In T3 2021, #ESETtelemetry saw a decline in all detections of monitored #macOS threats by 5.9%, compared to T2. The biggest drop was seen towards the end of December 2021, probably attributed to various festivities around the world. 🎅🕎 #ESETresearch 1/4
The decline was visible in nearly all monitored categories – Potentially Unwanted Applications (-22.5%), Adware (-10.6%) and trojans (-6.2%). Only Potentially Unsafe Applications saw a negligible uptick in T3. 2/4
While overall lower detection numbers could be seen as something positive, more than 36% of all macOS threats ESET detected in T3 were trojans and overall macOS Trojan detections rose by 126% from 2020 to 2021. 3/4
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n
We observed the first sample today around 14h52 UTC / 16h52 local time. The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two months. 2/n
The Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd 3/n
#ESETresearch investigated Donot Team’s (also known as APT-C-35 and SectorE02) #cyberespionage campaigns targeting military organizations, governments, Ministries of Foreign Affairs, and embassies of countries in South Asia. welivesecurity.com/2022/01/18/don… 1/5
A recent report by #Amnesty International links the group’s malware to an Indian cybersecurity company that be selling the spyware to entities in the region. 2/5
ESET’s investigation spans from September 2020 to October 2021 and details variants of the yty malware framework used to target entities in Bangladesh 🇧🇩, Sri-Lanka 🇱🇰, Pakistan 🇵🇰 and Nepal 🇳🇵. But also embassies in the Middle East, Europe, North and South America. 3/5
The #WhisperGate malware discovered by Microsoft contains MSIL stub commonly used by commodity e-crime malware. We observed samples using the same stub that drop different malware families such as Remcos RAT, FormBook and others. #ESETresearch 1/5
We believe that attackers used FUD crypting service from darkweb to make #WhisperGate malware undetected. This service has been abusing cloud providers like GitHub, Bitbucket, Discord to store its payload in encrypted form. 2/5
Automatic detection MSIL/TrojanDownloader.Agent_AGen.FP was made 4 days prior to the attack in #Ukraine 🇺🇦 based on samples with similar MSIL stub used in an unrelated campaign. ESET solutions successfully detected stage2 malware but stage1 was not observed in ESET telemetry 3/5
#ESETresearch identified malicious MS Excel documents automatically downloaded upon visiting the websites of cryptocurrencies #HotDoge, www.hotdogetoken[.]com, and #DonutCatBSC, www.donutcatbsc[.]com. Opening the document led to stealing the victim’s private information. 1/6
We contacted @HotDogeTokenBSC and provided them with the information to remediate the threat. They resolved the issue and the websites no longer serve the malicious documents. 2/6
We attribute this campaign to the 🇰🇵North Korea-linked APT group #Kimsuky. The Excel document contains a malicious Excel V4.0 macro that uses the #Squiblydoo technique to download and execute an XML file with a VBS scriptlet. 3/6
@adorais@0xfmz In the first half of 2020 alone, 4 previously unknown malicious frameworks emerged, bringing the total, by our count, to 17. This sparked our interest into doing this research. 2/7
@adorais@0xfmz This work allowed us to formalize what defines an air-gapped network malware and to propose a terminology to accurately describe the various components at play. 3/7
#ESETresearch discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA with two malicious components. @cherepanov74 1/5
Attackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder. 2/5
Once started, the idahelper.dll attempts to download and execute a next-stage payload from https://www[.]devguardmap[.]org/board/board_read.asp?boardid=01 3/5