
EggStreme Malware: Inside a New APT Framework Targeting the Philippine Military

N2K Networks · January 10, 2026 · 29 min · 241 views

Unpacking the EggStreme Malware Framework

  • 💡 The EggStreme malware is a sophisticated, multi-stage framework developed by an Advanced Persistent Threat (APT) group, designed for long-term espionage.
  • 🎯 Each component of the framework has a specific, small goal, making detection difficult until all parts are combined to reveal its powerful capabilities.
  • 🔍 The name "EggStreme" originated from internal naming conventions for its various components, such as EggStreme Fuel, EggStreme Loader, and EggStreme Agent, though the exact origin of the name is unclear.

Fileless Execution and Detection Challenges

  • 🧠 Fileless malware execution means the malicious code does not touch the disk; instead, it runs in memory, often injected into legitimate processes.
  • ⚠️ This fileless nature presents significant detection challenges, as scanning memory is resource-intensive for endpoint security solutions.
  • πŸ›‘οΈ EggStreme specifically targets legitimate processes for injection, such as Microsoft Defender or explorer.exe, making its behavior harder to distinguish from normal system activity.

Infection Chain and DLL Sideloading

  • ❓ The initial access vector for EggStreme remains unknown, likely occurring years prior to discovery, with the first detected sign being the deployment of a legitimate Windows executable, vinmail.exe.
  • 🧩 Attackers paired vinmail.exe with a malicious DLL, mscore_svc.dll, in the same directory, exploiting DLL sideloading.
  • 📈 This technique abuses how executables load libraries, causing them to load the malicious DLL instead of the legitimate one, a common tactic among Chinese APT groups.
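The sideloading pattern described above (a legitimate executable such as vinmail.exe dropped next to a malicious DLL such as mscore_svc.dll) leaves a recognisable trace in image-load telemetry. The following detector is an added example, not code from the episode or from Bitdefender's report: it walks constructed Sysmon Event ID 7 style records and flags a DLL that is loaded from the executable's own directory when that directory is outside the system or Program Files trees and the DLL is either unsigned or carries the name of a DLL a clean host serves from System32. The directory allow-list and the System32 name baseline are my assumptions and would be replaced by a baseline taken from a clean host.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Directories Windows resolves system DLLs from (lower-case, trailing separator).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Constructed allow-list: installed software legitimately ships DLLs beside its executable here.
TRUSTED_APP_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Constructed baseline of DLL names a clean host serves from System32. A same-named
# file sitting beside the executable is the classic search-order hijack.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dbghelp.dll"}


@dataclass
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (Image loaded) record."""
    image: str         # host process executable
    image_loaded: str  # DLL mapped into that process
    signed: bool       # Sysmon's Signed field for the DLL


@dataclass
class Finding:
    image: str
    dll: str
    reasons: list[str] = field(default_factory=list)


def _dir(path: str) -> str:
    """Normalised parent directory, so paths compare regardless of case."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def assess_load(ev: ImageLoad) -> Finding | None:
    img_dir, dll_dir = _dir(ev.image), _dir(ev.image_loaded)
    # Sideloading needs the DLL beside the executable ...
    if dll_dir != img_dir:
        return None
    # ... in a directory where colocated DLLs are not the normal case.
    if dll_dir.startswith(SYSTEM_DIRS) or dll_dir.startswith(TRUSTED_APP_DIRS):
        return None
    name = ntpath.basename(ev.image_loaded).lower()
    reasons = []
    if not ev.signed:
        reasons.append("unsigned DLL loaded from the executable's own directory")
    if name in SYSTEM_DLL_NAMES:
        reasons.append(f"{name} normally resolves from System32 (search-order hijack)")
    return Finding(ev.image, name, reasons) if reasons else None


def scan(events: list[ImageLoad]) -> list[Finding]:
    return [f for f in map(assess_load, events) if f is not None]


# Constructed sample telemetry: two benign loads, one sideload matching the
# vinmail.exe / mscore_svc.dll pairing from the episode, one search-order hijack.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", True),
    ImageLoad(r"C:\ProgramData\Mail\vinmail.exe", r"C:\ProgramData\Mail\mscore_svc.dll", False),
    ImageLoad(r"C:\Users\bob\tools\viewer.exe", r"C:\Users\bob\tools\version.dll", True),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image} loaded {f.dll}: " + "; ".join(f.reasons))
```

The rule deliberately stays quiet for System32 and Program Files, where colocated DLLs are routine; the signal comes from an otherwise legitimate, signed executable living in a writable location and pulling a DLL that is unsigned or impersonates a system library.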

EggStreme Agent and Capabilities

  • βš™οΈ The final payload, the EggStreme Agent, supports approximately 58 commands for system fingerprinting, reconnaissance, privilege escalation, data exfiltration, and lateral movement.
  • πŸ’» Commands are numerical IDs, with the Command and Control server sending numbers to instruct the agent, ranging from basic information gathering to advanced execution techniques.
  • πŸ”‘ The framework also deploys an EggStreme Keylogger which monitors keystrokes, clipboard data, and exfiltrates sensitive information, often injected into new user sessions.

Persistence and Stealth Techniques

  • πŸ› οΈ Attackers achieved persistence by hijacking legitimate, but disabled or manually set, Windows services like Group Policy Software Deployment and iSCSI service.
  • πŸ“„ They manipulated these services by redirecting DLL loading paths or replacing DLL files, often with minor alterations (e.g., adding a single letter to a filename) to evade detection.
  • πŸ”„ A loader component, executed every 10 minutes, reads an encrypted file containing multiple malware components, extracting and reflecting them into memory.
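The service-hijacking persistence described above can be audited by diffing the current service configuration against a baseline captured on a clean host. The following is an added example, not code from the episode or from Bitdefender's report: it compares start type, ServiceDll path and file hash per service, and specifically calls out the two tricks named in the summary, a path redirected to a filename that is a single-character edit of the original, and a file replaced in place while the path stays the same. The service short names AppMgmt and MSiSCSI, the ServiceDll filenames and the hash strings are my assumptions and constructed sample values, not data from the page.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceConfig:
    """Snapshot of one svchost-hosted service: start type, ServiceDll path, file hash."""
    start: str        # "auto", "manual" or "disabled"
    service_dll: str  # path the ServiceDll registry value points at
    dll_sha256: str   # hash of the file currently at that path


def within_one_edit(a: str, b: str) -> bool:
    """True when b differs from a by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1          # substitution
            j += 1
        else:
            j += 1          # extra character in the longer string
    edits += (len(b) - j) + (len(a) - i)
    return edits <= 1


def audit(baseline: dict[str, ServiceConfig],
          observed: dict[str, ServiceConfig]) -> dict[str, list[str]]:
    """Return, per service, the deviations from the clean baseline."""
    findings: dict[str, list[str]] = {}
    for name, cur in observed.items():
        reasons: list[str] = []
        base = baseline.get(name)
        if base is None:
            reasons.append("service not present in baseline")
        else:
            if cur.start != base.start:
                reasons.append(f"start type changed {base.start} -> {cur.start}")
            if cur.service_dll.lower() != base.service_dll.lower():
                reasons.append(f"ServiceDll path changed from {base.service_dll}")
                old = ntpath.basename(base.service_dll).lower()
                new = ntpath.basename(cur.service_dll).lower()
                if within_one_edit(old, new):
                    reasons.append(f"new filename {new} is a one-character edit of {old}")
            elif cur.dll_sha256 != base.dll_sha256:
                reasons.append("ServiceDll path unchanged but file content differs from baseline")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed baseline from a clean host (hash strings are placeholders).
BASELINE = {
    "AppMgmt":    ServiceConfig("disabled", r"C:\Windows\System32\appmgmts.dll", "sha256-clean-appmgmts"),
    "MSiSCSI":    ServiceConfig("manual",   r"C:\Windows\System32\iscsiexe.dll", "sha256-clean-iscsiexe"),
    "ExampleSvc": ServiceConfig("auto",     r"C:\Windows\System32\examplesvc.dll", "sha256-clean-examplesvc"),
}

# Constructed snapshot of a compromised host: AppMgmt re-enabled and pointed at a
# filename with one extra letter; MSiSCSI's DLL replaced in place; ExampleSvc untouched.
OBSERVED = {
    "AppMgmt":    ServiceConfig("auto",     r"C:\Windows\System32\appmgmtsa.dll", "sha256-unknown-1"),
    "MSiSCSI":    ServiceConfig("manual",   r"C:\Windows\System32\iscsiexe.dll", "sha256-unknown-2"),
    "ExampleSvc": ServiceConfig("auto",     r"C:\Windows\System32\examplesvc.dll", "sha256-clean-examplesvc"),
}

if __name__ == "__main__":
    for svc, reasons in audit(BASELINE, OBSERVED).items():
        print(svc)
        for r in reasons:
            print("  -", r)
```

The hash comparison is what catches the replace-in-place variant; a path-only diff would pass MSiSCSI as unchanged. In practice the baseline would be captured from the same OS build, since legitimate updates also change ServiceDll hashes.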

Threat Actor Sophistication and Recommendations

  • 🚀 The development of EggStreme from scratch, utilizing advanced techniques like DLL sideloading and in-memory execution, indicates a very high level of sophistication.
  • 🇨🇳 While attribution to a specific group is difficult due to shared tactics among Chinese APTs, the targeting of a Philippine military company aligns with Chinese geopolitical interests.
  • 🛡️ Security teams should focus on defense-in-depth, proactively blocking Living Off The Land (LOTL) techniques, ensuring robust detection and response (EDR/XDR) capabilities, and critically, monitoring alerts with skilled personnel to act on red flags.
Topics

EggStreme Malware · APT Framework · DLL Sideloading · Fileless Malware · In-Memory Execution · Living Off The Land · Endpoint Detection and Response (EDR) · Advanced Persistent Threat (APT) · Cyber Espionage · Malware Analysis · Threat Intelligence · Philippine Military · Bitdefender · Windows Services Abuse