China-related threat actors deployed a new fileless malware against the Philippines military

News
By published

An unknown threat actor with an unknown malware framework

China
(Image credit: Shutterstock)
  • EggStreme is a stealthy, fileless malware framework used by a Chinese threat actor to target a Philippine military company
  • It includes six modular components, enabling reverse shell access, payload injection, keylogging, and persistent espionage
  • Attribution remains uncertain, but the attack’s objectives align with known Chinese APT tactics across APAC and beyond

A Chinese threat actor attacked a Philippine military company with a never-before-seen, fileless malware framework, researchers warned.

Earlier this week, cybersecurity outfit Bitdefender published an in-depth report about EggStreme, a “multi-stage toolset that achieves low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads.”

It counts six different components: EggStremeFuel (initial loader DLL, sideloaded via a legitimate binary and establishes a reverse shell), EggStremeLoader (reads encrypted payloads and injects them into processes), EggStremeReflectiveLoader (decrypts and injects the final payload), EggStremeAgent (main backdoor implant with 58 commands), EggStremeKeylogger (grabs keystrokes and sensitive user data), and EggStremeWizard (secondary backdoor for redundancy).

Sideloading DLLs

Bitdefender tried to link the framework to known Chinese APT players, but failed to find a plausible connection, The Hacker News reported. "We put quite a lot of effort into attribution efforts, but couldn't find anything," Martin Zugec, technical solutions director at Bitdefender, told the publication. "However, objectives align with Chinese APTs. For this one, our attribution is based on interests/objectives."

The objectives for this one, it seems, are cyber-espionage, reconnaissance, and long-term, low-profile persistence, something Chinese actors are known for - not just in the Philippines, but elsewhere in the region (Vietnam, Taiwan, and other neighboring countries), as well as around the world.

Salt Typhoon is perhaps the most documented Chinese APT out there, and it was recently caught in numerous telecommunications service provider companies in the US.

The EggStreme malware framework is delivered via a side-loaded DLL file. This file was activated using trusted executables, allowing it to bypass security controls. However, how the DLL file was dropped onto the victim’s device in the first place, remains unknown.

Usual methods include supply chain compromise, deploying the DLL manually (via previously obtained access), or through drive-by compromise and lateral movement.

Via The Hacker News

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.