#ESETresearch In November 2020, a Windows executable called mozila.cpl was submitted to VirusTotal from Germany 🇩🇪. At that time, it had zero detection rate and it is still very low now. The file is a trojanized sqlite-3.31.1 library and we attribute
it to #Lazarus. @pkalnai 1/4
The library contains an embedded payload. A command line argument S0RMM-50QQE-F65DN-DCPYN-5QEQA must be provided for its decryption and additional parameters are passed to the payload. 2/4
The payload is an instance of the HTTP(s) uploader mentioned in the report by HvS-Consulting from December 2020. Its main purpose is to exfiltrate RAR archives from a victim’s system. hvs-consulting.de/public/ThreatR… 3/4
Code similarity is a common and powerful way to cluster malware samples and make connections between seemingly unrelated malware families. Although it sounds simple, it is actually a complex problem and is hard to automate at scale without generating false positives. 1/
Blindly trusting code similarity can get one to make connections when there are none. This yields erroneous conclusions and can create very wrong media headlines. 2/
An example of wrong use of code similarity was published by Cluster25 recently, where they connect #IsaacWiper to various other malware families. cluster25.io/2022/05/03/a-s… 3/
#ESETresearch A year ago, a signed Mach-O executable disguised as a job description was uploaded to VirusTotal from Singapore 🇸🇬. Malware is compiled for Intel and Apple Silicon and drops a PDF decoy. We think it was part of #Lazarus campaign for Mac. @pkalnai@marc_etienne_ 1/8
The document, named BitazuCapital_JobDescription.pdf, reminds a strong similarity with a lure from Lazarus attacks using 2 TOY GUYS code-signing certificates for Windows, targeting aerospace and defense industries. welivesecurity.com/wp-content/upl… 2/8
Both decoys are PDF v1.5 documents produced by Microsoft Word 2016. They are obviously not identical, as one uses Colonna MT font while the other uses Calibri, but the title and ornaments on the front page have the same colors (#569bd5 and #aacc5db). 3/8
#ESETresearch identified an #Android banking trojan campaign active since October 2021, targeting 8 Malaysian banks. The malware is distributed via copycat websites of legitimate services – the majority being cleaning services available in Malaysia 🇲🇾. welivesecurity.com/2022/04/06/fak… 1/4
The copycat websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from #GooglePlay. However, these buttons do not actually lead to the Google Play store, but to malicious apps controlled by the attackers. 2/4
The malicious apps pretend to offer goods and services for purchase while matching the interface of the original stores. At the payment step, victims are presented with a fake FPX payment page, asked to select one of eight Malaysian banks, and enter their credentials. 3/4
Wslink’s multilayered #virtualmachine introduced a diverse arsenal of #obfuscation techniques, which
we were able to overcome to reveal a part of the deobfuscated malicious code. 2/5
We also described the code we developed to facilitate our research. It is provided to the community @github 3/5 github.com/eset/wslink-vm…
#BREAKING#ESETresearch warns about the discovery of a 3rd destructive wiper deployed in Ukraine 🇺🇦. We first observed this new malware we call #CaddyWiper today around 9h38 UTC. 1/7
This new malware erases user data and partition information from attached drives. #ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations. 2/7
CaddyWiper does not share any significant code similarity with #HermeticWiper, #IsaacWiper or any other malware known to us. The sample we analyzed was not digitally signed. 3/7
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n
We observed the first sample today around 14h52 UTC / 16h52 local time. The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two months. 2/n
The Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd 3/n