- EggStreme is a stealthy, fileless malware framework used by a Chinese threat actor to target a Philippine military company
- It comprises six modular components, providing a reverse shell, payload injection, keylogging and persistent espionage
- Attribution remains uncertain, but the attack's objectives align with known Chinese tactics across APAC and beyond
A Chinese threat actor has attacked a Philippine military company with a stealthy, persistent piece of malware, researchers have warned.
Earlier this week, cybersecurity company Bitdefender published an in-depth report on EggStreme, a "multi-stage toolset that achieves low-profile espionage by injecting malicious code directly into memory and abusing DLL side-loading to execute payloads".
It has six distinct components:
- EggStremeFuel: the initial loader DLL, side-loaded by a legitimate binary; it establishes a reverse shell
- EggStremeLoader: reads the encrypted payloads and injects them into a process
- EggStremeReflectiveLoader: decrypts and injects the final payload
- EggStremeAgent: the primary backdoor
- EggStremeKeylogger: captures keystrokes and sensitive user data
- EggStremeWizard: a secondary backdoor kept for redundancy
Side-loaded DLLs
Bitdefender tried to link the framework to known Chinese actors but could not find a plausible connection, The Hacker News reported. "We put a lot of effort into attribution, but we did not find anything," Martin Zugec, technical solutions director at Bitdefender, told the publication. "However, the targets align with Chinese APTs. For this one, our attribution is based on interest/targets."
The objectives here, it seems, are cyber-espionage, reconnaissance and low-profile, long-term persistence, all of which Chinese actors are known for, not only in the Philippines but elsewhere in the region (Vietnam, Taiwan and other neighboring countries) and around the world.
Salt Typhoon is perhaps the best-documented Chinese APT, having recently been found inside numerous telecommunications service providers in the United States.
The EggStreme malware framework is delivered via a side-loaded DLL: the file is loaded by a trusted, legitimately signed executable, which lets it slip past security controls that trust the host process. How the DLL was placed on the victim's device in the first place, however, remains unknown.
The usual routes are a supply-chain compromise, manual deployment of the DLL through previously obtained access, or a drive-by compromise followed by lateral movement.
Via The Hacker News