
"An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme. "This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads," Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News. "The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.""
"The starting point of the multi-stage operation is a payload called EggStremeFuel ("mscorsvc.dll") that conducts system profiling and deploys EggStremeLoader to set up persistence and then executes EggStremeReflectiveLoader, which, in turn, triggers EggStremeAgent. EggStremeFuel's functions are realized by opening an active communication channel with a command-and-control (C2), enabling it to:
- Get drive information
- Start cmd.exe and establish communication via pipes
- Gracefully close all connections and shutdown
- Read a file from server and save it to disk"
Bitdefender detected EggStreme activity in early 2024 and attributed a compromise of a Philippines-based military company to a China-linked APT. EggStreme is a tightly integrated, fileless malware framework that injects code into memory and uses DLL sideloading to execute payloads while minimizing disk artifacts. The framework’s entry payload, EggStremeFuel ("mscorsvc.dll"), performs system profiling, opens a C2 channel, and deploys loaders that establish persistence and launch EggStremeAgent. EggStremeAgent functions as a full-featured backdoor supporting extensive reconnaissance, lateral movement, keylogging, data exfiltration, and other remote operations designed to maintain a resilient foothold.
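The one durable artifact in an otherwise fileless chain like this is the sideloaded DLL itself: a file carrying the name of a legitimate system library ("mscorsvc.dll" in the report) but sitting somewhere the real one never lives. The following Python is an added hunting example written for this page, not code from Bitdefender or The Hacker News. It flags module loads whose file name is on a watch list but whose on-disk directory is outside a trusted-path baseline. The trusted directories, the watch list beyond the one name the report gives, and the telemetry records are all assumptions constructed for the example; the .NET Framework paths are where mscorsvc.dll ships on a default 4.x install, but verify them against your own golden image.

```python
"""
DLL sideloading hunt: flag a watched DLL name loaded from outside its
expected directory. Added example; not code from the EggStreme report.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories a Windows/.NET system DLL is expected to load from.
# ASSUMPTION for this example: build this from a known-good baseline image.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319",
)

# DLL names to watch. mscorsvc.dll is the name given in the report; any
# further entries would come from your own telemetry (assumption).
WATCHED_DLLS = {"mscorsvc.dll"}


@dataclass(frozen=True)
class ModuleLoad:
    """One image-load event, as an EDR or Sysmon (event 7) would record it."""
    process: str    # image name of the loading process
    pid: int
    dll_path: str   # full path of the loaded module


def _under_trusted_dir(path: PureWindowsPath) -> bool:
    """True if the module's parent directory is one of, or nested under,
    a trusted directory. Component-wise comparison, so C:\\Windows\\System32Evil
    does not match C:\\Windows\\System32; PureWindowsPath compares
    case-insensitively."""
    parent = path.parent
    return any(parent.is_relative_to(PureWindowsPath(d)) for d in TRUSTED_DIRS)


def is_suspicious_sideload(load: ModuleLoad) -> bool:
    """A watched DLL name loaded from anywhere but a trusted directory."""
    p = PureWindowsPath(load.dll_path)
    if p.name.lower() not in WATCHED_DLLS:
        return False
    return not _under_trusted_dir(p)


def find_sideloads(loads):
    """Return the subset of load events worth an analyst's attention."""
    return [load for load in loads if is_suspicious_sideload(load)]


# Constructed sample telemetry for the example; not indicators from the report.
SAMPLE_LOADS = [
    ModuleLoad("mscorsvw.exe", 4120,
               r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"),
    ModuleLoad("mscorsvw.exe", 5532, r"C:\ProgramData\Update\mscorsvc.dll"),
    ModuleLoad("notepad.exe", 1200, r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LOADS):
        print(f"[!] pid {hit.pid} {hit.process} loaded {hit.dll_path}")
```

Path alone is a weak signal: a user-writable copy of a real, signed DLL placed next to a copied legitimate host binary is exactly what sideloading looks like, so in practice you would join each hit with the module's Authenticode status and hash against the vendor's known-good copy, and with the process's own image path, before escalating. Because the injected stages never touch disk, this first-stage DLL and the persistence it sets up are the places a file-based scan can still catch the chain.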
Read at The Hacker News