoring: Use monitoring tools to detect unusual activity, especially connections to unknown servers.
Behavior analysis: Deploy behavior-based security solutions to detect suspicious activity, such as code injection into legitimate processes.
Employee training: Raise cybersecurity awareness among employees to reduce the risk of phishing and other social engineering attacks.
Conclusion
Malware samples continue to grow more advanced as threat actors develop increasingly sophisticated tools. EAGERBEE is one such example: it is designed primarily to operate in memory, and it conceals its shell command activity by injecting malicious code into legitimate processes, such as dllhost.exe, and executing it from there.
In EAGERBEE attacks in East Asia, organizations were compromised through the ProxyLogon vulnerability. ProxyLogon remains a common exploitation method for attackers to gain unauthorized access to Exchange servers. Timely patching of this vulnerability is crucial for protecting users' networks.