The #WhisperGate malware discovered by Microsoft contains MSIL stub commonly used by commodity e-crime malware. We observed samples using the same stub that drop different malware families such as Remcos RAT, FormBook and others. #ESETresearch 1/5
We believe that attackers used FUD crypting service from darkweb to make #WhisperGate malware undetected. This service has been abusing cloud providers like GitHub, Bitbucket, Discord to store its payload in encrypted form. 2/5
Automatic detection MSIL/TrojanDownloader.Agent_AGen.FP was made 4 days prior to the attack in #Ukraine 🇺🇦 based on samples with similar MSIL stub used in an unrelated campaign. ESET solutions successfully detected stage2 malware but stage1 was not observed in ESET telemetry 3/5
It is likely that attackers were trying to avoid existing detections at the last moment before the attack, that’s why they used third party criminal services 4/5
As such, pivots on the first steps of the chain are likely to lead to other samples packed with the same crypting service but, unrelated to #WhisperGate wiping malware #ESETresearch 5/5

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ESET research

ESET research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

Jan 18,
#ESETresearch investigated Donot Team’s (also known as APT-C-35 and SectorE02) #cyberespionage campaigns targeting military organizations, governments, Ministries of Foreign Affairs, and embassies of countries in South Asia. welivesecurity.com/2022/01/18/don… 1/5
A recent report by #Amnesty International links the group’s malware to an Indian cybersecurity company that be selling the spyware to entities in the region. 2/5
ESET’s investigation spans from September 2020 to October 2021 and details variants of the yty malware framework used to target entities in Bangladesh 🇧🇩, Sri-Lanka 🇱🇰, Pakistan 🇵🇰 and Nepal 🇳🇵. But also embassies in the Middle East, Europe, North and South America. 3/5
Read 5 tweets
Dec 13, 2021
#ESETresearch identified malicious MS Excel documents automatically downloaded upon visiting the websites of cryptocurrencies #HotDoge, www.hotdogetoken[.]com, and #DonutCatBSC, www.donutcatbsc[.]com. Opening the document led to stealing the victim’s private information. 1/6
We contacted @HotDogeTokenBSC and provided them with the information to remediate the threat. They resolved the issue and the websites no longer serve the malicious documents. 2/6
We attribute this campaign to the 🇰🇵North Korea-linked APT group #Kimsuky. The Excel document contains a malicious Excel V4.0 macro that uses the #Squiblydoo technique to download and execute an XML file with a VBS scriptlet. 3/6
Read 6 tweets
Dec 1, 2021
#ESETresearch has published a comprehensive whitepaper comparing all known malware frameworks designed to breach air-gapped networks. Read more: welivesecurity.com/2021/12/01/jum… @adorais @0xfmz 1/7
@adorais @0xfmz In the first half of 2020 alone, 4 previously unknown malicious frameworks emerged, bringing the total, by our count, to 17. This sparked our interest into doing this research. 2/7
@adorais @0xfmz This work allowed us to formalize what defines an air-gapped network malware and to propose a terminology to accurately describe the various components at play. 3/7
Read 7 tweets
Nov 10, 2021
#ESETresearch discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA with two malicious components. @cherepanov74 1/5
Attackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder. 2/5
Once started, the idahelper.dll attempts to download and execute a next-stage payload from https://www[.]devguardmap[.]org/board/board_read.asp?boardid=01 3/5
Read 5 tweets
Oct 8, 2021
#ESETresearch analyzed #FontOnLake, a previously unknown #malware family that utilizes custom and well-designed modules, targeting #Linux systems.
welivesecurity.com/2021/10/07/fon…
@HrckaVladislav 1/6
Modules are under development and provide #remoteaccess to the operators, collect credentials + serve as a proxy server. To do this, #FontOnLake uses modified legitimate binaries adjusted to load further components, its presence is always accompanied by a #rootkit. 2/6
The sneaky nature of #FontOnLake tools, along with advanced design and low prevalence suggest usage in targeted attacks. #ESETresearch believes its operators are extra cautious as almost all samples seen use unique C&C servers with varying non-standard ports. 3/6
Read 6 tweets
Oct 7, 2021
Join #ESETresearch at #vblocalhost! Starting today, you can watch @RighardZw in a live presentation looking at internal attack scenarios and highlighting issues that have remained “foolishly ignored” for years (Thu 20:00 - 20:30 UTC). 1/4
On Friday, @zuzana_hromcova will walk the audience through the current landscape of IIS threats – ranging from traffic redirectors to backdoors – and share the essentials of reverse-engineering native IIS malware (Fri 17:45 - 18:15 UTC). 2/4
On demand you can watch @cherepanov74 and @Robert_Lipovsky as they guide you through the US #Sandworm indictment; @LukasStefanko will discuss the hidden cost of #Android #stalkerware. Finally, there is @RighardZw again in the panel debate. 3/4
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(