‘EggStreme’ framework looks like the sort of thing Beijing would find handy in its ongoing territorial beefs

Infosec outfit Bitdefender says it’s spotted a strain of in-memory malware that looks like the work of Chinese advanced persistent threat groups that wanted to achieve persistent access at a “military company” in the Philippines.
According to an analysis released on Wednesday, someone cooked up tools called the “EggStreme Framework” that Bitdefender researchers found “operates with a clear, multi-stage flow designed to establish a resilient foothold on compromised systems.”
The firm’s researchers aren’t sure how attackers infect targets with EggStreme, but spotted a server running it and found multiple components that share characteristics and therefore suggest a sophisticated development effort.
The first component is called “EggStremeFuel”, which Bitdefender says deploys a tool called “EggStremeLoader” to establish a persistent service. Next comes another loader, “EggStremeReflectiveLoader”, which launches the main payload called “EggStremeAgent.”
The agent monitors for new user sessions in Windows and when it finds one injects a keylogger into the active explorer.exe process.
“This agent is a full-featured backdoor with a broad range of capabilities,” Bitdefender says, counting 58 commands that allow attackers to launch other tools. The worst of these is a backdoor called “EggStremeWizard” that attackers use to launch “a legitimate binary that sideloads the malicious DLL.”
The malware family can also enable the following nasty outcomes:
- System fingerprinting, by gathering detailed host information;
- Resource enumeration after scanning local and remote network resources;
- Privilege escalation;
- Executing arbitrary commands on the system;
- Data exfiltration;
- File and directory manipulation, including creation, deletion, and modification of files;
- Injecting code into other running processes.
Bitdefender rates the EggStreme family “difficult to detect” as its key components are fileless and run in memory.
“While encrypted malware components are present on the disk, the decrypted malicious code is executed and resides solely in memory, never touching the file system,” the company explains. “This, coupled with the heavy use of DLL sideloading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat.”
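Two of the behaviours described above, a legitimate signed binary sideloading an unsigned DLL from its own directory and a remote thread planted in explorer.exe, leave traces in endpoint telemetry even when the payload itself never touches disk. The following is an added example, not Bitdefender’s code or anything from the report, showing a triage pass over constructed Sysmon-style image-load and remote-thread records; the record fields, paths and sample events are assumptions, and the heuristic is deliberately noisy (it needs per-environment allowlisting).

```python
"""Flag DLL sideloading and explorer.exe injection in constructed Sysmon-style events."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where unsigned DLL loads are too common to be useful signal on their own.
WINDOWS_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

@dataclass
class ImageLoad:            # modelled on Sysmon Event ID 7 (image loaded); fields are assumed
    process: str            # full path of the loading process
    image: str              # full path of the loaded module
    image_signed: bool      # signature status of the loaded module
    process_signed: bool    # signature status of the loading process

@dataclass
class RemoteThread:         # modelled on Sysmon Event ID 8 (CreateRemoteThread); fields are assumed
    source: str
    target: str

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Signed host binary loads an unsigned DLL from its own, non-Windows directory."""
    proc, dll = PureWindowsPath(ev.process), PureWindowsPath(ev.image)
    if not ev.process_signed or ev.image_signed or dll.suffix.lower() != ".dll":
        return False
    same_dir = str(proc.parent).lower() == str(dll.parent).lower()
    in_windows = str(dll.parent).lower().startswith(WINDOWS_DIRS)
    return same_dir and not in_windows

def is_explorer_injection(ev: RemoteThread) -> bool:
    """A remote thread created in explorer.exe by any process other than explorer itself."""
    target = PureWindowsPath(ev.target).name.lower()
    source = PureWindowsPath(ev.source).name.lower()
    return target == "explorer.exe" and source != "explorer.exe"

def triage(events) -> list:
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for ev in events:
        if isinstance(ev, ImageLoad) and is_sideload_candidate(ev):
            findings.append(f"sideload: {ev.process} -> {ev.image}")
        elif isinstance(ev, RemoteThread) and is_explorer_injection(ev):
            findings.append(f"injection: {ev.source} -> {ev.target}")
    return findings

# Constructed sample events for illustration only (not indicators from the report).
SAMPLE = [
    ImageLoad(r"C:\Users\Public\vendor\host.exe", r"C:\Users\Public\vendor\helper.dll", False, True),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll", True, True),
    ImageLoad(r"C:\Program Files\App\app.exe", r"C:\Program Files\App\plugin.dll", True, True),
    RemoteThread(r"C:\Users\Public\vendor\host.exe", r"C:\Windows\explorer.exe"),
    RemoteThread(r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

A hit from either check is a lead for memory inspection of the named process, since the decrypted stage is where the evidence lives.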
The malware’s stealthy techniques (which aren’t unusual in the nasty world of malware) meant someone was able to deploy it at a “military company” in the Philippines. Bitdefender hasn’t explained the nature of that company, a frustrating omission as the term “military company” could describe an entity run by the Philippines’ armed forces, or a defense contractor.
Whatever the nature of the target, Beijing’s motive is clear: China and the Philippines share a long-running dispute over territory in the South China Sea, where the two nations’ navies and coast guards frequently clash. China has a clear interest in the affairs of Filipino military or military-adjacent entities, and may have created malware to gather the intelligence it needs.
China always denies it conducts offensive cyber-ops and says research of this sort is part of an effort to discredit it. ®