- Eggstreme is a stealthy, fileless malware framework used by a Chinese threat actor to attack a Philippine military company
- It includes six modular components that provide reverse shell access, payload injection, keylogging and persistent espionage
- Attribution remains uncertain, but the attack's objectives align with the known tactics of Chinese APTs in APAC and beyond
A Chinese threat actor has attacked a Philippine military company with a previously unseen, fileless malware framework, researchers have warned.
Earlier this week, the Bitdefender cybersecurity team published an in-depth report on Eggstreme, a “multi-stage set that achieves low-profile espionage by injecting malicious code directly into memory and taking advantage of DLL sideloading to execute the payload.”
It comprises six different components: EggStremeFuel (the initial loader DLL, sideloaded via a legitimate binary, which establishes a reverse shell), EggStremeLoader (reads encrypted payloads and injects them into processes), EggStremeReflectiveLoader (reflectively loads the payload), EggStremeAgent (the main backdoor implant, with 58 commands), EggStremeKeylogger (captures the user’s keystrokes and confidential data) and EggStremeWizard (a secondary backdoor for redundancy).
Sideloaded DLLs
Bitdefender tried to link the framework to known Chinese APT groups, but could not find a plausible connection, The Hacker News reported. “We put a lot of effort into the attribution efforts, but could not find anything,” Martin Zugec, director of Technical Solutions at Bitdefender, told the publication. “However, the objectives are aligned with Chinese APTs. For this reason, our attribution is based on interests/objectives.”
The objective appears to be low-profile, long-term persistence, something Chinese actors are known for, not only in the Philippines but elsewhere in the region (Vietnam, Taiwan and other neighboring countries) and around the world.
Salt Typhoon is perhaps the best-documented Chinese APT, and was recently caught inside numerous telecommunications service providers in the United States.
The Eggstreme malware framework is delivered through a sideloaded DLL. The file is executed by trusted executables, which lets it evade security controls. However, how the DLL first got onto the victim’s device is still unknown.
The usual methods include supply-chain compromise, manually deploying the DLL (via previously obtained access), or transfer during lateral movement.
Via The Hacker News