ESET research Profile picture
Security research and breaking news straight from ESET Research Labs.
May 20 6 tweets 6 min read
#BREAKING #Sandworm continues attacks in Ukraine 🇺🇦. #ESETresearch found an evolution of a malware loader used during the #Industroyer2 attacks. This updated piece of the puzzle is malware
@_CERT_UA calls #ArguePatch. ArguePatch was used to launch #CaddyWiper. #WarInUkraine 1/6 The #Industroyer2 attacks used a patched version of @HexRaysSA IDA Pro’s remote debug server (win32_remote.exe). It was modified to include code to decrypt and run #CaddyWiper from an external file. 2/6
May 12 4 tweets 2 min read
#ESETresearch In November 2020, a Windows executable called mozila.cpl was submitted to VirusTotal from Germany 🇩🇪. At that time, it had zero detection rate and it is still very low now. The file is a trojanized sqlite-3.31.1 library and we attribute
it to #Lazarus. @pkalnai 1/4 Image The library contains an embedded payload. A command line argument S0RMM-50QQE-F65DN-DCPYN-5QEQA must be provided for its decryption and additional parameters are passed to the payload.  2/4
May 4 9 tweets 3 min read
Code similarity is a common and powerful way to cluster malware samples and make connections between seemingly unrelated malware families. Although it sounds simple, it is actually a complex problem and is hard to automate at scale without generating false positives. 1/ Blindly trusting code similarity can get one to make connections when there are none. This yields erroneous conclusions and can create very wrong media headlines. 2/ Image
May 4 8 tweets 4 min read
#ESETresearch A year ago, a signed Mach-O executable disguised as a job description was uploaded to VirusTotal from Singapore 🇸🇬. Malware is compiled for Intel and Apple Silicon and drops a PDF decoy. We think it was part of #Lazarus campaign for Mac. @pkalnai @marc_etienne_ 1/8 The document, named BitazuCapital_JobDescription.pdf, reminds a strong similarity with a lure from Lazarus attacks using 2 TOY GUYS code-signing certificates for Windows, targeting aerospace and defense industries. welivesecurity.com/wp-content/upl… 2/8
Apr 6 4 tweets 5 min read
#ESETresearch identified an #Android banking trojan campaign active since October 2021, targeting 8 Malaysian banks. The malware is distributed via copycat websites of legitimate services – the majority being cleaning services available in Malaysia 🇲🇾. welivesecurity.com/2022/04/06/fak… 1/4 The copycat websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from #GooglePlay. However, these buttons do not actually lead to the Google Play store, but to malicious apps controlled by the attackers. 2/4
Mar 28 5 tweets 4 min read
#ESETresearch is offering you a #behindthescenes look at the diligent work required to see through the
obfuscation techniques used in the recently described #Wslink, unique and undocumented
malicious loader that runs as a server. 1/5
@HrckaVladislav
welivesecurity.com/2022/03/28/und… Wslink’s multilayered #virtualmachine introduced a diverse arsenal of #obfuscation techniques, which
we were able to overcome to reveal a part of the deobfuscated malicious code. 2/5
Mar 14 7 tweets 4 min read
#BREAKING #ESETresearch warns about the discovery of a 3rd destructive wiper deployed in Ukraine 🇺🇦. We first observed this new malware we call #CaddyWiper today around 9h38 UTC. 1/7 This new malware erases user data and partition information from attached drives. #ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations. 2/7
Feb 23 7 tweets 2 min read
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n We observed the first sample today around 14h52 UTC / 16h52 local time. The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two months. 2/n
Feb 22 4 tweets 3 min read
In T3 2021, #ESETtelemetry saw a decline in all detections of monitored #macOS threats by 5.9%, compared to T2. The biggest drop was seen towards the end of December 2021, probably attributed to various festivities around the world. 🎅🕎 #ESETresearch 1/4 The decline was visible in nearly all monitored categories – Potentially Unwanted Applications (-22.5%), Adware (-10.6%) and trojans (-6.2%). Only Potentially Unsafe Applications saw a negligible uptick in T3. 2/4
Jan 18 5 tweets 3 min read
#ESETresearch investigated Donot Team’s (also known as APT-C-35 and SectorE02) #cyberespionage campaigns targeting military organizations, governments, Ministries of Foreign Affairs, and embassies of countries in South Asia. welivesecurity.com/2022/01/18/don… 1/5 A recent report by #Amnesty International links the group’s malware to an Indian cybersecurity company that be selling the spyware to entities in the region. 2/5
Jan 17 5 tweets 3 min read
The #WhisperGate malware discovered by Microsoft contains MSIL stub commonly used by commodity e-crime malware. We observed samples using the same stub that drop different malware families such as Remcos RAT, FormBook and others. #ESETresearch 1/5
We believe that attackers used FUD crypting service from darkweb to make #WhisperGate malware undetected. This service has been abusing cloud providers like GitHub, Bitbucket, Discord to store its payload in encrypted form. 2/5
Dec 13, 2021 6 tweets 4 min read
#ESETresearch identified malicious MS Excel documents automatically downloaded upon visiting the websites of cryptocurrencies #HotDoge, www.hotdogetoken[.]com, and #DonutCatBSC, www.donutcatbsc[.]com. Opening the document led to stealing the victim’s private information. 1/6 We contacted @HotDogeTokenBSC and provided them with the information to remediate the threat. They resolved the issue and the websites no longer serve the malicious documents. 2/6
Dec 1, 2021 7 tweets 6 min read
#ESETresearch has published a comprehensive whitepaper comparing all known malware frameworks designed to breach air-gapped networks. Read more: welivesecurity.com/2021/12/01/jum… @adorais @0xfmz 1/7 @adorais @0xfmz In the first half of 2020 alone, 4 previously unknown malicious frameworks emerged, bringing the total, by our count, to 17. This sparked our interest into doing this research. 2/7
Nov 10, 2021 5 tweets 3 min read
#ESETresearch discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA with two malicious components. @cherepanov74 1/5 Attackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder. 2/5
Oct 27, 2021 7 tweets 3 min read
#ESETresearch has discovered a unique and undescribed #loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory. We have named this new malware #Wslink after one of its DLLs. 1/7 @HrckaVladislav welivesecurity.com/2021/10/27/wsl… The initial compromise vector is not known, and we have seen only a few hits in our telemetry in the past two years, with detections in Central Europe, North America, and the Middle East. 2/7
Oct 8, 2021 6 tweets 6 min read
#ESETresearch analyzed #FontOnLake, a previously unknown #malware family that utilizes custom and well-designed modules, targeting #Linux systems.
welivesecurity.com/2021/10/07/fon…
@HrckaVladislav 1/6 Modules are under development and provide #remoteaccess to the operators, collect credentials + serve as a proxy server. To do this, #FontOnLake uses modified legitimate binaries adjusted to load further components, its presence is always accompanied by a #rootkit. 2/6
Oct 7, 2021 4 tweets 4 min read
Join #ESETresearch at #vblocalhost! Starting today, you can watch @RighardZw in a live presentation looking at internal attack scenarios and highlighting issues that have remained “foolishly ignored” for years (Thu 20:00 - 20:30 UTC). 1/4 On Friday, @zuzana_hromcova will walk the audience through the current landscape of IIS threats – ranging from traffic redirectors to backdoors – and share the essentials of reverse-engineering native IIS malware (Fri 17:45 - 18:15 UTC). 2/4
Sep 3, 2021 11 tweets 4 min read
#ESETresearch confirms in-the-wild use of the PRIVATELOG/STASHLOG malware reported by @Int2e_ and @MalwareMechanic from @FireEye earlier this week. Findings 👇 @0xfmz 1/11 fireeye.com/blog/threat-re… We saw this malware family used in a targeted attack against a high profile company in 🇯🇵 Japan in May 2021. We recovered 2 samples that match FireEye's description of PRIVATELOG and STASHLOG, along with a previously unknown sample we call SPARKLOG 2/11
Aug 24, 2021 6 tweets 3 min read
#ESETresearch has recently discovered a new undocumented modular backdoor, SideWalk, that was used by an APT group we named SparklingGoblin during one of its recent campaigns targeting a US-based computer retail company 🇺🇸. welivesecurity.com/2021/08/24/sid… @passil_t @mathieutartare 1/6 SideWalk is a modular backdoor that can dynamically load additional modules sent from the C&C server, makes use of Google Docs as a dead drop resolver, and @Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy. 2/6
Apr 30, 2021 5 tweets 2 min read
#ESETresearch confirms that malicious digitally signed AnyDesk installers are distributed from anydesk.s3-us-west-1.amazonaws[.]com. Our telemetry shows that victims are redirected there from three attacker-controlled domains: zgnuo[.]com, clamspit[.]com and domohop[.]com. 1/4 Image The three domains resolve to 176.111.174[.]127, 176.111.174[.]129 and 176.111.174[.]130, in the same IP range as the C&C server, 176.111.174[.]125. It seems victims, mainly located in North America, are redirected through malicious ads from different legitimate websites. 2/4
Mar 2, 2021 10 tweets 4 min read
We have received a lot questions about the Silver Sparrow malware for macOS after a publication by @redcanary. #ESETresearch has investigated and found that, far from speculations about nation-state malware, it is likely related to adware and pay-per-install schemes. 1/10 We have first seen Silver Sparrow in the wild early September. Our telemetry (although limited) showed under 50 instances of this threat, spread all around the globe. We have monitored the configuration file and never seen any actual payload delivered. 2/10