
Chinese APT Unleashes EggStreme Fileless Malware to Target Philippine Military Systems

An advanced persistent threat (APT) group from China has been linked to a cyber attack on a military company in the Philippines, utilizing a sophisticated fileless malware framework known as EggStreme. This malware operates by injecting malicious code directly into the system’s memory, employing techniques like DLL sideloading to execute its payloads without leaving typical traces.

Bitdefender researcher Bogdan Zavadovschi reported that the primary component, EggStremeAgent, functions as a backdoor tool, facilitating extensive reconnaissance, lateral movement within affected systems, and data theft, including the use of a keylogger.

The Philippines has been a recurrent target for Chinese state-sponsored hacking, especially amid rising geopolitical tensions in the South China Sea, which involve disputes between China, Vietnam, the Philippines, and other nations in the region.

Bitdefender first identified traces of this malware in early 2024, describing EggStreme as a cohesive set of malicious tools designed to maintain persistent access on compromised machines. The initial stage kicks off with a payload dubbed EggStremeFuel, which profiles the target system, followed by EggStremeLoader to ensure persistence, ultimately leading to the activation of EggStremeAgent.

EggStremeFuel handles a range of functions, including system profiling and establishing a communication channel with a command-and-control (C2) server, which lets it gather system data, execute commands, and transfer data. It plays a pivotal role in the malware’s operations, regularly communicating with its C2 infrastructure over a channel that supports a wide range of operator commands.

The framework’s central hub, EggStremeAgent, tracks user sessions and introduces a keylogger for each session to capture sensitive information. The backdoor connects to its command server through Google’s Remote Procedure Call (gRPC), showcasing its advanced capabilities.

Additionally, the malware incorporates a secondary backdoor, codenamed EggStremeWizard, which grants reverse shell access along with file upload and download functionalities. Its meticulous design includes a roster of multiple command-and-control servers, enhancing its resilience against shutdown attempts.

The framework’s fileless nature complicates defense further: code is executed directly in memory, leaving few traces on disk, and DLL sideloading is used to launch the payloads under the cover of legitimate, signed executables, which helps evade detection. This layered approach makes EggStreme a formidable threat.
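Because the article singles out DLL sideloading as the technique that gets EggStreme's payloads running, it is worth seeing what the defender-side check looks like. The script below is an added example, not code from the article or from Bitdefender's research: it runs a simple sideloading heuristic over image-load telemetry shaped like Sysmon Event ID 7 (ImageLoaded) records. The field names, the small list of commonly impersonated system DLL names, and every sample path are constructed assumptions for illustration, not indicators from this campaign.

```python
"""Heuristic detection of DLL sideloading from image-load telemetry.

Added example, not part of the original article or Bitdefender's
research. The event records below are constructed to resemble Sysmon
Event ID 7 (ImageLoaded) fields; field names and sample paths are
assumptions for illustration only.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which Windows normally loads its own system DLLs.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Small, hand-picked set of system DLL names that sideloading campaigns
# commonly impersonate (assumption). In production this list would be
# generated from a clean reference image rather than maintained by hand.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}


@dataclass(frozen=True)
class ImageLoad:
    process_image: str   # full path of the process that loaded the DLL
    image_loaded: str    # full path of the DLL that was loaded
    signed: bool         # whether the DLL carries a valid Authenticode signature
    signature: str       # signer subject, "" if unsigned


def _under_trusted_dir(path: PureWindowsPath) -> bool:
    """True if `path` lives under one of the system DLL directories (case-insensitive)."""
    parts = [p.lower() for p in path.parts]
    for trusted in TRUSTED_DIRS:
        tparts = [p.lower() for p in trusted.parts]
        if parts[:len(tparts)] == tparts:
            return True
    return False


def sideload_findings(events):
    """Return (event, reason) pairs for loads that look like DLL sideloading.

    Heuristic: a DLL whose file name matches a known system DLL, loaded from
    outside the system directories (typically from the loading executable's
    own folder, the classic search-order layout), and which is unsigned or
    signed by someone other than Microsoft.
    """
    findings = []
    for ev in events:
        dll = PureWindowsPath(ev.image_loaded)
        exe = PureWindowsPath(ev.process_image)
        if dll.name.lower() not in KNOWN_SYSTEM_DLLS:
            continue                      # not impersonating a system DLL
        if _under_trusted_dir(dll):
            continue                      # genuine system copy
        reasons = []
        if dll.parent == exe.parent:      # PureWindowsPath compares case-insensitively
            reasons.append("system-named DLL loaded from the executable's own directory")
        else:
            reasons.append("system-named DLL loaded from a non-system directory")
        if not ev.signed:
            reasons.append("DLL is unsigned")
        elif "microsoft" not in ev.signature.lower():
            reasons.append(f"DLL signed by non-Microsoft signer: {ev.signature}")
        findings.append((ev, "; ".join(reasons)))
    return findings


# Constructed sample telemetry (not real indicators from the campaign).
SAMPLE_EVENTS = [
    # benign: version.dll loaded from System32
    ImageLoad(r"C:\Program Files\Vendor\tool.exe",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    # suspicious: unsigned version.dll sitting next to an executable in a user-writable path
    ImageLoad(r"C:\Users\Public\Libraries\update\svc.exe",
              r"C:\Users\Public\Libraries\update\version.dll", False, ""),
    # benign: vendor's own helper DLL, not a system DLL name
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\app_helper.dll", False, ""),
    # suspicious: dbghelp.dll signed by a third party, outside System32
    ImageLoad(r"C:\Temp\x\legit.exe",
              r"C:\Temp\x\dbghelp.dll", True, "Example Corp"),
]

if __name__ == "__main__":
    for ev, why in sideload_findings(SAMPLE_EVENTS):
        print(f"{ev.process_image} -> {ev.image_loaded}: {why}")
```

The heuristic deliberately keys on the combination of a system DLL name, a non-system load path and a missing or non-Microsoft signature; any one of those alone produces noise on real fleets (vendors do ship redistributed copies of some of these DLLs), so in practice the findings are triaged against a baseline of known-good loads before alerting.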

Bitdefender emphasized that the EggStreme malware family represents a highly advanced and multi-layered risk, adept at achieving ongoing access, facilitating lateral movement, and exfiltrating data while demonstrating a significant understanding of contemporary defensive strategies.


