EAGERBEE

Two of these organizations were breached via the infamous ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers, after which malicious webshells were uploaded and utilized to execute commands on the breached servers.

0x1D (29) Start the command shell (cmd.exe). The module can also run cmd.exe by injecting its code into the process C:\Windows\System32\dllhost.exe. Read data from the command shell and send it to the C2 server.

c:\programdata\microsoft\vmware\vmnat\vmtools\instsrv.exe vmnattools c:\programdata\microsoft\vmware\vmnat\vmtools\srvany.exe

MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe, a VMware component... The Crimson Palace campaign included over 15 distinct DLL sideloading scenarios... Cluster Alpha activity included multiple sideloading attempts to deploy various malware... Cluster Bravo used renamed versions of a signed side-loadable binary (mscorsvw.exe) to obfuscate backdoor deployment.

The attackers abused the legitimate Windows services MSDTC, IKEEXT and SessionEnv to execute malicious DLLs: oci.dll, wlbsctrl.dll and TSVIPSrv.dll, respectively.

The attacker created two DLLs (swprvs.dll and appmgmt.dll) and replaced the legitimate Shadow Copy Provider Service and Application Management Service DLL paths in the registry.

It uses a known technique to try to crash EDR processes, by creating a Registry key named SophosFileScanner.exe in the path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Two of these organizations were breached via the infamous ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers, after which malicious webshells were uploaded and utilized to execute commands on the breached servers.

Service Manager This plugin manages system services, including installing, starting, stopping, deleting and listing them.

Persistence is configured using a Registry Run Key.

Upon establishing a connection to C2, The malware downloads executable files from C2... then extracts the entry point and modifies memory protections to allow execution using the VirtualProtect API. Payload execution in the same process

the registry key additions gave the infected service additional unauthorized privileges. Specifically, the actor invoked a series of token privileges, including SeBackupPrivilege, SeRestorePrivilege, and SeTakeOwnershipPrivilege ... Another invoked privilege was SeTcbPrivilege

Service Manager This plugin manages system services, including installing, starting, stopping, deleting and listing them.

Persistence is configured using a Registry Run Key.

The malware's C2 addresses are either hardcoded values or stored in an XOR-encrypted file named c:\users\public\iconcache.mui . This file is decrypted using the first character as the decryption key.

When we found the backdoor in the infected system, it was named dllloader1x64.dll.

Upon establishing a connection to C2, The malware downloads executable files from C2... then extracts the entry point and modifies memory protections to allow execution using the VirtualProtect API. Payload execution in the same process

change the creation, last access and write time, timestamp of the file to "1/8/2019 9:57"

the registry key additions gave the infected service additional unauthorized privileges. Specifically, the actor invoked a series of token privileges, including SeBackupPrivilege, SeRestorePrivilege, and SeTakeOwnershipPrivilege ... Another invoked privilege was SeTcbPrivilege

the HUI loader (msedge_elf.dll), which de-obfuscated the file log.ini to reveal a Cobalt Strike reflective Loader

attrib . exe + s + h + a C : \ users \ public \ ntusers0 . dat ... attrib . exe + s + h + a system32 \ tsvipsrv . dll

MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe, a VMware component... The Crimson Palace campaign included over 15 distinct DLL sideloading scenarios... Cluster Alpha activity included multiple sideloading attempts to deploy various malware... Cluster Bravo used renamed versions of a signed side-loadable binary (mscorsvw.exe) to obfuscate backdoor deployment.

The attackers abused the legitimate Windows services MSDTC, IKEEXT and SessionEnv to execute malicious DLLs: oci.dll, wlbsctrl.dll and TSVIPSrv.dll, respectively.

The attacker created two DLLs (swprvs.dll and appmgmt.dll) and replaced the legitimate Shadow Copy Provider Service and Application Management Service DLL paths in the registry.

0x0D (13) Reflectively inject the received executable and DLL into memory.

It uses a known technique to try to crash EDR processes, by creating a Registry key named SophosFileScanner.exe in the path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Once connected, the actor harvested credentials using a common technique, “reg save hklm\sam sam”, to target the Security Accounts Manager (SAM) registry hive.

The backdoor retrieves the proxy host and port information for the current user by reading the registry key Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer.

The module also collects user accounts associated with the processes.

Network Manager This plugin lists the network connections in the system... Get information about the list of IPv4 and IPv6 TCP and UDP connections

It then collects details about all running processes on the system, including: Process identifiers; The number of execution threads started by each process; The identifier of the parent process; The fully qualified path of each process executable.

The malware gathers key information about the compromised system: The computer's name is obtained using the GetComputerNameW function... The processor architecture information is acquired using the GetNativeSystemInfo function... The ProductName, EditionID, and CurrentBuildNumber are extracted from the designated registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion

This plugin performs a wide range of file system functions, including: Listing drives, files and folders in the system... Get a list of files and folders at a specified location recursively.

0x0B (11) Perform the operations below to enable and persist an RDP session: Set remote desktop services to autostart... Enable remote desktop connections. Enable concurrent (multiple) RDP sessions.

net . exe use \\ << internal ip >> \ c$ < password > / user : < username >

Upon execution, sensitive data and files were collected from the machine and uploaded to a hard-coded Mongolian government URL ( www.president[.]mn/upload.php ) via cURL.

the overall goal behind the campaign was to maintain access to the target network for cyberespionage... deploying various malware implants for command-and control (C2) communications... Use of multiple persistent C2 channels including Merlin Agent, PhantomNet backdoor, RUDEBIRD malware, EAGERBEE malware, and PowHeartBeat backdoor... Deployment of several samples of... PocoProxy for persistent C2 communications.

0x0D (13) Download a file from the specified URL and write to the specified file path.

Dormant C2 communications via DNS requests and TCP network connections continued for approximately two days.

The malware has the capability to detect the presence of an HTTP proxy configuration on the host machine by inspecting the ProxyEnable registry key within Software\Microsoft\windows\CurrentVersion\Internet Settings . If this key value is set to 1 , the malware extracts the information in the ProxyServer key.

Upon establishing a connection to C2, The malware downloads executable files from C2, likely pushed automatically. It validates that each executable is 64bit, then extracts the entry point and modifies memory protections to allow execution using the VirtualProtect API.

If the C2 port has an “s” appended, an SSL session is initiated. Depending on the configuration, it may use the SCHANNEL security package, which supports SSL and TLS encryption on Windows.

Upon execution, sensitive data and files were collected from the machine and uploaded to a hard-coded Mongolian government URL ( www.president[.]mn/upload.php ) via cURL.

Command Description 0x12 (18) Stop and delete the service.

High prioritization of evasive tactics and tools: ... overwriting ntdll.dll in memory to unhook the Sophos AV agent process from the kernel, abusing AV software for sideloading... Deployment of new EAGERBEE malware variants with updated capability of modifying packets to disrupt security agent network communications.