- Eggstreme is a stealth
- It includes six modular components that enable reverse shell access, payload injection, keylogging and sustained espionage
- Attribution remains uncertain, but the attack’s targeting is in line with known Chinese APT activity across APAC and beyond
A Chinese threat actor attacked a Philippine military company with a never-before-seen fileless malware framework, researchers warned.
Earlier this week, cybersecurity outfit Bitdefender published an in-depth report on Eggstreme, a “multi-stage framework that achieves low-profile espionage by injecting malicious code directly into memory and using DLL sideloading to execute payloads.”
It consists of six components:
- EggstremeFuel: the initial loader DLL, sideloaded via a legitimate binary; it establishes a reverse shell
- EggstremeLoader: reads encrypted payloads and injects them into processes
- EggstremeReflectiveLoader: decrypts and injects the final payload
- EggstremeAgent: the main implant, with 58 commands, delivered as the final payload
- EggstremeKeylogger: captures keystrokes and sensitive user data
- EggstremeWizard: a secondary backdoor kept for redundancy
Sideloading of DLLs
Bitdefender tried to link the framework to well-known Chinese APT groups but could not find a plausible connection, The Hacker News reported. “We put a lot of effort into attribution efforts, but couldn’t find anything,” Martin Zugec, director of technical solutions at Bitdefender, told the publication. “However, the goals are in accordance with Chinese APTs. For this, our attribution is based on interests/goals.”
The goals of this campaign appear to be cyber-espionage, reconnaissance and long-term, low-profile persistence, something Chinese actors are known for not only in the Philippines but elsewhere in the region (Vietnam, Taiwan and other neighboring countries) as well as around the world.
Salt Typhoon is perhaps the most documented Chinese APT out there, and it was recently caught inside several telecommunications providers in the United States.
The Eggstreme malware framework is delivered via a side-loaded DLL. The DLL is loaded by a trusted, legitimately signed executable so that it can bypass security checks. How the DLL ended up on the victim’s device in the first place remains unknown.
Common delivery methods include supply-chain compromise, planting the DLL manually (via previously gained access), drive-by compromise and lateral movement.
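To make the sideloading pattern described above concrete, here is a small detection heuristic (an added example, not code from the Bitdefender report or this article) that scans constructed Sysmon-style image-load events for a system DLL name resolving outside System32, or an unsigned DLL sitting next to its host executable in a user-writable directory. The DLL name list, directory prefixes, field names and sample events are assumptions made for this example.

```python
import ntpath

# Illustrative set of Windows system DLL names often chosen for sideloading
# (an assumption for this example, not a list taken from the report).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptsp.dll", "wininet.dll", "wlbsctrl.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Directory trees a standard user normally cannot write to.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_protected(directory: str) -> bool:
    """True if the directory lives under an admin-only tree."""
    return (directory.lower().rstrip("\\") + "\\").startswith(PROTECTED_PREFIXES)

def sideload_indicators(event: dict) -> list[str]:
    """Return the reasons an image-load event looks like DLL sideloading (empty if none)."""
    exe_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    reasons = []
    # Rule 1: a well-known system DLL name resolved outside System32/SysWOW64.
    if dll_name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append(f"system DLL name {dll_name} loaded from {dll_dir}")
    # Rule 2: an unsigned DLL co-located with its host in a user-writable directory.
    unsigned = event.get("Signed", "false").lower() != "true"
    if unsigned and dll_dir == exe_dir and not is_protected(dll_dir):
        reasons.append(f"unsigned DLL beside host in writable directory {dll_dir}")
    return reasons

def scan(events: list[dict]) -> list[tuple]:
    """Return (host image, loaded DLL, reasons) for each event with at least one indicator."""
    return [(ev["Image"], ev["ImageLoaded"], r) for ev in events if (r := sideload_indicators(ev))]

# Constructed Sysmon Event ID 7 (Image loaded) style records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\Libraries\updater.exe", "ImageLoaded": r"C:\Users\Public\Libraries\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Program Files\Vendor\vendor_helper.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\svc\legit.exe", "ImageLoaded": r"C:\ProgramData\svc\wlbsctrl.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Temp\dbghelp.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

Real deployments should pair this with the host's known-good DLL inventory, since a benign application shipping its own copy of a system-named DLL will trigger rule 1.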
Via The Hacker News