Research Saturday 1.10.26
Ep 407 | 1.10.26

Walking on EggStremes.

Transcript

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Martin Zugec: We started seeing some signs of the new malware framework, I want to say, in late 2024, and at this moment, we've collected enough information about the infrastructure itself, about the framework, all the different components, the TTPs of the threat actors, so we decided to make it public.

Dave Bittner: That's Martin Zugec, Technical Solutions Director from Bitdefender. The research we're discussing today is titled "EggStream Malware: Unpacking a New APT Framework Targeting a Philippine Military Company." [ Music ] Well, what stood out to you in this case that made you realize you're looking at something new?

Martin Zugec: A couple of different things. So I would say the most interesting overall thing is that this is a multi-stage tool set, and what I mean by this is that calling something "malware framework" can range from, oh, there are two tools that are kind of similar in the same family to it is a collection of tools that are adopted, for example, from GitHub, all the way to professional frameworks like this one that are used by APT. What I mean by professional frameworks is that, again, this is a multi-stage tool set where each of the tools has a small role. It's really hard to detect, and only if you combine all these components together, you realize that you have something that's incredibly powerful.

Dave Bittner: Well, for folks who may not be familiar with it, can you describe to us what we are talking about when we say that something is "fileless"?

Martin Zugec: Yes. So fileless means, effectively, that the code itself is not touching the disk. The most common definition of fileless, to be honest, it's quite simple. It's PowerShell. There is no script. There is just command line. We also call it fileless. In this case, it's a slightly different definition that we are using because the malware itself, the way -- how it's designed, there is never any decrypted part of the malware itself that is touching the disk. So all the components that we have, when they are present on the disk, they are completely encrypted. Like, the code is inactive. It's just the storage itself. You cannot even decrypt it. As soon as the payload itself is decrypted, it is never touching any disk. It is just running in the memory, injected into different processes, and so on. So, again, in this case, the big differentiation is the decrypted payload itself is never touching any disk anyway.

Dave Bittner: And what challenges does this add to detection?

Martin Zugec: There are a couple of different challenges, so the first one is that scanning the memory is actually much more expensive from a performance perspective. So endpoint security solutions are always balancing what is going to be, pretty much, the ratio between performance and the protection they offer. So, for example, Bitdefender multi-layered security, we are looking at the memory. We have tons of optimizations -- how to do it -- but, again, a lot of endpoint security is kind of ignoring the memory because it's a really expensive operation to perform, so that's number one. Number two is that, for example, in the case of EggStream framework, they are injecting into existing processes. So the behavior that we have seen with EggStream is that it's actually looking if Microsoft Defender is present on the system. If yes, it will inject the malicious payload into Defender. If Defender is not present, then they are going to inject it into Explorer.exe. So, again, the fileless, from detection perspective, it's much harder to build the malware, develop it, but it's also beneficial if you have, really, like, professional detectors because it's much harder to detect.

Dave Bittner: Well, and let's back up for just a second here. What's the story of the name? Why EggStream?

Martin Zugec: I knew you were going to ask that, and to be honest, I have no idea. So when I started working on this research, that was one of the first questions I got, but because we have been monitoring this for so long, no one actually remembered why we decided to give it this name. So it's just all the pieces of the documentation, we were always referring to it as EggStream, and we don't know who gave it the first name. It usually doesn't happen. In this case, I find it really funny.

Dave Bittner: Right. It's a bit of legacy data, right?

Martin Zugec: Exactly. Very often, what happens is that when we do research and we are not sure yet is it going to be significant -- what are we going to find, we just need to name individual components. So here, what we decided is that we will use the prefix EggStream; so we have EggStream Fuel, EggStream Loader, EggStream Reflective Loader, EggStream Agent. So again, because there are multiple different malware components that are part of this tool set, we needed to name them, and someone just came up with a name. And again, like, we couldn't figure out which one it was that originally named a piece of the code EggStream. But it stuck, the name stuck; we like it.

Dave Bittner: [Laughter] Well, I have to say I'm showing great restraint to not channel the old Batman villain, Egghead, and start doing egg-related puns about how "egg-cellent" your research is. I think I just did that. So --

Martin Zugec: There you go.

Dave Bittner: -- the report describes a multi-stage infection chain. Can you take us through, step by step, what this process is? How does EggStream take over a system?

Martin Zugec: So the first thing, again, a very common question that we typically get with APT research is questions about initial access. And the reality is -- and this is, again, the same case -- very often we just don't know. APT operations are multi-year operations. You look at a company where they have rotation logs of seven days, and you try to figure out something that happened five years ago? Well, good luck with that. So in this case, again, we don't know initial access. We just know it probably happened years ago. The first sign of the attack that we found was, actually, the deployment of the logon script where, on one of the machines, it dropped the winmail.exe, the built-in Windows Mail client, completely legitimate executable. This was not the malware itself. Now, what the attackers actually did is that they didn't only copy the winmail.exe, again, completely legitimate Windows executable, but they also copied another DLL library that was malicious and put it next to this one. So the DLL they used in this case is the mscore-svc.dll. We've seen this actually being used in multiple attacks by Chinese APTs. At this moment, I would say, this is part of the curriculum of offensive security for these groups, so we are seeing this particular library being abused and hijacked all the time. So what I mean by being abused, this is a classic example of the DLL sideloading. I actually wrote an explainer about what it is when this technique was relatively uncommon and rare. So if you Google DLL sideloading, the first hit you are going to get is the explainer that I wrote. Really, the way -- how this works is that you launch executable -- like the winmail.exe -- and what it's going to do is that it has a list of libraries that it needs to function, and it is going to look for those libraries in multiple locations. 
In the typical scenario, it's going to load them from the System32 folder, but there is one location that is the first one, and that is the same folder where the executable is running from. So in the past, many years, 20 years ago, we used this trick to pretty much fix DLL incompatibilities. If you needed different versions of the DLL, you would just put it in the same folder as executable. Today, it's mostly attackers that are using it because what they will do is that they have legitimate executable. They put a malicious library with the same name and exported function name as the real library, so what's going to happen is you run the executable itself. It's going to find this malicious library next to it, and it's going to execute it. So something that is much harder to detect unless your endpoint security is aware of this DLL sideloading technique. So again, today, I would say this is a classic example, and we are seeing this technique adopted by pretty much all the Chinese APT groups, so, yeah, a very common part of the playbook.

Dave Bittner: You mentioned that there are multiple elements to this, and one of them is the EggStream agent backdoor, and that supports, what, 58 or so commands? What do these things let the attackers do once they're in a compromised network?

Martin Zugec: Yes, so we are actually going through multiple stages, so the first one I was talking about, that "EggStream fuel." That's the first stage. Then we are going to have two additional loaders. And finally, the final payload is going to be, as you mentioned, the EggStream Agent. So in total, there are 58 commands that it supports, and it's everything from the system fingerprinting, getting detailed host information, resource enumeration, so scanning local remote network resources, privilege escalation, different types of command execution, data exfiltration, lateral movement, process injection, so everything you can imagine. The way -- how this works is the command and control server doesn't actually send any code. It's just telling EggStream Agent the numbers. Yeah, so for example, numbers, if I'm the command and control server and I send just number 17 to the implant, it's going to give me back the configuration of the agent, and every number means something. So the numerical IDs they are using are ranging from 0 to 66. Some of the numbers are missing, probably some kind of development and testing, so we're documenting the 58 different commands that are available, again, from some very basic stuff to really advanced lateral movement and advanced execution and privilege escalation. [ Music ]

Dave Bittner: We'll be right back. [ Music ] Well, you mentioned China. What else do we know about who might be behind this and what their goals are?

Martin Zugec: So we don't really know which APT group it is. We spent a lot of time on attribution, but to be honest, all the links that we found were so weak that we just decided to skip the attribution in this case because, again, one of the techniques that we've seen here was the DLL sideloading. Today, we see the same technique adopted by all the different Chinese APT groups. So instead of giving the attribution when it's really weak, in this case, we just decided we will attribute it to an interest, not to a specific group. We have seen, actually, quite a lot of misattributions for Chinese APTs in the region. One of the things they like to do is kind of leaving a little bit of, like, misdirection behind. So one thing we noticed is last year we documented a new group, Unfading Sea Haze. We mapped all the infrastructure, everything they are doing. We've seen multiple researchers that actually attributed that piece of malware, only the small part of the operation that we uncovered, to Russians because there were some comments in "en has Bucha" [phonetic] for example. That is very common. We see that all the time. So, for example, in EggStream malware, I think there is one decryption string, which is, like, "USA is the best." Again, like, these kinds of misdirections and clues, they are, like, a typical sign of the craftsmanship of the Chinese APTs. So, again, the interest -- again, this was in the Philippines, a military company, aligns -- and what they were going after, aligns with Chinese interests, but we cannot attribute this to any specific group.

Dave Bittner: Okay. Well, let's talk about persistence and stealth then. They were able to stay hidden for quite a long time, and you mentioned in the research that they were abusing some legitimate Windows services. Can you describe those for us?

Martin Zugec: Yes, so it was, actually, a really simple method that they are using. Instead of creating new services that can be detected, they were just looking for services that existed already on the Windows machine but were disabled or set up to run manually. So a couple of examples, I remember there was group policy software deployment, the app management, for example. There was also the software-based management for shadow volume copies, not the VSS itself, just the management layer itself, iSCSI service, for example, and what they did was very simple. In some cases, we've just seen them redirecting the DLL that will be loaded by the service. Very often, they just removed, like, one letter. So, for example, the group policy software deployment is app.mgmt.dll, and they use app.mgmt.s.dll, so something that is really hard to spot. In other cases, they actually redirected -- they either replaced the DLL file, so they didn't touch the service configuration, but they changed the destination file. Or in other cases, they actually changed the configuration, so kept the original library, put the new malicious library, and changed what the service itself is going to execute. So a bunch of both, we've seen different approaches. That's quite common. Now, for the persistence itself, we can talk about loaders, because that was also quite interesting how they handled this.

Dave Bittner: Yeah, let's hear it.

Martin Zugec: Okay. So as I was saying, what they did is they hijacked one of the Windows services. At the end, what they were executing was the EggStream Loader, and this loader is executed every 10 minutes by default. All it's doing is that it is just looking at the file on the disk, and that file contains an encrypted collection of malware. What I mean by this is the EggStream Loader knew specifically that, for example, the first four bytes of the file are going to define the length of the second segment that needs to be extracted from that file, and the remainder of the file after is EggStream Agent. So, again, it was not as simple as just decrypting the file. It was really one file that contained a collection of the malware, and you needed to know exactly how to extract it from that file. So what it was doing, the EggStream Loader, the service itself, is it would look at this file, .mui, the multi-user interface file. It would read the first four bytes, which is going to tell it the length of the second segment. The second segment itself is going to be EggStream Reflective Loader, so Reflective Loader is going to be injected into the winlogon.exe. We are going to have the second malware that will be injected in the winlogon.exe. What this one is going to do is that it will go back to the multi-user interface file. It will read the last segment, that is the EggStream agent, and then, it's going to have a look. Do I have Microsoft Defender on the system? If yes, I'm going to inject it there. If not, I'm going to inject it into Explorer.exe. Explorer.exe, this is the moment when we have the main backdoor, the EggStream Agent, running. We can also talk about what the EggStream Agent itself was doing, how it was monitoring the environment. EggStream Agent, and we've seen a couple of different versions injected in different ways. All of this is documented in the research itself. 
What it was doing is that we've seen it also, again, supporting 58 different commands, like, anything you might wish to do. We've seen two special cases. One was that on a couple of different occasions, it dropped another backdoor that we called EggStream Wizard, very lightweight, using the DLL sideloading. As I mentioned, again, part of this framework approach is that we've seen the consistent use of advanced techniques across different pieces of the malware. More importantly, this, actually, also, deployed the EggStream Keylogger, which was responsible for getting the information out of the system. So the EggStream Keylogger is monitoring the system. It's looking for notifications that there is a new user that has logged in. When the user logged in, the malware is going to wait for the child process, explorer.exe, meaning interactive session. When this process is launched, the malware is going to decrypt the EggStream Keylogger, again, from the .mui file and is going to inject it into this new user's Explorer.exe, so we will have multiple injections. So the keylogger itself is, of course, going to log all the keys. That's not surprising, but it's also going to monitor the clipboard, exfiltrate the data. It had a bunch of different functionality, how to exfiltrate all this data.

Dave Bittner: How do you rate the sophistication of this threat actor?

Martin Zugec: Very high. So, again, it's one thing to develop a piece of malware, especially if it's just a variation of something that is on the GitHub. It is completely different to develop the malware from scratch. That is -- and, again, if we are talking about advanced malware that is using DLL sideloading, running fileless in memory, injecting itself into different processes, and you have multiple components that work together to achieve the goal, this was a really sophisticated malware that we were monitoring.

Dave Bittner: Well, you mentioned that they were targeting an organization in the Philippines. Just more broadly, what should security teams be taking away from this research?

Martin Zugec: So, broadly, what I would say is we have seen -- what we are seeing with APT groups are two different behaviors. The first one is how they move around the environment. And here, at this stage, they are heavily relying on living off the land attack techniques. They are using LOLBins. They are pretty much relying on the tools that exist on the network, so this initial stage -- how they get in, how they move around -- it's very similar to financially motivated threat actors. It is the same playbook, effectively, but at the end, the final stage of the attack for them is continuous exfiltration of the data. So what they -- and here is the difference between, for example, ransomware affiliates and APT groups, because APT group, for the final stage of the attack, they are typically relying on the custom-made malware; while the ransomware affiliates, again, typically, stay with living off the land attack techniques. So what I would suggest, or what the typical recommendations are, is of course the same: defense and that multi-layered security. That is, staying the same for a really long time and is still, like, the best recommendation, but try to proactively limit or block LOLBins, because, again, that is how they get to that final stage. Another thing that we see all the time in our investigations, make sure that you have detection and response capabilities -- so EDR, XDR solutions -- properly deployed and configured. One of the things that we are seeing is that most of the attacks originate from unmanaged devices. So it's very common that, again, there is just no visibility into the attack until it's too late. And finally, the second thing that we are also seeing with investigations quite frequently is there is EDR or XDR deployed in the environment, but no one is monitoring it. So at the end, when we look back after our investigation, very often we see there are red flags all over the place. 
All the security controls are working, have been raising alerts, but there is no SOC or MDR team that would respond in the time. So all these red flags were just ignored or not monitored, and that's how the attack succeeded at the end. So have the tools and make sure that you have people that have the skills and, of course, have the headcounts to actually respond to those. [ Music ]

Dave Bittner: Our thanks to Martin Zugec from Bitdefender for joining us. The research is titled "EggStream Malware: Unpacking a New APT Framework Targeting a Philippine Military Company." We'll have a link in the show notes, and that's "Research Saturday" brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to CyberWire@n2k.com. This episode is produced by Liz Stokes. We're mixed by Elliot Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Peter Kilpie is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]