This report analyses a sophisticated cyber-attack targeting a military company based in the Philippines, which led to the discovery of a new and advanced malware toolset. Based on the target’s strategic value and the geopolitical context of the South China Sea, the attackers’ tactics, techniques, and procedures (TTPs) are consistent with those of Chinese APT groups. The attackers’ primary focus was to achieve persistent access for long-term espionage and surveillance, highlighting the work of a highly professional threat actor whose objectives align with known national interests.
The core of our findings centres on the EggStreme framework, a tightly integrated set of malicious components. Unlike traditional malware, this framework operates with a clear, multi-stage flow designed to establish a resilient foothold on compromised systems. The attack begins with EggStremeFuel, which deploys EggStremeLoader to set up a persistent service. This loader then executes the EggStremeReflectiveLoader, which in turn launches the main EggStremeAgent.
The EggStremeAgent is the central nervous system of the framework. It operates by monitoring new user sessions and, for every new session detected, it injects the EggStremeKeylogger into the active explorer.exe process to silently collect keystrokes and other sensitive data. This agent is a full-featured backdoor with a broad range of capabilities. Its 58 commands enable the attackers to perform extensive local and network discovery, enumerate system resources, execute arbitrary shellcode, move laterally, or inject other payloads, most notably the EggStremeWizard backdoor. To deliver EggStremeWizard, the attackers launch a legitimate binary that sideloads the malicious DLL, a technique they abuse consistently throughout the attack chain.
What makes this framework difficult to detect is its fileless nature. Although encrypted malware components are stored on disk, the decrypted malicious code is executed and resides solely in memory and is never written to disk in decrypted form. This, coupled with the heavy use of DLL sideloading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat.
Technical Analysis Overview
The first sign of malicious activity that triggered our investigation in early 2024 was the execution of a logon batch script from a server message block (SMB) share. The exact method by which the script was placed on the SMB share is unknown and remains a key area of investigation.
The script’s primary function was to deploy two files to the Windows directory: a legitimate Windows binary and a malicious dynamic-link library (DLL). This is a classic example of DLL sideloading, a technique where an attacker places a malicious DLL in a location where a legitimate program will search for it. When the legitimate binary is executed, it loads the malicious DLL instead of the system’s original version. This allows the attacker to execute their malicious code under the guise of a trusted program, bypassing many security controls.
The malicious mscorsvc.dll is the first stage of the attack chain, referred to as EggStremeFuel. This component serves as a loader and is responsible for setting up the environment for the final payload. EggStremeFuel includes capabilities for system fingerprinting, which allows the attacker to gather information about the compromised machine. Its most critical function is to establish a reverse shell, which it does by invoking a command prompt and creating a communication channel with the command-and-control (C2) server using read-write pipes. This provides the attacker with a remote command-line interface on the compromised system.
To maintain a persistent presence, the attacker abused several disabled Windows services. This was accomplished by either altering the service’s associated registry key to point to a malicious executable or by directly replacing the legitimate service binary with their own. In both scenarios, the attacker configured the service to run with SeDebugPrivilege, a highly elevated right that allows a process to debug and access the memory of other processes on the system.
The malicious binary executed by these services is named EggStremeLoader. This component is responsible for reading a file that contains both the encrypted EggStremeReflectiveLoader and the EggStremeAgent payload. After decrypting the reflective loader, it injects it into a trusted process. The EggStremeReflectiveLoader uses a token from its host process to spawn a new, suspended process. It then decrypts and injects the final payload, the EggStremeAgent, into this new process.
This final implant, named EggStremeAgent, is a sophisticated backdoor that communicates with the C2 server using the gRPC protocol. gRPC is a modern, high-performance, open-source framework for building remote procedure calls (RPCs).
EggStremeAgent is feature-rich, supporting a total of 58 distinct commands. These commands enable a wide range of capabilities, including:
- System Fingerprinting: Gathering detailed host information.
- Resource Enumeration: Scanning local and remote network resources.
- Privilege Escalation: Gaining higher-level permissions.
- Command Execution: Running arbitrary commands on the system.
- Data Exfiltration: Stealing sensitive data.
- File and Directory Manipulation: Creating, deleting, and modifying files.
- Process Injection: Injecting code into other running processes.
On several machines, a secondary, more lightweight backdoor was observed. The attacker used the legitimate xwizard.exe to sideload a malicious DLL named xwizards.dll, which has been named EggStremeWizard. This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience and ensuring that communication with the attacker can be maintained even if one C2 server is taken offline.
Persistence
After gaining access to the infrastructure through their initially deployed backdoor, EggStremeFuel, the attackers shifted their focus to establishing a stealthy form of persistence. To avoid detection, they leveraged legitimate Windows services that are not enabled by default – those configured with a startup type of Manual or Disabled. This allowed them to blend into normal system operations while maintaining access. Across multiple compromised machines, the following services were observed being abused:
The persistence setup varied across machines, but two main approaches were identified. In the first, upon gaining access to a new machine, the attackers deployed the initial backdoor, EggStremeFuel, and used its reverse shell capabilities to manually execute the required commands. In other cases, tools resembling Impacket were observed being used to run commands manually.
When persistence was set up manually, the attackers altered file permissions, granted SeDebugPrivilege to the targeted service, and then started that service. A conceptual sequence of these commands is provided below:
In this sequence, a temporary malicious file named svchost.dat (which contains the malicious code) is renamed to a legitimate-looking filename, appmgmts.dll, to evade detection. In other cases, instead of simply replacing the existing DLL file, the attackers modified the ServiceDLL registry value to load a malicious DLL in place of the legitimate one.
Every analysed configuration file for the EggStremeAgent consistently used the same certificate authority (CA). This CA, identified by its unique Subject Key Identifier, acted as the trusted root for the attackers’ entire infrastructure. It issued certificates to all the C2 servers, enabling secure, mutual TLS communications. By using the unique identifier from the certificate authority as a starting point, we were able to find other C2 servers that were also linked to it, ultimately revealing more of the attackers’ network.
Our investigation discovered a C2 server, which used a certificate for the domain fsstore[.]org. We then found a newer certificate for that same domain on a different IP, 45.115.224.163. The unique Authority Key Identifier on this new certificate suggests the attackers are actively refreshing their infrastructure. This identifier can be used to uncover other C2 IP addresses tied to the campaign, giving us a clearer view of their updated network.
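As an added illustration of the certificate pivot described above (not the report's own tooling), the following standard-library Python pulls the Subject Key Identifier and Authority Key Identifier extensions out of DER-encoded certificates and lists the hosts whose leaf certificate was issued under a given CA key. It locates each extension by searching for its encoded OID, which is a shortcut rather than a full X.509 parser, and the certificate blobs are constructed minimal extension structures, not the campaign's real certificates.

```python
OID_SKI = bytes.fromhex("0603551d0e")   # OID 2.5.29.14, Subject Key Identifier
OID_AKI = bytes.fromhex("0603551d23")   # OID 2.5.29.35, Authority Key Identifier

def _tlv(buf, pos):
    """Decode the DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _extn_value(der, oid):
    """Contents of the extnValue OCTET STRING following `oid`, or None (OID search is a heuristic)."""
    idx = der.find(oid)
    if idx < 0:
        return None
    tag, val, pos = _tlv(der, idx + len(oid))
    if tag == 0x01:                       # optional BOOLEAN 'critical' flag
        tag, val, pos = _tlv(der, pos)
    return val if tag == 0x04 else None

def subject_key_id(der):
    """Hex SKI of a DER certificate, or None if the extension is absent."""
    inner = _extn_value(der, OID_SKI)
    if inner is None:
        return None
    tag, keyid, _ = _tlv(inner, 0)        # SubjectKeyIdentifier ::= OCTET STRING
    return keyid.hex() if tag == 0x04 else None

def authority_key_id(der):
    inner = _extn_value(der, OID_AKI)     # hex keyIdentifier from the AKI, or None
    if inner is None:
        return None
    tag, seq, _ = _tlv(inner, 0)          # AuthorityKeyIdentifier ::= SEQUENCE
    pos = 0
    while tag == 0x30 and pos < len(seq):
        t, val, pos = _tlv(seq, pos)
        if t == 0x80:                     # [0] keyIdentifier
            return val.hex()
    return None

def pivot_on_ca(certs_by_host, ca_ski):
    """Hosts whose certificate was issued under the CA key `ca_ski` (the report's pivot)."""
    return sorted(h for h, der in certs_by_host.items() if authority_key_id(der) == ca_ski)

# Constructed minimal extension blobs; not the campaign's certificates
_KEYID = bytes(range(1, 21))
CA_CERT = b"\x30\x1d" + OID_SKI + b"\x04\x16\x04\x14" + _KEYID
C2_CERT = b"\x30\x1f" + OID_AKI + b"\x04\x18\x30\x16\x80\x14" + _KEYID
OTHER_CERT = b"\x30\x1f" + OID_AKI + b"\x04\x18\x30\x16\x80\x14" + bytes(20)
```

Feeding `pivot_on_ca` a map of scanned hosts to their DER certificates and the CA's SKI returns the hosts that chain to that CA, which is the clustering step the report describes.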
Conclusion and Recommendations
The EggStreme malware family is a highly sophisticated and multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection.
This modular, fileless, and living-off-the-land (LOL) approach highlights a significant shift in adversary tradecraft. The threat is not a collection of individual executables but a dynamic, multi-stage operation that leverages legitimate tools and system behaviours to remain undetected.
To effectively counter threats like EggStreme, security practitioners must adopt a defence-in-depth strategy.
- Proactively Limit LOLBins: Reduce your attack surface by limiting the use of legitimate but high-risk binaries. Implement Proactive Hardening and Attack Surface Reduction (PHASR) to restrict built-in tools like wmic.exe and other LOLBins.
- Adopt Detection and Response Capabilities: A robust security platform like Bitdefender GravityZone with strong EDR/XDR capabilities is essential. Such platforms correlate events across multiple endpoints to identify complex attack chains and detect behavioural anomalies that bypass prevention layers. This is critical for catching an event like msdt.exe spawning cmd.exe or xwizard.exe running from an unusual directory. You can learn more about EDR/XDR technology on the Bitdefender TechZone website.
- Consider Managed Detection and Response (MDR) for Operational Gaps: For organisations without a dedicated security operations centre (SOC) team or operating with a lean security staff, adopting Managed Detection and Response (MDR) services offers an effective solution. MDR acts as an extension of an in-house team, providing 24/7 expert threat hunting, rapid incident response, and continuous monitoring.
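To turn the behaviours this report calls out into hunt-ready logic, here is an added example (not code from the report or from Bitdefender) that runs four rules over constructed Sysmon-style events: msdt.exe spawning cmd.exe, xwizard.exe executing outside System32, an unsigned copy of one of the DLL names seen in this campaign being loaded, and a ServiceDLL registry value being redirected as described under Persistence. The field names (Image, ParentImage, ImageLoaded, Signed, TargetObject, Details) are real Sysmon fields; the events, paths and the AppMgmt service key are constructed.

```python
from pathlib import PureWindowsPath
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# DLL names this report ties to EggStreme sideloading or service-binary replacement
WATCHED_DLLS = {"mscorsvc.dll", "xwizards.dll", "appmgmts.dll"}
def _name(path):
    return PureWindowsPath(path).name.lower()

def rule_msdt_spawns_cmd(e):
    # Sysmon EID 1 (process create): msdt.exe has no business launching a shell
    return e["EventID"] == 1 and _name(e["ParentImage"]) == "msdt.exe" \
        and _name(e["Image"]) == "cmd.exe"

def rule_xwizard_unusual_path(e):
    # EID 1: genuine xwizard.exe lives in System32; a copy elsewhere suggests a sideloading setup
    return e["EventID"] == 1 and _name(e["Image"]) == "xwizard.exe" \
        and PureWindowsPath(e["Image"]).parent != SYSTEM32

def rule_unsigned_watched_dll(e):
    # EID 7 (image load): a watched DLL name loaded without a valid signature
    return e["EventID"] == 7 and _name(e["ImageLoaded"]) in WATCHED_DLLS \
        and e.get("Signed", "false").lower() != "true"

def rule_servicedll_redirected(e):
    # EID 13 (registry value set): a service's ServiceDLL pointed outside System32
    return e["EventID"] == 13 and e["TargetObject"].lower().endswith(r"\parameters\servicedll") \
        and PureWindowsPath(e["Details"]).parent != SYSTEM32

RULES = (rule_msdt_spawns_cmd, rule_xwizard_unusual_path,
         rule_unsigned_watched_dll, rule_servicedll_redirected)

def hunt(events):
    """Return (rule_name, event_index) for every rule that matches an event."""
    return [(r.__name__, i) for i, e in enumerate(events) for r in RULES if r(e)]

# Constructed Sysmon-style sample events; not telemetry from the incident
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\msdt.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\xwizard.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\xwizard.exe",
     "ImageLoaded": r"C:\Users\Public\xwizards.dll", "Signed": "false"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDLL",
     "Details": r"C:\Windows\Temp\appmgmts.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\xwizard.exe",       # benign: genuine location
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",      # benign: signed, in place
     "ImageLoaded": r"C:\Windows\System32\appmgmts.dll", "Signed": "true"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags the first four events and leaves the two benign ones alone; the same rules apply unchanged to real exported Sysmon events with these fields.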
By focusing on these areas, organisations can build a more resilient security posture, capable of detecting and responding to even the most covert and persistent adversaries.