Fileless Malware seen in the wild again as actors attack the Philippines military – Matthew Griffin | Keynote Speaker & Master Futurist

WHY THIS MATTERS IN BRIEF

Fileless malware is very difficult to detect and harder to stop, and its use is increasing.

An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme.

“This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads,” Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News.

“The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.”

The targeting of the Philippines is something of a recurring pattern for Chinese state-sponsored hacking groups, particularly in light of geopolitical tensions fuelled by territorial disputes in the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei.

That said, the latest activity has not been attributed to any known Chinese hacking group. “We put quite a lot of effort into attribution efforts, but couldn’t find anything,” said Martin Zugec, technical solutions director at Bitdefender. “However, objectives align with Chinese APTs. For this one, our attribution is based on interests/objectives.”

The Romanian cybersecurity vendor, which first detected signs of malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components that’s engineered to establish a “resilient foothold” on infected machines. The exact initial access vector used in the attack remains unknown at this stage.

The starting point of the multi-stage operation is a payload called EggStremeFuel (“mscorsvc.dll”) that conducts system profiling and deploys EggStremeLoader to set up persistence and then executes EggStremeReflectiveLoader, which, in turn, triggers EggStremeAgent.

EggStremeFuel opens an active communication channel with a command-and-control (C2) server, which enables it to:

  • Get drive information
  • Start cmd.exe and establish communication via pipes
  • Gracefully close all connections and shut down
  • Read a file from the server and save it to disk
  • Read a local file from a given path and transmit its content
  • Send the external IP address by making a request to myexternalip[.]com/raw
  • Dump the in-memory configuration to disk

Calling EggStremeAgent the “central nervous system” of the framework, Bitdefender says the backdoor monitors for new user sessions and injects a keylogger component dubbed EggStremeKeylogger into each one to harvest keystrokes and other sensitive data. It communicates with its C2 server using the Google Remote Procedure Call (gRPC) protocol.

It supports an impressive 58 commands that enable a broad range of capabilities to facilitate local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection, including an auxiliary implant codenamed EggStremeWizard (“xwizards.dll”).

“The attackers use this to launch a legitimate binary that sideloads the malicious DLL, a technique they consistently abuse throughout the attack chain,” Zavadovschi noted.

“This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience and ensuring that communication with the attacker can be maintained even if one C2 server is taken offline.”
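As an added illustration (not code from Bitdefender's report or from this post), here is a defender-side check for the DLL side-loading pattern described above: it flags image-load events in which a DLL carrying one of the file names mentioned in the report (mscorsvc.dll, xwizards.dll) is loaded from outside the Windows system directories where a genuine copy would live. The Sysmon-style event fields, the trusted-directory list and the sample records are constructed assumptions, not real telemetry.

```python
"""Flag image-load events that look like side-loading of a lookalike DLL.

Heuristic: a DLL whose file name matches one the EggStreme report says was
side-loaded is loaded from a directory that is NOT a Windows system directory.
Records are constructed to resemble Sysmon Event ID 7 (Image loaded) fields.
"""
from pathlib import PureWindowsPath

# DLL file names the report says were side-loaded (compared lower-case).
SIDELOADED_NAMES = {"mscorsvc.dll", "xwizards.dll"}

# Where a genuine copy of a system DLL is expected to live on a default
# install. Prefix match, lower-case. Assumption: system drive is C:.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\windows\\winsxs\\",
)


def is_trusted_dir(path_str: str) -> bool:
    """True if the path sits under one of the trusted system directories."""
    normalized = path_str.lower().replace("/", "\\")
    return normalized.startswith(TRUSTED_DIR_PREFIXES)


def flag_sideload_candidates(events):
    """Return (process, dll) pairs where a lookalike DLL loads from an untrusted dir."""
    hits = []
    for ev in events:
        dll_name = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        if dll_name not in SIDELOADED_NAMES:
            continue
        if is_trusted_dir(ev["ImageLoaded"]):
            continue  # genuine system copy, nothing to flag
        hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


# Constructed sample events (hypothetical host binaries, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\host.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"Image": r"C:\Users\Public\svc\host.exe",
     "ImageLoaded": r"C:\Users\Public\svc\mscorsvc.dll"},
    {"Image": r"C:\ProgramData\tools\wizard_host.exe",
     "ImageLoaded": r"C:\ProgramData\tools\xwizards.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for proc, dll in flag_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible side-load: {proc} loaded {dll}")
```

In production the same logic would run over real Sysmon or EDR image-load telemetry; pairing it with a signature check on the loaded DLL reduces false positives from legitimate relocated copies.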

The activity is also characterized by the use of the Stowaway proxy utility to establish an internal network foothold. Complicating detection further is the framework's fileless nature: malicious code is loaded and executed directly in memory, leaving no traces on disk.

“This, coupled with the heavy use of DLL side-loading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat,” Bitdefender said.

“The EggStreme malware family is a highly sophisticated and multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection.”
