win.eagerbee (Back to overview)

EagerBee


According to Elastic, EagerBee loads additional capabilities from remotely downloaded PE files hosted on its C2 infrastructure. However, its implementation and coding practices reveal a lack of advanced skills on the author's part, as it relies on basic techniques. During their research, Elastic identified string formatting and underlying behavior that align with previous research attributed to a Chinese-speaking threat actor referred to as LuckyMouse (APT27, EmissaryPanda).

References
2023-10-03 — Elastic — Andrew Pease, Cyril François, Daniel Stepanic, Salim Bitam, Seth Goodwin
Introducing the REF5961 intrusion set (RUDEBIRD, DOWNTOWN, and EAGERBEE)
EagerBee SManager REF2924 REF5961
Yara Rules
[TLP:WHITE] win_eagerbee_auto (20230808 | Detects win.eagerbee.)
rule win_eagerbee_auto {

    /* Purpose: auto-generated code-sequence signature for win.eagerbee (Malpedia).
     * Matching: ten short opcode sequences ($sequence_0..$sequence_9) taken from
     * disassembly of memory dumps / unpacked files; the condition requires 7 of the
     * 10 sequences plus a filesize bound (< 422912 bytes), so it is meant for
     * unpacked or dumped samples rather than packed droppers.
     * NOTE(review): the `????????` wildcards mask 4-byte operands that follow
     * rip-relative / call opcodes (e8, ff15, 488b05, ff05), i.e. addresses that
     * change between builds and load addresses — confirm against the sample.
     * NOTE(review): the mnemonic annotations in the `//` comments below do not
     * line up with the byte on the same line (e.g. `753b` is a short conditional
     * jump, not a `mov`); treat the hex bytes as authoritative and the comments
     * as a generator artifact.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.eagerbee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eagerbee"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each sequence is a contiguous run of instruction bytes (n = instruction count,
    // score = generator ranking); `?` nibbles are wildcards.
    strings:
        $sequence_0 = { 493bc7 753b 488b05???????? ff05???????? 488bcb ff90f8000000 488d1560d80100 }
            // n = 7, score = 100
            //   493bc7               | lea                 eax, [edi + 0x6e]
            //   753b                 | mov                 word ptr [esp + 0x56], cx
            //   488b05????????       |                     
            //   ff05????????         |                     
            //   488bcb               | mov                 word ptr [esp + 0x5e], ax
            //   ff90f8000000         | lea                 eax, [edi + 0x78]
            //   488d1560d80100       | mov                 word ptr [esp + 0x60], cx

        $sequence_1 = { 488d15b7aa0100 41b908000000 48c7c101000080 498943d8 c744245810000000 ff15???????? 85c0 }
            // n = 7, score = 100
            //   488d15b7aa0100       | dec                 ecx
            //   41b908000000         | mov                 ecx, esp
            //   48c7c101000080       | cmp                 eax, ebx
            //   498943d8             | dec                 esp
            //   c744245810000000     | lea                 ecx, [esp + 0x58]
            //   ff15????????         |                     
            //   85c0                 | inc                 ebp

        $sequence_2 = { 0f44d8 eb0b 8b7c245c e8???????? 8bd8 85db 7415 }
            // n = 7, score = 100
            //   0f44d8               | dec                 eax
            //   eb0b                 | lea                 edx, [esp + 0xd0]
            //   8b7c245c             | dec                 eax
            //   e8????????           |                     
            //   8bd8                 | mov                 ecx, edi
            //   85db                 | call                ebx
            //   7415                 | cmp                 eax, 0x7a

        $sequence_3 = { 744c 488d15be810200 488bcb 4d8bc7 e8???????? 488b05???????? }
            // n = 6, score = 100
            //   744c                 | dec                 eax
            //   488d15be810200       | mov                 eax, dword ptr [ebx + 0x30]
            //   488bcb               | cmp                 dword ptr [eax + 0x3c], esi
            //   4d8bc7               | nop                 dword ptr [eax]
            //   e8????????           |                     
            //   488b05????????       |                     

        $sequence_4 = { 8b01 eb06 ff90c0000000 410fb7cc eb3b 488bcf }
            // n = 6, score = 100
            //   8b01                 | jne                 0x80
            //   eb06                 | cmp                 dword ptr [edi + 8], esi
            //   ff90c0000000         | cmp                 dword ptr [esi + 0x16f4], eax
            //   410fb7cc             | jne                 0xffffffe0
            //   eb3b                 | mov                 eax, dword ptr [esi + 0x84]
            //   488bcf               | test                eax, eax

        $sequence_5 = { 85c0 751e 4c8b4c2448 4c8b442440 488d1517640100 488b4c2430 ff15???????? }
            // n = 7, score = 100
            //   85c0                 | inc                 esp
            //   751e                 | mov                 byte ptr [esp + 0x45], ah
            //   4c8b4c2448           | inc                 eax
            //   4c8b442440           | mov                 byte ptr [esp + 0x46], dh
            //   488d1517640100       | dec                 ecx
            //   488b4c2430           | mov                 ecx, dword ptr [eax + 8]
            //   ff15????????         |                     

        $sequence_6 = { 8d6f07 458d77c7 8d5fce 488d8c2470010000 664489bc2470010000 6689bc2472010000 }
            // n = 6, score = 100
            //   8d6f07               | mov                 byte ptr [esp + 0x90], 0x73
            //   458d77c7             | inc                 eax
            //   8d5fce               | mov                 byte ptr [esp + 0x134], bh
            //   488d8c2470010000     | mov                 byte ptr [esp + 0x135], 0x74
            //   664489bc2470010000   | mov                 byte ptr [esp + 0x136], 0x4c
            //   6689bc2472010000     | mov                 byte ptr [esp + 0x137], 0x61

        $sequence_7 = { c68424c20000006f c68424c300000073 4088bc24c4000000 c68424c500000073 c68424c60000006f c68424c700000063 4488bc24c8000000 }
            // n = 7, score = 100
            //   c68424c20000006f     | mov                 dword ptr [esp + 0xc0], esi
            //   c68424c300000073     | mov                 word ptr [esp + 0xc4], dx
            //   4088bc24c4000000     | mov                 eax, 1
            //   c68424c500000073     | dec                 eax
            //   c68424c60000006f     | mov                 ebx, dword ptr [esp + 0x60]
            //   c68424c700000063     | dec                 eax
            //   4488bc24c8000000     | mov                 ebp, dword ptr [esp + 0x68]

        $sequence_8 = { 8bd8 ebbf ff90e0000000 8bd8 85db 0f8481020000 3bdf }
            // n = 7, score = 100
            //   8bd8                 | mov                 byte ptr [esp + 0x93], 0x3b
            //   ebbf                 | mov                 byte ptr [esp + 0x94], 0x20
            //   ff90e0000000         | mov                 byte ptr [esp + 0x8f], 0x65
            //   8bd8                 | mov                 byte ptr [esp + 0x90], 0x72
            //   85db                 | inc                 eax
            //   0f8481020000         | mov                 byte ptr [esp + 0x91], ch
            //   3bdf                 | call                dword ptr [eax + 0x58]

        $sequence_9 = { 4533c9 4533c0 48896c2458 4489642450 4489742454 48898698080000 c7869408000004000000 }
            // n = 7, score = 100
            //   4533c9               | lea                 ecx, [esp + 0x20]
            //   4533c0               | dec                 eax
            //   48896c2458           | lea                 edx, [0xe488]
            //   4489642450           | inc                 ecx
            //   4489742454           | mov                 eax, 0x40
            //   48898698080000       | dec                 eax
            //   c7869408000004000000 | lea                 edx, [esp + 0x70]

    // 7 of 10 sequences tolerates some build-to-build variation; the filesize cap
    // limits false positives on large binaries and excludes bigger packed carriers.
    condition:
        7 of them and filesize < 422912
}
[TLP:WHITE] win_eagerbee_w0   (20231009 | No description)
rule win_eagerbee_w0 {
    /* Purpose: Elastic Security's hand-written signature for Windows.Trojan.EagerBee,
     * mirrored on Malpedia as win_eagerbee_w0 (meta fields malpedia_hash and
     * malpedia_license are intentionally left empty by the mirror).
     * Matching: four byte patterns; `??` masks a single wildcard byte. The string
     * names suggest the code regions they were cut from (config decoding, config
     * parsing, proxy-string parsing) — presumably, as the rule carries no further
     * description; verify against reference_sample before relying on the names.
     * Condition: any 2 of the 4 patterns. There is no filesize bound, so the rule
     * also applies to memory dumps and large containers.
     */
    meta:
        author = "Elastic Security"
        creation_date = "2023-09-04"
        last_modified = "2023-09-20"
        threat_name = "Windows.Trojan.EagerBee"
        reference_sample = "339e4fdbccb65b0b06a1421c719300a8da844789a2016d58e8ce4227cb5dc91b"
        license = "Elastic License v2"
        os = "windows"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eagerbee"
        malpedia_rule_date = "20231009"
        malpedia_hash = ""
        malpedia_version = "20231009"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"

    strings:
        // `?? ??` after the xor loop masks a variable 2-byte gap (likely a short jump).
        $dexor_config_file = { 48 FF C0 8D 51 FF 44 30 00 49 03 C4 49 2B D4 ?? ?? 48 8D 4F 01 48 }
        // Compares a byte against 0x3A (':') — a delimiter check; 6 wildcard bytes follow.
        $parse_config = { 80 7C 14 20 3A ?? ?? ?? ?? ?? ?? 45 03 C4 49 03 D4 49 63 C0 48 3B C1 }
        // Writes the literal bytes 0x70 0x3D ("p=") onto the stack buffer.
        $parse_proxy1 = { 44 88 7C 24 31 44 88 7C 24 32 48 F7 D1 C6 44 24 33 70 C6 44 24 34 3D 88 5C 24 35 48 83 F9 01 }
        // Fully fixed pattern, no wildcards.
        $parse_proxy2 = { 33 C0 48 8D BC 24 F0 00 00 00 49 8B CE F2 AE 8B D3 48 F7 D1 48 83 E9 01 48 8B F9 }

    condition:
        2 of them
}