A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
A
We started seeing some signs of the new malware framework, I want to say, in late 2024, and at this moment we have collected enough information about the infrastructure itself, about the framework, all the different components, the TTPs of the threat actor, so we decided to make it public.
B
That's Martin Zuzic, Technical Solutions Director from Bitdefender. The research we're discussing today is titled "EggStreme: Unpacking a New APT Framework Targeting a Philippine Military Company." Well, what stood out to you in this case that made you realize you're looking at something new?
A
A couple of different things. So I would say the most interesting overall thing is that this is a multi-stage tool. What I mean by this is that calling something a malware framework can range from "there are two tools that are kind of similar, in the same family," to a collection of tools that are adopted, for example, from GitHub, all the way to professional frameworks like this one that are used by APTs. And what I mean by professional frameworks is that, again, this is a multi-stage toolset where each of the tools has a small goal, it's really hard to detect, and only if you combine all these components together do you realize that you have something that's incredibly powerful.
B
Well, for folks who may not be familiar with it, can you describe to us what we are talking about when we say that something is fileless?
A
Yes. So fileless means effectively that the code itself is not touching the disk. And the most common definition of fileless, to be honest, is quite simple: it's PowerShell. There is no script, there is just a command line; we also call it fileless. In this case it's a slightly different definition that we are using, because the malware itself, the way it's designed, there is never any decrypted part of the malware that touches the disk. So all the components that we have, when they are present on the disk, are completely encrypted; the code is inactive. It's just the storage itself, you cannot even decrypt it. As soon as the payload itself is decrypted, it never touches any disk. It is just running in memory, injected into different processes and so on. So again, in this case the big differentiation is that the decrypted payload itself is never touching any disk anyway.
B
And what challenges does this add to detection?
A
There are a couple of different challenges. So the first one is that scanning the memory is actually much more expensive from a performance perspective. So endpoint security solutions are always balancing what is going to be the ratio between performance and the protection they offer. So for example with Bitdefender multi-layered security, we are looking at the memory; we have tons of optimizations for how to do it. But again, a lot of endpoint security products are kind of ignoring the memory because it's a really expensive operation to perform. So that's number one. Number two is that, for example, in the case of the EggStreme framework they are injecting into existing processes. So the behavior that we have seen with EggStreme is that it's actually looking at whether Microsoft Defender is present on the system. If yes, it will inject the malicious payload into Defender. If Defender is not present, then they are going to inject it into explorer.exe. So again, fileless from a detection perspective: it's much harder to build the malware, develop it, but it's also beneficial if you have really professional detectors, because it's much harder to detect.
B
Well, and let's back up for just a second here. What's the story of the name? Why EggStreme?
A
I knew you were going to ask that, and to be honest, I have no idea. So when I started working on this research, that was one of the first questions I got. But because we have been monitoring this for so long, no one actually remembered why we decided to give it this name. So in all the pieces of the documentation we were always referring to it as EggStreme, and we don't know who gave it the first name. It usually doesn't happen. In this case I find it really funny.
B
Right. It's a bit of legacy data, right?
A
Exactly. Very often what happens is that when we do research and we are not sure yet whether it is going to be significant, what are we going to find, we just need to name individual components. So here what we decided is that we will use the prefix EggStreme. So we have EggStremeFuel, EggStremeLoader, EggStremeReflectiveLoader, the EggStremeAgent. So again, because there are multiple different malware components that are part of this toolset, we needed to name them, and someone just came up with the name, and again we couldn't figure out which one it was that originally named the piece of code EggStreme. But it sticks. The name sticks. We like it.
B
Well, I have to say I'm showing great restraint not to channel the old Batman villain Egghead and start doing egg-related puns about how egg research is. I think I just did that.
A
There you go.
B
The report describes a multi-stage infection chain. Can you take us through, step by step, what this process is about? How does EggStreme take over a system?
A
So the first thing, again a very common question that we typically get with APT research, is the question about initial access. And the reality is, and this is again the same case, very often we just don't know. APT operations are multi-year operations. You look at a company where they have rotation logs of seven days and you try to figure out something that happened five weeks ago. Well, good luck with that. So in this case, again, we don't know the initial access, we just know it probably happened years ago. The first sign of the attack that we found was actually the deployment of a logon script which, on one of the machines, dropped WinMail.exe, the built-in Windows mail client. A completely legitimate executable. This was not the malware itself. Now what the attackers actually did is that they didn't only copy WinMail.exe, again a completely legitimate Windows executable, but they also copied another DLL library that was malicious and put it next to this one. So the DLL they used in this case is mscorsvc.dll. We've seen this actually being used in multiple attacks by Chinese APTs. At this moment, I would say this is part of the curriculum of offensive security for these groups. So we are seeing this particular library being abused and hijacked all the time. So what I mean by being abused: this is a classic example of DLL sideloading. I actually wrote an explainer about what it is when this technique was relatively uncommon and rare. So if you Google DLL sideloading, the first hit you are going to get is explaining that. Really, the way this works is that you launch an executable like WinMail.exe, and what it's going to do is that it has a list of libraries that it needs to function, and it is going to look for those libraries in multiple locations. In the typical scenario it is going to load them from the System32 folder. But there is one location that is the first one, and that is the same folder where the executable is running from.
So in the past, many years, 20 years ago, we used this trick to pretty much fix DLL incompatibilities. If you needed a different version of the DLL, you would just put it in the same folder as the executable. Today it's mostly attackers that are using it, because what they will do is they have a legitimate executable and they put a malicious library next to it with the same name and exported function names as the real library. So what's going to happen is you run the executable itself, it's going to find this malicious library next to it and it's going to execute it. So something that is much harder to detect unless your endpoint security is aware of this DLL sideloading technique. So again, today I would say this is a classic example, and we are seeing this technique adopted by pretty much all the Chinese APT groups. So yeah, very common part of the playbook.
B
You mentioned that there are multiple elements to this, and one of them is the EggStreme agent backdoor, and that supports what, 58 or so commands? What do these things let the attackers do once they're in a compromised network?
A
Yes, so we are actually going through multiple stages. So the first one I was talking about, that's EggStremeFuel, that's the first stage. Then we have two additional loaders, and finally the final payload is, as you mentioned, the EggStreme agent. So in total there are 58 commands that it supports, and it's everything from system fingerprinting, getting detailed host information, resource enumeration or scanning local and remote network resources, privilege escalation, different types of command execution, data exfiltration, lateral movement, process injection. So everything you can imagine. The way this works is the command-and-control server doesn't actually send any code; it's just telling the EggStreme agent numbers. Yeah, so for example, if I'm the command-and-control server and I send just the number 17 to the implant, it's going to give me back the configuration of the agent, and every number means something. So the numerical IDs they are using range from 0 to 66. Some of the numbers are missing, probably some kind of development and testing. So we documented the 58 different commands that are available, again from some very basic stuff to really advanced lateral movement and advanced execution and privilege escalation.
B
We'll be right back. Well, you mentioned China. What else do we know about who might be behind this and what their goals are?
A
So we don't really know which APT group it is. We spent a lot of time on attribution, but to be honest, all the links that we found were so weak that we just decided to skip the attribution in this case, because, again, one of the techniques that we've seen here was DLL sideloading. Today we see the same technique adopted by all the different Chinese APT groups. So instead of giving an attribution when it's really weak, in this case we just decided we will attribute it to an interest, not to a specific group. We have seen actually quite a lot of misattributions for Chinese APTs in the region. One of the things they like to do is leaving a little bit of misdirection behind. So one thing we noticed: last year we documented a new group, Unfading Sea Haze. We mapped all the infrastructure, everything they are doing. We've seen multiple researchers that actually attributed that piece of malware, only a small part of the operation that we uncovered, to Russians because there were some comments in Azbuka, for example; that is very common, we see that all the time. So for example, in the EggStreme malware I think there is one decryption string which is like "USA is the best." Again, these kinds of misdirections and clues are like a typical sign of the craftsmanship of the Chinese APTs. So again the interest: again, this was in the Philippines military company alliance, and what they were going after aligns with Chinese interests. But we cannot attribute this to any specific group.
B
Okay, well, let's talk about persistence and stealth then. They were able to stay hidden for quite a long time. And you mentioned in the research that they were abusing some legitimate Windows services. Can you describe those for us?
A
Yes. So it was actually a really simple method that they are using. Instead of creating new services that can be detected, they were just looking for services that existed already on the Windows machine but were disabled or set up to run manually. So a couple of examples I remember: there was the Group Policy software deployment, the App Management, for example. There was also the software-based management for shadow volume copies, not VSS itself, just the management layer. The iSCSI service, for example. And what they did was very simple. In some cases we've just seen them redirecting the DLL that will be loaded by the service. Very often they just removed one letter. So for example, the Group Policy software deployment is appmgmt.dll and they use appmgmts.dll. So something that is really hard to spot. In other cases they actually redirected: they either replaced the DLL file, so they didn't touch the service configuration but they changed the destination file, or in other cases they actually changed the configuration. So they kept the original library, put the new malicious library in, and changed what the service itself is going to execute. So a bunch of both. We've seen different approaches. That's quite common. Now for the persistence itself, we can talk about loaders, because that was also quite interesting how they handled this.
B
Hmm. Yeah, let's hear it.
A
Okay, so as I was saying, what they did is they hijacked one of the Windows services. At the end, what they were executing was the EggStreme loader, and this loader is executed every 10 minutes by default. And all it's doing is that it is just looking at a file on the disk, and that file contains an encrypted collection of malware. What I mean by this is the EggStreme loader knew specifically that, for example, the first four bytes of the file are going to define the length of the second segment that needs to be extracted from that file, and the remainder of the file after that is the EggStreme agent. So again, it was not as simple as just decrypting the file. It was really one file that contained a collection of the malware, and you needed to know exactly how to extract it from that file. So what it was doing, the EggStreme loader, the service itself, is it would look at this .mui file, the multi user interface file. It will delete the first four bytes, which is going to tell it the length of the second segment. The second segment itself is going to be the EggStreme reflective loader. So the reflective loader is going to be injected into winlogon.exe. So we are going to have the second malware that will be injected into winlogon.exe. What this one is going to do is that it will go back to the multi user interface file. It will read the last segment, that is the EggStreme agent, and then it's going to have a look: do I have Microsoft Defender on the system? If yes, I'm going to inject it there. If not, I'm going to inject it into explorer.exe. This is the moment when we have the main backdoor, the EggStreme agent, running. We can also talk about what the EggStreme agent itself was doing, how it was monitoring the environment. With the EggStreme agent we've seen a couple of different versions injected in different ways. All of this is documented in the research itself. What it was doing is that we've seen it also, again, supporting 58 different commands, like anything you might wish to do.
We've seen two special cases. One was that on a couple of different occasions it dropped another backdoor that we called EggStremeWizard, which is lightweight, using DLL sideloading. As I mentioned, again, part of this framework approach is that we've seen the consistent use of advanced techniques across different pieces of the malware. More importantly, this actually also deployed the EggStreme keylogger, which was responsible for getting the information out of the system. So the EggStreme keylogger is monitoring the system. It's looking for notifications that there is a new user that has logged in. When the user logs in, the malware is going to wait for the child process explorer.exe, meaning an interactive session. When this process is launched, the malware is going to decrypt the EggStreme keylogger, again from the .mui file, and it's going to inject it into this new user's explorer.exe. So we will have multiple injections. So the keylogger itself is of course going to log all the keys. That's not surprising. But it's also going to monitor the clipboard, exfiltrate the data. It had a bunch of different functionality for how to exfiltrate all this data.
B
Hmm. How do you rate the sophistication of this threat actor?
A
Very high. So again, it's one thing to develop a piece of malware, especially if it's just a variation of something that is on GitHub. It is completely different to develop the malware from scratch. And again, if we are talking about advanced malware that is using DLL sideloading, running fileless in memory, injecting itself into different processes, and you have multiple components that work together to achieve the goal like this, this was really sophisticated malware that we were monitoring.
B
Well, you mentioned that they were targeting an organization in the Philippines. Just more broadly, what should security teams be taking away from this research?
A
So broadly, what I would say is what we are seeing with APT groups are two different behaviors. The first one is how they move around the environment. And here at this stage they are heavily relying on living-off-the-land attack techniques. They are using LOLBins, they are pretty much relying on the tools that exist on the network. So this initial stage, how they get in, how they move around, is very similar to financially motivated threat actors. It is the same playbook effectively, but at the end, the final stage of the attack for them is continuous exfiltration of the data. And here is the difference between, for example, ransomware affiliates and APT groups. Because APT groups, for the final stage of the attack, are typically relying on custom-made malware, while the ransomware affiliates again typically stay with living-off-the-land attack techniques. So what I would suggest, or what typically are the recommendations? Of course, the same defense in depth, multi-layered security; that has been staying the same for a really long time and is still the best recommendation, but try to proactively limit or block LOLBins, because again that is how they get to that final stage. Another thing that we see all the time in our investigations: make sure that you have detection and response capabilities. So EDR/XDR solutions, properly deployed and configured. One of the things that we are seeing is that most of the attacks originate from unmanaged devices, so it's very common that again there is just no visibility into the attack until it's too late. And finally, the second thing that we are also seeing with investigations quite frequently is there is EDR or XDR deployed in the environment but no one is monitoring it. So at the end, when we look back after our investigation, very often we see there are red flags all over the place. All the security controls are working, have been raising alerts, but there is no SOC or MDR team that would respond in time.
So all these red flags were just ignored or not monitored, and that's how the attack succeeded at the end. So have the tools and make sure that you have people that have the skills and of course have the headcount to actually respond to those.
B
Our thanks to Martin Zuzic from Bitdefender for joining us. The research is titled "EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com. This episode is produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Podcast: CyberWire Daily – Research Saturday
Title: Walking on EggStremes
Date: January 10, 2026
Guest: Martin Zuzic, Technical Solutions Director, Bitdefender
Host: Dave Bittner (N2K Networks)
In this Research Saturday episode, host Dave Bittner and Martin Zuzic from Bitdefender dive deep into "EggStreme"—a sophisticated new APT malware framework discovered targeting a Philippine military organization. The discussion covers the framework's fileless design, the detection challenges it poses, the attack chain, attribution questions, persistence mechanisms, and takeaways for cybersecurity teams.
"...when they are present on the disk, they are completely encrypted...as soon as the payload itself is decrypted, it is never touching any disk. It is just running in the memory..."
— Martin Zuzic (03:49)
"You run the executable itself, it's going to find this malicious library next to it and it's going to execute it. So something that is much harder to detect unless your endpoint security is aware of this DLL sideloading technique."
— Martin Zuzic (10:39)
"...the interest, again this was in the Philippines military company alliance and what they were going after aligns with the Chinese interests. But we cannot attribute this to any specific group."
— Martin Zuzic (16:56)
"...it is completely different to develop the malware from scratch. And again, if we are talking about advanced malware that is using DLL sideloading, running file less in memory, injecting itself into different processes...this was really sophisticated malware that we were monitoring."
— Martin Zuzic (23:31)
"...have the tools and make sure that you have people that have the skills and of course have the headcounts to actually respond to those."
— Martin Zuzic (26:56)
"Instead of creating new services that can be detected, they were just looking for services that existed already on the Windows machine but were disabled or set up to run manual."
(Martin Zuzic, 17:52)
“We spend a lot of time on attribution, but to be honest, all the links that we found were so weak that we just decided to skip the attribution in this case..."
(Martin Zuzic, 15:40)
“At the end, when we look back after our investigation, very often we see there are red flags all over the place...but there is no SOC or MDR team that would respond in the time.”
(Martin Zuzic, 26:14)
EggStreme represents a high-tier APT toolset with modular, fileless, memory-only payload execution, sophisticated use of DLL sideloading, and stealthy persistence via abuse of legitimate Windows services. Defenders must ensure not only multi-layered detection and prevention mechanisms but also continuous expert monitoring to respond to the inevitable alerts—technology alone is not enough.
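The service-hijacking persistence described in the interview comes in three flavours: re-pointing a disabled or manual-start service's ServiceDll at a lookalike file name that differs by a letter, re-pointing it at a path outside System32, or leaving the configuration alone and swapping the file behind it. A defender can catch all three by diffing service registrations and file hashes against a known-good baseline. The script below is an added example written for this summary; it is not code from Bitdefender or from the podcast. The service names, DLL file names, paths and hash strings in it are constructed for illustration and make no claim about which DLL a real Windows service loads.

```python
"""Audit Windows service DLL registrations against a known-good baseline.

Added example for this summary, not Bitdefender's or the podcast's code.
All service names, DLL paths and hashes below are CONSTRUCTED for
illustration and make no claim about which DLL a real Windows service loads.
"""
import ntpath
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"   # the only directory a stock service DLL is expected in


@dataclass(frozen=True)
class ServiceEntry:
    name: str         # key under HKLM\SYSTEM\CurrentControlSet\Services
    service_dll: str  # Parameters\ServiceDll value (svchost-hosted services)
    start: int        # Start value: 2 = automatic, 3 = manual, 4 = disabled
    sha256: str       # hash of the file ServiceDll points to (placeholder strings here)


def normalize(path):
    """Lower-case, fix slashes and expand %SystemRoot% so paths compare reliably."""
    return path.lower().replace("/", "\\").replace("%systemroot%", r"c:\windows")


def levenshtein(a, b):
    """Edit distance; 1-2 between DLL names is the 'one letter off' trick from the interview."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_services(baseline, current, max_lookalike_distance=2):
    """Compare current service registrations with the baseline.

    Returns (service_name, finding_code) pairs. Finding codes:
      lookalike-dll         ServiceDll file name differs by a few characters
      dll-replaced          ServiceDll file name changed outright
      dll-outside-system32  ServiceDll points outside System32
      dll-hash-changed      same file name, different contents (file swapped on disk)
      start-type-changed    manual/disabled service is now automatic
      unknown-service       service absent from the baseline
    """
    findings = []
    for name, cur in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append((name, "unknown-service"))
            continue
        cur_dir, cur_file = ntpath.split(normalize(cur.service_dll))
        _, base_file = ntpath.split(normalize(base.service_dll))
        if cur_file != base_file:
            near = levenshtein(cur_file, base_file) <= max_lookalike_distance
            findings.append((name, "lookalike-dll" if near else "dll-replaced"))
        elif cur.sha256 != base.sha256:
            findings.append((name, "dll-hash-changed"))
        if cur_dir != SYSTEM32:
            findings.append((name, "dll-outside-system32"))
        if base.start in (3, 4) and cur.start == 2:
            findings.append((name, "start-type-changed"))
    return findings


# Constructed "golden image" capture: four manual-start services (hashes are placeholders).
BASELINE = {
    "AppMgmt": ServiceEntry("AppMgmt", r"%SystemRoot%\System32\appmgmt.dll", 3, "HASH-APPMGMT-GOLD"),
    "swprv":   ServiceEntry("swprv",   r"%SystemRoot%\System32\swprv.dll",   3, "HASH-SWPRV-GOLD"),
    "MSiSCSI": ServiceEntry("MSiSCSI", r"%SystemRoot%\System32\iscsiexe.dll", 3, "HASH-ISCSI-GOLD"),
    "W32Time": ServiceEntry("W32Time", r"%SystemRoot%\System32\w32time.dll", 3, "HASH-W32TIME-GOLD"),
}

# Constructed capture from a suspect host showing the three tampering styles from the interview.
CURRENT = {
    "AppMgmt": ServiceEntry("AppMgmt", r"%SystemRoot%\System32\appmgmts.dll", 2, "HASH-UNKNOWN-1"),  # letter added, now auto-start
    "swprv":   ServiceEntry("swprv",   r"C:\ProgramData\swprv.dll",           3, "HASH-UNKNOWN-2"),  # config re-pointed outside System32
    "MSiSCSI": ServiceEntry("MSiSCSI", r"%SystemRoot%\System32\iscsiexe.dll", 3, "HASH-UNKNOWN-3"),  # config untouched, file swapped
    "W32Time": ServiceEntry("W32Time", r"%SystemRoot%\System32\w32time.dll", 3, "HASH-W32TIME-GOLD"),  # clean
}

if __name__ == "__main__":
    for svc, code in audit_services(BASELINE, CURRENT):
        print(f"{svc:8} {code}")
```

On a real host the `current` table would be built by reading each service's `Parameters\ServiceDll` value from the registry and hashing the file it names, with the baseline captured from a freshly built machine of the same image. The hash comparison is what catches the "replace the file, leave the configuration" variant the interview mentions; a registry-only check misses it entirely, which is why both are compared here.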
Read the full Bitdefender research for technical IOCs and detection methodologies.