PlushDaemon compromises supply chain of Korean VPN service
ESET researchers have uncovered a previously undisclosed APT group, PlushDaemon, linked to China, which executed a supply-chain attack on a South Korean VPN developer in 2023. The attackers replaced the legitimate VPN installer with a malicious version that deployed a sophisticated backdoor known as SlowStepper. This backdoor features a comprehensive toolkit with over 30 components, allowing extensive cyber espionage capabilities.…
Summary: ESET researchers have uncovered a critical zero-day vulnerability (CVE-2024-9680) in Mozilla products, exploited by the Russia-aligned group RomCom. This vulnerability allows arbitrary code execution in the browser context, enabling the installation of RomCom’s backdoor. The exploit is linked to another Windows vulnerability (CVE-2024-49039), highlighting a sophisticated attack chain that requires no user interaction.…
Summary: ESET researchers have uncovered two Linux backdoors, WolfsBane and FireWood, attributed to the Gelsemium APT group, marking a significant shift in their malware strategy. WolfsBane is a Linux counterpart to the Windows Gelsevirine, while FireWood’s connection remains uncertain. These tools are primarily aimed at cyberespionage, targeting sensitive data and maintaining persistent access.…

Summary:

On October 28, 2024, a collaborative effort led by the Dutch National Police, FBI, and Eurojust resulted in the takedown of the RedLine Stealer malware-as-a-service operation, along with its clone META Stealer. This operation, named Operation Magnus, involved the seizure of servers and domains, and the arrest of individuals linked to the operation.…

Short Summary:

ESET researchers have uncovered new Rust-based tools associated with the Embargo ransomware, first detected in June 2024. The toolkit includes MDeployer, a malicious loader, and MS4Killer, an EDR killer, both tailored to disable security solutions in targeted environments. The active development of these tools indicates a sophisticated approach to ransomware deployment.…

Short Summary:

The article discusses the evolving tactics of the Telekopye scam toolkit, which has expanded its operations to target users of accommodation booking platforms like Booking.com and Airbnb. ESET researchers provide insights into how these cybercriminals optimize their scams to maximize financial gains, including the use of compromised accounts and sophisticated phishing techniques.…

Short Summary:

ESET researchers have uncovered a series of cyberespionage attacks attributed to the APT group GoldenJackal, targeting governmental organizations in Europe. The group has utilized sophisticated tools to compromise air-gapped systems, aiming to steal confidential information. This blogpost details the previously undocumented tools and their functionalities, highlighting GoldenJackal’s capabilities and persistence in targeted networks.…

Short Summary:

ESET researchers have identified a new China-aligned threat actor named CeranaKeeper, which has been targeting governmental institutions in Thailand since 2023. This group utilizes advanced techniques and tools, including revamped components previously linked to Mustang Panda, to exfiltrate sensitive data through legitimate cloud services like Dropbox and OneDrive.…

Short Summary:

ESET researchers have documented the activities of the CosmicBeetle threat actor, focusing on its newly developed ScRansom ransomware. This group has replaced its previous ransomware, Scarab, with ScRansom, which is continuously being improved. CosmicBeetle has been observed deploying ScRansom to SMBs globally while attempting to leverage the reputation of established ransomware gangs like LockBit and RansomHub.…

Short Summary:

ESET researchers identified a code execution vulnerability (CVE-2024-7262) in WPS Office for Windows, exploited by the APT-C-60 group to target East Asian countries. A subsequent analysis revealed another vulnerability (CVE-2024-7263). Both vulnerabilities have been patched, and this blog post discusses the technical details of the findings.…

Short Summary:

ESET researchers have identified a crimeware campaign targeting clients of three Czech banks, utilizing a novel Android malware named NGate. This malware relays data from victims’ payment cards to attackers, enabling unauthorized ATM withdrawals without the need for rooting the victims’ devices.

Key Points:

Attackers employed social engineering, phishing, and Android malware in a unique attack scenario.…

Short Summary:

This blogpost discusses a novel phishing campaign targeting mobile users, particularly clients of Czech banks, through the use of Progressive Web Applications (PWAs) and WebAPKs. The campaign employs social engineering tactics to deceive users into installing malicious applications that mimic legitimate banking apps, leading to credential theft without traditional security warnings.…

Short Summary:

ESET Research identified multiple phishing campaigns targeting small and medium-sized businesses in Poland during May 2024, utilizing ModiLoader to distribute various malware families, including Rescoms, Agent Tesla, and Formbook. The campaigns leveraged compromised email accounts to enhance credibility and facilitate data exfiltration.

Key Points:

ESET detected nine notable ModiLoader phishing campaigns in May 2024 across Poland, Romania, and Italy.…

In the past few months, the Telegram clicker game Hamster Kombat has taken the world of cryptocurrency game enthusiasts by storm. Even though the gameplay, which mostly entails repeatedly tapping the screen of one’s mobile device, might be rather simple, players are after something more: the possibility of earning big once Hamster Kombat’s creators unveil the promised new cryptocoin tied to the game.…

ESET Research

ESET researchers discovered a zero-day Telegram for Android exploit that allows sending malicious files disguised as videos

Lukas Stefanko

ESET researchers discovered a zero-day exploit that targets Telegram for Android, which appeared for sale for an unspecified price in an underground forum post from June 6th, 2024.…

Malware research involves studying threat actor TTPs, mapping infrastructure, analyzing novel techniques… And while most of these investigations build on existing research, sometimes they start from a hunch, something that looks too simple. At the end of 2023, we stumbled upon an installer named HotPage.exe that deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers’ network traffic.…

ESET researchers have identified five campaigns targeting Android users with trojanized apps. Most probably carried out by the Arid Viper APT group, these campaigns started in 2022 and three of them are still ongoing at the time of the publication of this blogpost. They deploy multistage Android spyware, which we named AridSpy, that downloads first- and second-stage payloads from its C&C server to help it avoid detection.…

ESET researchers discovered two previously unknown backdoors – which we named LunarWeb and LunarMail – compromising a European ministry of foreign affairs (MFA) and its diplomatic missions abroad. We believe that the Lunar toolset has been used since at least 2020 and, given the similarities between the tools’ tactics, techniques, and procedures (TTPs) and past activities, we attribute these compromises to the infamous Russia-aligned cyberespionage group Turla, with medium confidence.…