A new variant of the EAGERBEE backdoor targets ISPs and governments in the Middle East
A new variant of EAGERBEE is currently in active operation, targeting Internet service providers and government entities in the Middle East. EAGERBEE is a backdoor used in espionage campaigns.
Exploitation of an old critical vulnerability dating back to 2021
Although the initial attack vector is unclear, EAGERBEE was found to exploit the ProxyLogon vulnerability (CVE-2021-26855), which was massively exploited in 2021. As a reminder, ProxyLogon is a critical vulnerability affecting Microsoft Exchange Server, exploited to bypass authentication and remotely execute arbitrary code.
The current EAGERBEE activity confirms that, more than three years after its disclosure, the critical ProxyLogon vulnerability has still not been patched in certain sensitive or mission-critical organizations.
Spying
The malicious activity observed seems to indicate espionage objectives, as has been the case with previous operations. EAGERBEE is often associated with Chinese malicious actors.
Note that once the victim machine is infected, EAGERBEE is used to collect system information (machine name, memory usage, time zone, running processes, etc.) and exfiltrate it to a remote command and control (C&C) server, with which a persistent connection is established. The backdoor then waits for instructions from the C&C.
The initial information gathered by EAGERBEE undoubtedly enables the malicious actor controlling it to confirm its target before moving on to the active post-exploitation phase.
Indicators of compromise (IOC)
The IOCs associated with this attack are as follows:
The list may evolve as we learn more about this series of attacks.
No attacks observed in North America
For the moment, EAGERBEE's perimeter of action appears to be the Middle East.
No attacks appear to have targeted North America as yet. However, given the current geopolitical situation, and the fact that a known critical vulnerability is being exploited, we strongly recommend that organizations and governments take steps to protect themselves against this backdoor.
Recommendations
- Apply the patches for the ProxyLogon (CVE-2021-26855) vulnerability. It's urgent.
- Block or monitor activities associated with the IOCs listed above.
What Streamscan is doing to protect its MDR customers
- The IOCs associated with this series of attacks have been injected into our CDS technology, which monitors your network.
- We remain vigilant in monitoring your network.
- We will continue to monitor the situation and keep you informed if necessary.
Need help improving your cybersecurity? Talk to one of our experts or call us at +1 877 208-9040.