2025-01-16

Stealthy Backdoor Eagerbee Malware Ensures Time-Sensitive Execution

Level: Tactical | Source: Kaspersky | Sectors: Government, Telecommunications

Potential ties have been identified between the Eagerbee malware and the CoughingDown threat group, as tracked by Kaspersky researchers, based on shared network infrastructure. Kaspersky explained, “Because of the consistent creation of services on the same day via the same webshell to execute the Eagerbee backdoor and the CoughingDown Core Module, and the C2 domain overlap between the Eagerbee backdoor and the CoughingDown Core Module, we assess with medium confidence that the Eagerbee backdoor is related to the CoughingDown threat group.” The malware has been observed targeting organizations in the Middle East, East Asia, and Japan, with impacts on government and telecommunications sectors. Some breaches have also been linked to the ProxyLogon vulnerability (CVE-2021-26855), enabling attackers to upload webshells for initial access.

Eagerbee employs several mechanisms designed to evade detection. While the initial attack vector remains undetermined in Kaspersky’s recent investigation, the subsequent malicious activity relies heavily on legitimate system processes. Key activities include placing files in suspicious locations, such as "system32\tsvipsrv.dll" and "C:\users\public\ntusers0.dat", with their timestamps modified via PowerShell to '1/8/2019 9:57'. The malware uses a service injector, “tsvipsrv.dll”, to write the payload bytes into memory and decompress them with a stub code, enabling injection into legitimate service processes. Evasive actions include using “attrib.exe” to hide files, reconfiguring the “sessionenv”, “IKEEXT”, and “MSDTC” services with "net.exe" commands, and leveraging admin shares (C$) for lateral movement when valid user credentials are available. Execution relies on DLL hijacking, achieved by placing the malicious library in the system32 directory. Additionally, the malware incorporates a day-and-time execution check, as noted by Kaspersky: "The backdoor has an execution day and time check. It compares the current system day and hour to the hardcoded string 0-6:00:23;6:00:23." Observed configurations indicate the malware operates continuously in many attacks.
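The behaviours above can be turned into host-level triage logic. The following is an added example written for this page, not code from Kaspersky or Anvilogic: it checks constructed endpoint events against the indicators quoted in the report (the two dropped-file paths, the '1/8/2019 9:57' timestamp, attrib.exe hiding files, net.exe acting on the three named services) and evaluates the reported execution-window string. The event schema, the PowerShell timestomping pattern, the net.exe start/stop syntax and the decoding of the schedule string (Sunday = 0, as in the Windows SYSTEMTIME convention) are assumptions, not details stated on the page.

```python
"""Triage constructed endpoint events for Eagerbee-style behaviour.
Added example; the event format and detection heuristics are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Indicators quoted in the write-up (matched case-insensitively).
SUSPICIOUS_PATHS = (r"\system32\tsvipsrv.dll", r"\users\public\ntusers0.dat")
TIMESTOMP_VALUE = datetime(2019, 1, 8, 9, 57)       # '1/8/2019 9:57'
TARGET_SERVICES = {"sessionenv", "ikeext", "msdtc"}
REPORTED_SCHEDULE = "0-6:00:23;6:00:23"

@dataclass
class Event:
    kind: str                      # "file" or "process" (assumed schema)
    path: str = ""                 # file events: path written
    mtime: datetime | None = None  # file events: last-write time
    image: str = ""                # process events: executable name
    cmdline: str = ""              # process events: full command line

@dataclass
class Finding:
    rule: str
    detail: str

def triage(events: list[Event]) -> list[Finding]:
    """Return one Finding per matched heuristic; an event may match several."""
    findings: list[Finding] = []
    for ev in events:
        if ev.kind == "file":
            low = ev.path.lower()
            if any(low.endswith(p) for p in SUSPICIOUS_PATHS):
                findings.append(Finding("eagerbee_dropped_file", ev.path))
            if ev.mtime == TIMESTOMP_VALUE:
                findings.append(Finding("eagerbee_timestomp_value", ev.path))
        elif ev.kind == "process":
            img, cmd = ev.image.lower(), ev.cmdline.lower()
            # Assumed pattern: a .NET file-time property being assigned from PowerShell.
            if img == "powershell.exe" and re.search(
                    r"\.(lastwritetime|creationtime|lastaccesstime)\s*=", cmd):
                findings.append(Finding("timestomp_via_powershell", ev.cmdline))
            # attrib.exe setting the hidden attribute on a file.
            if img == "attrib.exe" and "+h" in cmd.split():
                findings.append(Finding("file_hidden_with_attrib", ev.cmdline))
            # net.exe start/stop against one of the services named in the report.
            m = re.match(r"^net(?:\.exe)?\s+(start|stop)\s+(\S+)", cmd)
            if img == "net.exe" and m and m.group(2) in TARGET_SERVICES:
                findings.append(Finding("eagerbee_service_control", ev.cmdline))
    return findings

def schedule_allows(schedule: str, when: datetime) -> bool:
    """Decode ';'-separated windows of '<day|day-day>:<start_hour>:<end_hour>'.
    Days are assumed to use the Windows convention (Sunday = 0); Python's
    weekday() has Monday = 0, so it is shifted. This decoding is an assumption."""
    day = (when.weekday() + 1) % 7
    for window in schedule.split(";"):
        days, start, end = window.split(":")
        lo, _, hi = days.partition("-")
        hi = hi or lo
        if int(lo) <= day <= int(hi) and int(start) <= when.hour <= int(end):
            return True
    return False

# Constructed sample events, not data from a real incident.
SAMPLE_EVENTS = [
    Event("file", path=r"C:\Windows\system32\tsvipsrv.dll", mtime=TIMESTOMP_VALUE),
    Event("file", path=r"C:\users\public\ntusers0.dat", mtime=datetime(2025, 1, 16, 10, 2)),
    Event("process", image="powershell.exe",
          cmdline=r"powershell -c (Get-Item C:\users\public\ntusers0.dat).LastWriteTime = '1/8/2019 9:57'"),
    Event("process", image="attrib.exe", cmdline=r"attrib +h C:\users\public\ntusers0.dat"),
    Event("process", image="net.exe", cmdline="net stop IKEEXT"),
    Event("process", image="net.exe", cmdline="net stop Spooler"),          # should not match
    Event("file", path=r"C:\Windows\system32\kernel32.dll",
          mtime=datetime(2024, 6, 1, 0, 0)),                                 # should not match
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.detail}")
    print("reported schedule active now:", schedule_allows(REPORTED_SCHEDULE, datetime.now()))
```

Running the block stand-alone prints six findings for the seven sample events and confirms that the reported schedule string covers every day and hour, which matches the observation that the backdoor runs continuously. In production the same rules would sit on top of whatever EDR or Sysmon feed supplies the file and process events.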

Following deployment, the Eagerbee backdoor gathers detailed system and network information, including IP configurations, OS details, and user accounts. Reconnaissance commands include listing user groups (“net localgroup administrators”), querying domain structures (“dsquery”), and using “rar.exe” to archive and exfiltrate data from shared resources. Remote access is facilitated by injecting “cmd.exe” into legitimate processes such as “DllHost.exe”, enabling attackers to execute commands within a trusted context. The backdoor communicates with the command-and-control (C2) server over TCP/SSL channels, downloading and executing additional plugins managed by a plugin orchestrator, “ssss.dll”. These plugins provide file system operations, process enumeration, remote access, service control, and network monitoring, making Eagerbee a versatile tool for sustained access and data exfiltration.

Kaspersky’s investigation revealed overlaps between Eagerbee and previously documented CoughingDown malware. Shared IP addresses, code similarities, and identical operational tactics strongly suggest a link between the two. With its memory-resident architecture, plugin-based modularity, and deployment against organizations globally, Eagerbee poses a persistent and concerning threat.
