Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems

September 10, 2025

A China-linked advanced persistent threat (APT) group has been attributed with the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme.

"This multi-stage toolset delivers persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads," Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News.

"The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger."

The targeting of the Philippines fits a recurring pattern among Chinese state-sponsored hacking groups, set against the geopolitical tensions driven by the South China Sea territorial disputes involving China, Vietnam, the Philippines, Taiwan, Malaysia and Brunei.

The Romanian cybersecurity vendor, which first detected signs of the malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components designed to establish a "resilient foothold" on infected machines.

The starting point of the multi-stage operation is a payload called EggStremeFuel ("mscorsvc.dll"), which performs system profiling, deploys EggStremeLoader to establish persistence, and runs EggStremeReflectiveLoader, which in turn launches EggStremeAgent.

EggStremeFuel's functionality is realized by opening an active communication channel with the command-and-control (C2) server, which enables it to –

  • Get drive information
  • Start cmd.exe and communicate with it via a pipe
  • Gracefully close and shut down all connections
  • Read a file from the server and save it to disk
  • Read a local file from a specified path and send its contents
  • Send the host's external IP address, obtained by making a request to myexternalip(.)com/raw
  • Dump the in-memory configuration to disk

EggStremeAgent, which Bitdefender calls the framework's "central nervous system," monitors for new user sessions and injects a keylogger component named EggStremeKeylogger into each one to harvest keystrokes and other sensitive data. It communicates with the C2 server using the gRPC (Google Remote Procedure Call) protocol.

The backdoor supports an impressive 58 commands, among them deploying an auxiliary implant known as EggStremeWizard ("xwizards.dll"), enabling a wide range of functions: local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection.

"Attackers use this to launch legitimate binaries that sideload malicious DLLs, a technique that is consistently exploited across the attack chain," Zavadovschi noted.

"This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers to increase resilience and to maintain communication with the attacker even when a single C2 server is taken offline."

The activity is also characterized by the use of the Stowaway proxy utility to establish a foothold in the internal network. Complicating detection is the fileless nature of the framework, which loads and executes malicious code directly in memory without leaving traces on disk.

"This, coupled with the heavy use of DLL sideloading and sophisticated multi-stage execution flows, makes the framework inconspicuous and a critical and lasting threat," Bitdefender said.

"The EggStreme malware family is a highly refined, multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actors demonstrate a sophisticated understanding of modern defense techniques by employing a variety of tactics to avoid detection."
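As an added example of the kind of hunt a defender could run against the two behaviors called out above (it is not Bitdefender's tooling or code from the report), the following Python script scans Sysmon-style events for DLL side-loading and for the external IP check. It flags a DLL whose name matches one the report ties to EggStreme (mscorsvc.dll for EggStremeFuel, xwizards.dll for EggStremeWizard) when it is loaded from outside the directories where a Microsoft-signed copy would normally live, or without a valid signature, and flags DNS lookups of myexternalip.com. The field names follow Sysmon Event ID 7 (image load) and Event ID 22 (DNS query); the sample events, the process name app.exe, the C:\ProgramData\Update path and the trusted-directory list are constructed assumptions for illustration.

```python
"""Hunt for EggStreme-style DLL side-loading and external-IP checks in Sysmon logs.

Added example, not Bitdefender's tooling. Assumes Sysmon Event ID 7 (ImageLoaded)
and Event ID 22 (DNSEvent) exported as one JSON object per line using Sysmon's
own field names. All sample events below are constructed for illustration.
"""
import json
import ntpath  # Windows path handling that also works when run on Linux/macOS

# DLL names the Bitdefender report ties to EggStreme components:
# mscorsvc.dll = EggStremeFuel, xwizards.dll = EggStremeWizard.
SUSPECT_DLLS = {"mscorsvc.dll", "xwizards.dll"}

# Directories where a genuine, Microsoft-signed copy of such a DLL would live.
# Assumed starting list; extend it for your environment.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\microsoft.net",
)

# Domain EggStremeFuel is reported to query to learn the host's public IP.
EXTERNAL_IP_DOMAINS = {"myexternalip.com"}


def _under_trusted_dir(path: str) -> bool:
    """True when the file sits in (or below) one of TRUSTED_DIRS."""
    directory = ntpath.dirname(path).lower()
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)


def is_sideload_candidate(event: dict) -> bool:
    """Event ID 7: a suspect DLL name loaded from an untrusted path or unsigned."""
    if event.get("EventID") != 7:
        return False
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in SUSPECT_DLLS:
        return False
    signed_ok = (event.get("Signed") == "true"
                 and event.get("SignatureStatus") == "Valid")
    # A signed copy in a trusted directory is the legitimate case; anything else
    # matches the side-loading pattern (attacker-controlled DLL placed where a
    # legitimate binary searches before the system directories).
    return not (_under_trusted_dir(loaded) and signed_ok)


def is_external_ip_lookup(event: dict) -> bool:
    """Event ID 22: DNS query for a what-is-my-IP service."""
    return (event.get("EventID") == 22
            and event.get("QueryName", "").lower().rstrip(".") in EXTERNAL_IP_DOMAINS)


def hunt(lines):
    """Return (indicator, process, artifact) triples for every matching event."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if is_sideload_candidate(ev):
            findings.append(("dll_sideload", ev.get("Image", ""), ev["ImageLoaded"]))
        elif is_external_ip_lookup(ev):
            findings.append(("external_ip_lookup", ev.get("Image", ""), ev["QueryName"]))
    return findings


# Constructed sample telemetry (app.exe and C:\ProgramData\Update are invented).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\Update\app.exe",
     "ImageLoaded": r"C:\ProgramData\Update\mscorsvc.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\ProgramData\Update\app.exe",
     "ImageLoaded": r"C:\ProgramData\Update\xwizards.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 22, "Image": r"C:\ProgramData\Update\app.exe",
     "QueryName": "myexternalip.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "update.microsoft.com"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for indicator, process, artifact in hunt(SAMPLE_LINES):
        print(f"{indicator}: {process} -> {artifact}")
```

On the constructed input the script reports the two unsigned DLLs loaded from C:\ProgramData\Update and the myexternalip.com lookup, while the signed mscorsvc.dll under Microsoft.NET and the kernel32.dll load are left alone. A file-name match alone is a weak signal, so the path and signature conditions are what keep the false-positive rate tolerable; against a real EggStreme case the Image field of the flagged load is the legitimate binary that was abused for side-loading and is the natural pivot for the rest of the investigation.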
