BleepingComputer reports that Middle Eastern government entities and internet service providers have been targeted with attacks involving novel Eagerbee malware framework variants that may be associated with the CoughingDown threat operation.
Eagerbee had previously been deployed against South Asian organizations by targeting the Microsoft Exchange ProxyLogon bug, tracked as CVE-2021-26855. In the new intrusions, the attackers delivered a payload file-loading injector that executes at system start and then abuses the Themes, SessionEnv, MSDTC, and IKEEXT services to write the backdoor into memory, according to an analysis from Sophos researchers. After gathering operating system information, network addresses, and other host details, Eagerbee opens a TCP/SSL channel over which it injects its plugins: the File Manager Plugin (file permission modification and volume label management), the Process Manager Plugin (command line execution), and the Remote Access Manager, Service Manager, and Network Manager plugins, the researchers said. Immediate patching of Exchange servers vulnerable to ProxyLogon has been recommended.
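As an added defender-side triage check (example code, not from Sophos, BleepingComputer, or the Eagerbee analysis), the following PowerShell inventories how the four Windows services named above are hosted and flags any service binary, ServiceDll, or loaded module that lives outside %SystemRoot%; treating SystemRoot as the expected location is a constructed baseline for triage, not a documented Eagerbee indicator, so findings such as third-party security DLLs still need analyst review.

```powershell
# Added triage check: inventory the services named in the analysis and flag
# hosting paths outside %SystemRoot%. Run elevated on the host under review.
# The SystemRoot baseline is an assumption, not a published Eagerbee IOC.

$ServiceNames = 'Themes', 'SessionEnv', 'MSDTC', 'IKEEXT'
$SystemRoot   = $env:SystemRoot

function Get-ServiceHostingInfo {
    param([string]$Name)
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $svc = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    # svchost-hosted services keep their implementation DLL under Parameters\ServiceDll
    $serviceDll = (Get-ItemProperty -Path (Join-Path $regPath 'Parameters') -ErrorAction SilentlyContinue).ServiceDll
    $proc = Get-CimInstance Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service    = $Name
        ImagePath  = $svc.ImagePath
        ServiceDll = $serviceDll
        ProcessId  = $proc.ProcessId
        State      = $proc.State
    }
}

function Test-PathUnderSystemRoot {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $true }   # nothing to judge
    # ImagePath values are typically "%SystemRoot%\System32\svchost.exe -k ..."; expand and compare the prefix
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    return $expanded.StartsWith($SystemRoot, [StringComparison]::OrdinalIgnoreCase)
}

foreach ($name in $ServiceNames) {
    $info = Get-ServiceHostingInfo -Name $name
    if (-not $info) { Write-Warning "$name not present on this host"; continue }
    $flags = @()
    if (-not (Test-PathUnderSystemRoot $info.ImagePath))  { $flags += 'ImagePath outside SystemRoot' }
    if (-not (Test-PathUnderSystemRoot $info.ServiceDll)) { $flags += 'ServiceDll outside SystemRoot' }
    # A running service process hosting a DLL from an unexpected directory is
    # worth a closer look, since the page describes in-memory backdoor writing.
    if ($info.ProcessId) {
        try {
            $modules = (Get-Process -Id $info.ProcessId -ErrorAction Stop).Modules |
                Where-Object { -not (Test-PathUnderSystemRoot $_.FileName) } |
                Select-Object -ExpandProperty FileName
            if ($modules) { $flags += "non-SystemRoot modules: $($modules -join ', ')" }
        } catch { $flags += "module list unavailable: $($_.Exception.Message)" }
    }
    $info | Add-Member -NotePropertyName Findings -NotePropertyValue ($flags -join '; ') -PassThru
}
```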