Cybersecurity researchers at Bitdefender have identified a new, highly sophisticated malware framework called EggStreme, which is being used by a China-based APT group to spy on military organizations in the Asia-Pacific region. This discovery came after an investigation into a security breach at a military company in the Philippines. The researchers describe the malware as a “unified” system where its components work together seamlessly. The attack starts with a loader called EggStremeFuel, which sets up the environment before the main payload is delivered. The ultimate goal is to deploy EggStremeAgent, a full-featured backdoor capable of reconnaissance, data theft, and modifying or deleting files.
The EggStreme framework is particularly difficult to detect because it runs largely fileless. Encrypted modules do sit on disk, but the malicious code is only decrypted and executed in memory, so file-based scanners see encrypted blobs and legitimate signed executables rather than recognizable malware. Combined with DLL sideloading, in which a trusted, signed program is tricked into loading a malicious DLL placed alongside it, this makes the framework very stealthy; catching it depends on memory scanning, image-load telemetry and behavioral detection rather than file signatures.
The main backdoor, EggStremeAgent, is a powerful tool with 58 distinct commands. It can collect system data, manipulate files, run commands, and inject additional payloads. It also injects a keylogger into explorer.exe each time a new user session begins, letting it capture keystrokes and clipboard contents. The malware talks to its command-and-control servers over encrypted gRPC channels (gRPC is the open-source RPC framework originally developed by Google), so network defenders cannot rely on inspecting the payload and must instead watch destinations and connection metadata.
To maintain access, the attackers deploy a secondary tool called EggStremeWizard. This lighter backdoor also relies on DLL sideloading, this time through the legitimate Windows binary xwizard.exe, and carries its own list of fallback servers so it can reconnect if the primary C2 becomes unavailable. The framework also bundles Stowaway, an open-source multi-hop proxy, which lets the attackers route traffic through hosts they have already compromised and reach internal segments that firewalls and network segmentation would otherwise keep out of direct reach.
Bitdefender warns that the campaign is still active and recommends that organizations in the region apply the published indicators of compromise to protect themselves. For technical details and a list of these indicators, they have provided information through their IntelliZone Portal and public GitHub repository.