Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
Researchers: Rishika Desai, Anandeshwar Unnikrishnan
Category: Adversary Intelligence | Industry: Multiple | Motivation: Financial | Region: Global | Source: D4

THREAT | IMPACT | MITIGATION
---|---|---
CloudSEK’s contextual AI digital risk platform XVigil discovered a financially motivated threat actor group, dubbed Eternity, actively operating on the internet and selling worms, stealers, DDoS tools, and ransomware builders.
The activities of the original operators of the Eternity ransomware group can be traced back a couple of years, when they were operating under different names (Vulturi Stealer, Jester Malware, etc.) on multiple forums. The original threat actor operates on GitHub under the name “L1ghtM4n”, which can be read as “LightMan”. The GitHub repository maintained by this actor features various projects. Based on the activity of L1ghtM4n, CloudSEK researchers have mapped out the activities leading to the development of the Eternity malware.
The Eternity group is active on multiple channels and posts updates on all of them, which suggests that it is run by more than one operator. The ransomware builder the group recently put on sale is gaining traction among threat actors. CloudSEK researchers identified a GitHub repository belonging to L1ghtM4n, who is suspected to be one of Eternity’s operators.
Recently, CloudSEK’s Threat Intelligence Research team discovered a sample of Eternity ransomware that encrypts files (the targeted extensions are listed below) and leaves a ransom note.
“pdf”, “pps”, “ppt”, “pptm”, “pptx”, “ps”, “psd”, “vcf”, “xlr”, “xls”, “xlsx”, “xlsm”, “ods”, “odp”, “indd”, “dwg”, “dxf”, “kml”, “kmz”, “gpx”, “cad”, “wmf”, “3fr”, “ari”, “arw”, “bay”, “bmp”, “cr2”, “crw”, “cxi”, “dcr”, “dng”, “eip”, “erf”, “fff”, “gif”, “iiq”, “j6i”, “k25”, “kdc”, “mef”, “mfw”, “mos”, “mrw”, “nef”, “nrw”, “orf”, “pef”, “png”, “raf”, “raw”, “rw2”, “rwl”, “rwz”, “sr2”, “srf”, “srw”, “x3f”, “jpg”, “jpeg”, “tga”, “tiff”, “tif”, “ai”, “3g2”, “3gp”, “asf”, “avi”, “flv”, “m4v”, “mkv”, “mov”, “mp4”, “mpg”, “rm”, “swf”, “vob”, “wmv”, “txt”, “php'”, “html”, “tar”, “gz”, “sql”, “js”, “css”, “txt”, “pdf”, “tgz”, “war”, “jar”, “java”, “class”, “ruby”, “py”, “cs”, “zip”, “db”, “doc”, “xls”, “properties”, “xml”, “jpg”, “jpeg”, “gif”, “mov”, “avi”, “wmv”, “mp3”, “mp4”, “wma”, “acc”, “wav”, “pem”, “pub”, “docx”, “apk”, “exe”, “dll”, “tpl”, “psd”, “asp”, “phtml”, “aspx”, “csv”, “sql”, “mp4”, “7z”, “rar”, “m4a”, “wma”, “avi”, “wmv”, “csv”, “d3dbsp”, “zip”, “sie”, “sum”, “ibank”, “t13”, “t12”, “qdf”, “gdb”, “tax”, “pkpass”, “bc6”, “bc7”, “bkp”, “qic”, “bkf”, “sidn”, “sidd”, “mddata”, “itl”, “itdb”, “icxs”, “hvpl”, “hplg”, “hkdb”, “mdbackup”, “syncdb”, “gho”, “cas”, “svg”, “map”, “wmo”, “itm”, “sb”, “fos”, “mov”, “vdf”, “ztmp”, “sis”, “sid”, “ncf”, “menu”, “layout”, “dmp”, “blob”, “esm”, “vcf”, “vtf”, “dazip”, “fpk”, “mlx”, “kf”, “iwd”, “vpk”, “tor”, “psk”, “rim”, “w3x”, “fsh”, “ntl”, “arch00”, “lvl”, “snx”, “cfr”, “ff”, “vpp_pc”, “lrf”, “m2”, “mcmeta”, “vfs0”, “mpqge”, “kdb”, “db0”, “dba”, “rofl”, “hkx”, “bar”, “upk”, “das”, “iwi”, “litemod”, “asset”, “forge”, “ltx”, “bsa”, “apk”, “re4”, “sav”, “lbf”, “slm”, “bik”, “epk”, “rgss3a”, “pak”, “big”, “wallet”, “wotreplay”, “xxx”, “desc”, “py”, “m3u”, “flv”, “js”, “css”, “rb”, “png”, “jpeg”, “txt”, “p7c”, “p7b”, “p12”, “pfx”, “pem”, “crt”, “cer”, “der”, “x3f”, “srw”, “pef”, “ptx”, “r3d”, “rw2”, “rwl”, “raw”, “raf”, “orf”, “nrw”, “mrwref”, “mef”, “erf”, “kdc”, “dcr”, “cr2”, “crw”, “bay”, “sr2”, “srf”, “arw”, “3fr”, “dng”, 
“jpe”, “jpg”, “cdr”, “indd”, “ai”, “eps”, “pdf”, “pdd”, “psd”, “dbf”, “mdf”, “wb2”, “rtf”, “wpd”, “dxg”, “xf”, “dwg”, “pst”, “accdb”, “mdb”, “pptm”, “pptx”, “ppt”, “xlk”, “xlsb”, “xlsm”, “xlsx”, “xls”, “wps”, “docm”, “docx”, “doc”, “odb”, “odc”, “odm”, “odp”, “ods”, “odt”, “odt”, “ods”, “odp”, “odm”, “odc”, “odb”, “doc”, “docx”, “docm”, “wps”, “xls”, “xlsx”, “xlsm”, “xlsb”, “xlk”, “ppt”, “pptx”, “pptm”, “mdb”, “accdb”, “pst”, “dwg”, “dxf”, “dxg”, “wpd”, “rtf”, “wb2”, “mdf”, “dbf”, “psd”, “pdd”, “pdf”, “eps”, “ai”, “indd”, “cdr”, “dng”, “3fr”, “arw”, “srf”, “sr2”, “mp3”, “bay”, “crw”, “cr2”, “dcr”, “kdc”, “erf”, “mef”, “mrw”, “nef”, “nrw”, “orf”, “raf”, “raw”, “rwl”, “rw2”, “r3d”, “ptx”, “pef”, “srw”, “x3f”, “der”, “cer”, “crt”, “pem”, “pfx”, “p12”, “p7b”, “p7c”, “jpg”, “png”, “jfif”, “jpeg”, “gif”, “bmp”, “exif”, “txt”, “3fr”, “accdb”, “ai”, “arw”, “bay”, “cdr”, “cer”, “cr2”, “crt”, “crw”, “dbf”, “dcr”, “der”, “dng”, “doc”, “docm”, “docx”, “dwg”, “dxf”, “dxg”, “eps”, “erf”, “indd”, “jpe”, “jpg”, “kdc”, “mdb”, “mdf”, “mef”, “mrw”, “nef”, “nrw”, “odb”, “odm”, “odp”, “ods”, “odt”, “orf”, “p12”, “p7b”, “p7c”, “pdd”, “pef”, “pem”, “pfx”, “ppt”, “pptm”, “pptx”, “psd”, “pst”, “ptx”, “r3d”, “raf”, “raw”, “rtf”, “rw2”, “rwl”, “srf”, “srw”, “wb2”, “wpd”, “wps”, “xlk”, “xls”, “xlsb”, “xlsm”, “xlsx”, “wb2”, “psd”, “p7c”, “p7b”, “p12”, “pfx”, “pem”, “crt”, “cer”, “der”, “pl”, “py”, “lua”, “css”, “js”, “asp”, “php”, “incpas”, “asm”, “hpp”, “h”, “cpp”, “c”, “7z”, “zip”, “rar”, “drf”, “blend”, “apj”, “3ds”, “dwg”, “sda”, “ps”, “pat”, “fxg”, “fhd”, “fh”, “dxb”, “drw”, “design”, “ddrw”, “ddoc”, “dcs”, “csl”, “csh”, “cpi”, “cgm”, “cdx”, “cdrw”, “cdr6”, “cdr5”, “cdr4”, “cdr3”, “cdr”, “awg”, “ait”, “ai”, “agd1”, “ycbcra”, “x3f”, “stx”, “st8”, “st7”, “st6”, “st5”, “st4”, “srw”, “srf”, “sr2”, “sd1”, “sd0”, “rwz”, “rwl”, “rw2”, “raw”, “raf”, “ra2”, “ptx”, “pef”, “pcd”, “orf”, “nwb”, “nrw”, “nop”, “nef”, “ndd”, “mrw”, “mos”, “mfw”, “mef”, “mdc”, “kdc”, “kc2”, “iiq”, “gry”, “grey”, “gray”, 
“fpx”, “fff”, “exf”, “erf”, “dng”, “dcr”, “dc2”, “crw”, “craw”, “cr2”, “cmt”, “cib”, “ce2”, “ce1”, “arw”, “3pr”, “3fr”, “mpg”, “jpeg”, “jpg”, “mdb”, “sqlitedb”, “sqlite3”, “sqlite”, “sql”, “sdf”, “sav”, “sas7bdat”, “s3db”, “rdb”, “psafe3”, “nyf”, “nx2”, “nx1”, “nsh”, “nsg”, “nsf”, “nsd”, “ns4”, “ns3”, “ns2”, “myd”, “kpdx”, “kdbx”, “idx”, “ibz”, “ibd”, “fdb”, “erbsql”, “db3”, “dbf”, “db-journal”, “db”, “cls”, “bdb”, “al”, “adb”, “backupdb”, “bik”, “backup”, “bak”, “bkp”, “moneywell”, “mmw”, “ibank”, “hbk”, “ffd”, “dgc”, “ddd”, “dac”, “cfp”, “cdf”, “bpw”, “bgt”, “acr”, “ac2”, “ab4”, “djvu”, “pdf”, “sxm”, “odf”, “std”, “sxd”, “otg”, “sti”, “sxi”, “otp”, “odg”, “odp”, “stc”, “sxc”, “ots”, “ods”, “sxg”, “stw”, “sxw”, “odm”, “oth”, “ott”, “odt”, “odb”, “csv”, “rtf”, “accdr”, “accdt”, “accde”, “accdb”, “sldm”, “sldx”, “ppsm”, “ppsx”, “ppam”, “potm”, “potx”, “pptm”, “pptx”, “pps”, “pot”, “ppt”, “xlw”, “xll”, “xlam”, “xla”, “xlsb”, “xltm”, “xltx”, “xlsm”, “xlsx”, “xlm”, “xlt”, “xls”, “xml”, “dotm”, “dotx”, “docm”, “docx”, “dot”, “doc”, “txt”, “odt”, “ods”, “odp”, “odm”, “odc”, “odb”, “doc”, “docx”, “docm”, “wps”, “xls”, “xlsx”, “xlsm”, “xlsb”, “xlk”, “ppt”, “pptx”, “pptm”, “mdb”, “accdb”, “pst”, “dwg”, “dxf”, “dxg”, “wpd”, “rtf”, “wb2”, “mdf”, “dbf”, “psd”, “pdd”, “pdf”, “eps”, “ai”, “indd”, “cdr”, “jpg”, “jpe”, “jpg”, “dng”, “3fr”, “arw”, “srf”, “sr2”, “bay”, “crw”, “cr2”, “dcr”, “kdc”, “erf”, “mef”, “mrw”, “nef”, “nrw”, “orf”, “raf”, “raw”, “rwl”, “rw2”, “r3d”, “ptx”, “pef”, “srw”, “x3f”, “der”, “cer”, “crt”, “pem”, “pfx”, “p12”, “p7b”, “p7c |
After encryption, the malware proceeds to execute three functions: “DestroyCopy”, “SetStartup”, and “CreateUI”.
DestroyCopy, as the name suggests, destroys the backup copies of the data via WMI. As shown in the following image, the malware accesses the WMI “Win32_ShadowCopy” class and executes its Delete() method. Once Delete runs, the shadow copies are gone and the user can no longer use them to restore the locked files.
SetStartup writes “Eternity” as a new value under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”, pointing to the ransomware binary, as shown in the image below. This runs the ransomware each time the user logs into the system.
The image below is a snapshot of the Run key after execution of the malware sample “sam.exe”.
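The shadow-copy deletion (DestroyCopy) and Run-key persistence (SetStartup) described above are both visible to endpoint telemetry. The following Python detector is an added example written for this page, not code from CloudSEK or from the Eternity sample. It runs over constructed event records shaped like Sysmon Event ID 13 (registry value set) and Microsoft-Windows-WMI-Activity trace records; the field names, process IDs, file paths, the placeholder shadow-copy ID, and the mapping of the .NET Delete() call onto a WMI DeleteInstance operation are all assumptions made for the example.

```python
"""Flag the two post-encryption behaviours described above (shadow-copy
deletion via WMI and Run-key persistence) in a stream of Windows events.

Assumptions for this added example: events are dicts shaped like Sysmon
Event ID 13 (RegistryEvent, value set) and Microsoft-Windows-WMI-Activity
trace records; the .NET ManagementObject.Delete() call the page describes
is assumed to surface as an IWbemServices::DeleteInstance operation. The
records in SAMPLE_EVENTS are constructed, not taken from the real sample.
"""
import re

# Constructed sample telemetry: one ransomware-like process (pid 4242) writing
# a Run-key value that points at sam.exe, then enumerating and deleting shadow
# copies; plus benign noise from a vendor updater and an OS query.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 13, "ProcessId": 4242,
     "Image": r"C:\Users\victim\Downloads\sam.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Eternity",
     "Details": r"C:\Users\victim\Downloads\sam.exe"},
    {"source": "Sysmon", "event_id": 13, "ProcessId": 912,
     "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"source": "WMI-Activity", "event_id": 11, "ClientProcessId": 4242,
     "Operation": r"Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ShadowCopy"},
    {"source": "WMI-Activity", "event_id": 11, "ClientProcessId": 4242,
     "Operation": r'Start IWbemServices::DeleteInstance - root\cimv2 : Win32_ShadowCopy.ID="{PLACEHOLDER-GUID}"'},
    {"source": "WMI-Activity", "event_id": 11, "ClientProcessId": 1337,
     "Operation": r"Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_OperatingSystem"},
]

# A value written under a per-user or machine-wide Run / RunOnce key.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Autorun targets under paths a standard user can write to are the suspicious
# ones; software under Program Files normally needed admin rights to land there.
USER_WRITABLE_RE = re.compile(
    r'^"?[A-Z]:\\(?:Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)', re.IGNORECASE
)
# Any IWbemServices operation whose target is the Win32_ShadowCopy class.
SHADOWCOPY_OP_RE = re.compile(
    r"IWbemServices::(?P<op>\w+) - root\\cimv2 : (?P<target>.*Win32_ShadowCopy.*)",
    re.IGNORECASE,
)
# WMI operations that modify shadow copies, as opposed to merely listing them.
SHADOWCOPY_TAMPER_OPS = {"deleteinstance", "execmethod"}


def check_run_key(event):
    """Sysmon EID 13: a value set under a Run key. Returns a finding or None."""
    if event.get("source") != "Sysmon" or event.get("event_id") != 13:
        return None
    match = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not match:
        return None
    command = event.get("Details", "")
    severity = "high" if USER_WRITABLE_RE.match(command) else "info"
    return {"rule": "run_key_autorun", "severity": severity,
            "pid": event.get("ProcessId"), "value_name": match.group("name"),
            "command": command}


def check_shadow_copy(event):
    """WMI-Activity: enumeration of, or tampering with, Win32_ShadowCopy."""
    if event.get("source") != "WMI-Activity":
        return None
    match = SHADOWCOPY_OP_RE.search(event.get("Operation", ""))
    if not match:
        return None
    op = match.group("op")
    tamper = op.lower() in SHADOWCOPY_TAMPER_OPS
    return {"rule": "shadow_copy_tamper" if tamper else "shadow_copy_enum",
            "severity": "critical" if tamper else "low",
            "pid": event.get("ClientProcessId"), "operation": op}


def scan(events):
    """Run every check over every event and collect the findings in order."""
    findings = []
    for event in events:
        for check in (check_run_key, check_shadow_copy):
            finding = check(event)
            if finding:
                findings.append(finding)
    return findings


def correlate(findings):
    """PIDs that both installed an autorun and tampered with shadow copies:
    the combination seen in the Eternity sample, and rare in benign software."""
    rules_by_pid = {}
    for finding in findings:
        rules_by_pid.setdefault(finding["pid"], set()).add(finding["rule"])
    wanted = {"run_key_autorun", "shadow_copy_tamper"}
    return sorted(pid for pid, rules in rules_by_pid.items() if wanted <= rules)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for finding in results:
        print(f"[{finding['severity']:>8}] {finding}")
    print("ransomware-like PIDs:", correlate(results))
```

To use this against real hosts, Sysmon needs a configuration rule that records value sets under the Run keys (Event ID 13), and the WMI-Activity trace channel is not enabled by default, so it has to be switched on before shadow-copy operations appear. Backup agents legitimately delete shadow copies, so allowlist their Image paths rather than alerting on every tamper finding; the correlation step (autorun plus shadow-copy tampering from the same process) is the signal that is hard for benign software to trip.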
CreateUI plays a crucial role in the ransomware operation: it initializes and launches a Windows Form, as shown in the image below. A Windows Form is the UI element of a desktop application. The malware has a class named PayM3 that represents the Form; CreateUI instantiates the required data and runs the Form.
Once the Form runs, a pop-up appears as shown in the image below. The decryption logic is tied to this Form: it starts the decryption routine when the user submits the correct password generated by the ransomware, as mentioned earlier. Because this Form is critical to decrypting the data, the ransomware, in a more sophisticated touch, hooks the keyboard so that the user cannot close the window, even by accident.
The Form installs a keyboard hook in the function PayM3_Load to intercept events on the user’s keyboard, as shown in the image below. The LowLevelKeyboardProc callback and the SetWindowsHookEx API are used to hook the keyboard, and whenever the user presses a key the system executes the malware’s “captureKey” function. Although keyboard hooks are a commonplace mechanism in spyware and bots, here they are used to achieve a different result.
The hook shown in the following image makes certain that the user does not terminate the Form, whether deliberately or accidentally. It is only interested in intercepting modifier keys such as Shift, Alt, Ctrl and the Windows key, which users typically rely on to forcefully terminate a program or to carry out other tasks such as opening Task Manager.
The Eternity operators use this hook as a fail-safe for the malware. It simply checks whether the pressed key is a modifier key; if so, it returns immediately, so the key press is never registered by the system.
Upon submission of a valid password to the Form, it executes a function called “UndoAttack” that decrypts the locked data.
Contact addresses found |
---|
TG: RecoverdataU; Mail: [email protected] |

Impact | Mitigation
---|---

Project Name | Associated Contact
---|---
Vulturi Stealer | XMPP: [email protected]; Email: [email protected]; Telegram: @vulturi_project
Jester Malware | Telegram: https://t.me/Jester_Stealer; Jabber: [email protected]; TOX ID: BB9AFAD6FDE0FC274349742F9C96186FB5A29A16D7CFF554EBF243AE7834100E78A3CB568DA8
Eternity Malware | Telegram: @EternityTeams / @EternityDeveloper / @eternitymalware / @Eternityprojects; Jabber: [email protected]; GitHub: https://github.com/L1ghtM4n; Email: [email protected]