A previously unknown advanced persistent threat (APT) group has unleashed a new fileless malware framework, dubbed EggStreme, in a highly targeted espionage campaign against strategic organizations.
Emerging in early 2024, EggStreme exploits the legitimate Windows Mail executable (WinMail[.]exe) to sideload a malicious library, allowing attackers to achieve in-memory code execution without writing decrypted payloads to disk.
This technique evades traditional file-based defenses and has set off alarms among security teams operating in sensitive sectors.
The attack chain begins when a logon script delivered via an exposed SMB share executes WinMail[.]exe from the user's AppData directory.
Instead of loading the genuine .NET runtime library, the binary inadvertently loads mscorsvc[.]dll, which contains the first-stage loader.
Once loaded, this DLL establishes a reverse shell by invoking cmd[.]exe and creating read/write pipes to a command-and-control (C2) server.
Lateral movement and persistence are then orchestrated through hijacked Windows services that run with elevated privileges.
Bitdefender analysts noted that the EggStreme framework consists of several tightly integrated components, each responsible for a distinct phase of the operation.
The EggStremeLoader, registered as a service, reads an encrypted payload file (ielowutil[.]exe[.]mui) and extracts two further layers: a reflective loader and the core backdoor agent.
By leveraging reflective injection into trusted processes like winlogon.exe or explorer.exe, the adversary ensures continuous execution in memory.
This multi-stage approach, with each layer decrypted and injected only when needed, makes detection exceedingly difficult.
In its final form, the EggStremeAgent establishes a gRPC-based communication channel secured by mutual TLS, authenticating with certificates issued by a shared malicious certificate authority.
EggStreme multi-stage infection flow (Source – Bitdefender)
Once the backdoor is in memory, its 58 commands enable remote fingerprinting, file manipulation, registry operations, process injection, and sophisticated lateral movement such as RPC scans and WMIC-based remote process creation.
Infection Mechanism and DLL Sideloading
EggStreme's initial infection leverages a subtle but powerful code snippet to hijack the search order for Windows libraries.
EggStremeWizard (Source – Bitdefender)
By placing a malicious DLL alongside WinMail.exe, the malware forces the legitimate binary to load attacker-controlled code. A representative snippet is shown below:
// Pseudo-code illustrating DLL sideloading: the host process asks for the
// library by name only, so a same-named DLL in its own directory is found first.
#include <windows.h>

HMODULE hModule = LoadLibraryA("mscorsvc[.]dll");
if (hModule) {
    FARPROC pFunc = GetProcAddress(hModule, "CorBindToRuntime");
    if (pFunc) {
        pFunc();  // control passes to whatever code the loaded DLL exports
    }
}
When WinMail.exe calls LoadLibraryA("mscorsvc[.]dll"), the Windows loader searches the local directory first, finding the malicious DLL instead of the system version.
The loader decrypts its payload using an RC4 key ("Cookies"), checks for an on-disk configuration at %APPDATA%\Microsoft\Windows\Cookies\Cookies[.]dat, and updates its in-memory C2 list accordingly.
The initial handshake includes a 32-byte RC4-encrypted key exchange, ensuring integrity before the shell is created.
Persistence is achieved through two complementary approaches. In some instances, the attackers alter the ServiceDLL registry value under HKLM\SYSTEM\CurrentControlSet\Services\<service name>\Parameters to point to a malicious DLL.
In others, they replace service binaries and grant SeDebugPrivilege, allowing the malicious payload to run under the context of a trusted Windows service.
Both methods ensure that EggStreme components are reloaded on every reboot, maintaining a resilient foothold.