A DEEP DIVE INTO ETERNITY GROUP - A new emerging Cyber Threat May 2022
A DEEP DIVE INTO ETERNITY GROUP CYBERSECURITY ANNUAL REPORT

Date: 18/05/2022
Activity: Report delivery
Author: Luigi Martire, Carmelo Ragusa
Table of Content

  Introduction ... 6
  Eternity/Jester Group ... 7
  The Arsenal ... 11
    Jester Stealer ... 12
      Web Injection Module ... 17
      Config Decryption ... 18
    Merlynn Clipper ... 20
      Config Decryption ... 23
    Trinity Miner ... 24
    Lilith Botnet ... 26
      Config Decryption ... 31
  February 2022: the rebrand ... 32
    Eternity Worm ... 34
    Eternity Ransomware ... 39
  Conclusion ... 43
  Appendix ... 44
    Indicators of Compromise ... 44
      Jester Stealer ... 44
      Merlynn Clipper ... 46
      Trinity Miner ... 46
      Lilith Botnet ... 46
      Eternity Ransomware ... 46
      Eternity Worm ... 46
    Yara Rules ... 47
Introduction

Every month new threats are developed and sold in the underground forums, and each of them can grow into a severe security risk. Monitoring the darknet is therefore fundamental for threat research and proactive defense. During our investigations, we at Yoroi Malware ZLab found a new emerging cyber-criminal group with great potential to become an essential factor in the cyber security threat landscape. This threat actor calls itself “Eternity Group,” previously “Jester Group”; we internally track it as “TH-320”. The group has been active since at least July/August 2021, when it developed and released its first malware, Jester Stealer, with an extensive sponsorship campaign on the main underground forums. The group's capabilities then increased, and it released other malicious software. For all these reasons, we decided to dig into these malicious operations and create a comprehensive whitepaper where we share all the information we have about the threat actor.
Eternity/Jester Group

During our investigation of this threat, it emerged that TH-320 had covered a large field of malware writing during its activity period. Their primary objective is to make money from selling and using malware. Therefore, we summarized all the information, classified the TTPs in the following flashcard, and reconstructed the history of the entire group in a comprehensive timeline:

Figure 1: Eternity Group (aka TH-320, Jester Group)

The first activities date back to July/August 2021, when the group emerged on 16 different forums and started to publish information about their malicious products.
Figure 2: Advertising panel of the Eternity Group inside the darknet forums

The group writes both in English and Russian, so we believe they could have connections with the Russian environment. Furthermore, their activity isn't limited to the development of malware but also includes selling private courses and manuals. That model is helpful to them for two reasons: the first is fast money, and the second is that they can leverage the course materials to find other members for their group. An example of the interaction inside the Telegram channel is the following:

Figure 3: JesterGroup Course Advertising
The first activity we found related to them was the selling of Jester Stealer, which has been gaining rapid popularity. It grasped our attention, so we decided to research it and found several samples. Later, we found other collateral malicious projects built to enlarge their selling capabilities; these are the names:
• Jester Stealer
• Merlynn Clipper
• Trinity Miner
• Lilith Botnet

Pivoting on the information published on social networks and their public usernames, we identified at least three active members of the cyber-crime gang. Their nicknames are:
• LightM4n (aka L1ghtM4n)
• Voipdiprincipedibeler2 (aka PRINCIPEDIBELER, PRINCIPEDIBELER2)
• drkust0m

Among the three identified members, LightM4n seems to be the main developer and has several projects on GitHub:

Figure 4: L1ghtM4n's GitHub Account

One of the most complex jobs in our activity is tracking the people behind a threat actor. In this paper, we were able to identify the principal operators and developers of the cyber gang and their roles inside it. The following scheme shows the members of Eternity Group and their products; the role of “dr.kust0m” and “Voipdiprincipedibeler2” is to advertise the products on many Telegram channels.
Figure 5: Scheme of the members

The last step in keeping track of Eternity Group is to reconstruct the chronological timeline of its evolution. So, we tracked the first evidence of advertising inside many darknet forums and followed it up to their latest products. The group gained popularity very quickly thanks to affiliated groups' advertising, as proved by the scammers who have tried to impersonate them. Now they have released a complete arsenal of malware for every type of need of a cyber-criminal. This is a clear sign that we may expect many campaigns related to their products.
Figure 6: Timeline

All the tools the cyber gang developed are the targets of the following analysis and dissection. This operation helps keep track of the TTPs and the evolution of the cyber arsenal.

The Arsenal

The group is constantly developing new malicious code and new features for its cyber arsenal, making it a complete malicious profit-making company. The following section provides some technical insights for each sample belonging to the gang.
Jester Stealer

The first malicious product developed by the threat actor is Jester Stealer. We have evidence that the first versions of the malware date back to July/August 2021. The following screen is its advertising panel:

Figure 7: Jester Stealer capabilities advertising

Hash: 6f7f22d44491f9768519ae4aafc93a543d37186a9ccd1e197e29014a48c13095
Threat: Jester Stealer
Brief Description: .NET Stealer
SSDEEP: 3072:uKmAqKt6JmD1KieL8U0Hpf/ReAS7s3LYLsz6dh2OGYD9KKRFxsbeKD5uYCC1Mrvs:uKR68Zxe4buu3Wsz6dhLGmFSbvMKqO

The sample's preliminary routines are a kill-switch, anti-analysis techniques and the creation of a mutex. The kill-switch works in this way: the bytes of salt_upload_data are hashed with SHA256, and the hash names the registry key “HKEY_CURRENT_USER\SOFTWARE\{hash}\state”; if the value of state equals 1, the sample exits.
Figure 8: Killswitch

After these checks, the sample executes the core function devoted to stealing: a thread is started for each category of stolen data. Finally, the information is stored inside .txt files and then zipped. The peculiarity of this sample is that the archive and the files are created in memory.

Figure 9: Routine devoted to the stealing
The following is the complete catalog of the stolen data:

Category | Stolen Information
System | Windows Password Vault, Windows Credentials Manager, List of available networks, Screenshot
Gaming | Steam, Twitch, OBS
FTP | FileZilla, WinSCP, CoreFTP, Snowflake
VPN | NordVPN, EarthVPN, WindScribeVPN
Browsers | Chrome, Firefox, 360Browser, 7Star, Amigo, Brave, Citrio, CentBrowser, Chedot, Chromodo, CocCoc, Comodo, Coowon, Elements, Epic, Iridium, K-Melon, Kometa, Atom, ChromePlus, Maxthon3, Edge, Nichrom, Opera, Orbitum, QIP Surf, Sputnik, Torch, Uran, Vivaldi, Yandex, Liebao, Uran, Chromium
Messengers | Telegram, Discord, Pidgin, Outlook, FoxMail, WhatsApp, Signal, RamBox
Wallets (Address, Balance, Transactions) | MoneroCore, BitcoinCore, DashcoinCore, DogecoinCore, LitecoinCore, Electrum, Exodus, Atomic, Jaxx, Coinomi, ZCash, Guarda, Wasabi, MetaMask, TronLink, BinanceChain, Coin98, iWallet, Wombat, MEW CX, NeoLine, Terra Station, Keplr, Sollet, ICONex, KHC, TezBox, Byone, OneKey, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Leaf Wallet, Cyano Wallet, Cyano Wallet Pro, Nabox Wallet, Polymesh Wallet, Nifty Wallet, Liquality Wallet, Math Wallet, Coinbase Wallet, Clover Wallet, Yoroi, EQUAL Wallet, BitApp Wallet, Auro Wallet, Saturn Wallet, Ronin Wallet
Password Managers | BitWarden, KeePass, NordPass, 1Password, RoboForm, Dashlane, Keeper, LastPass, BrowserPass, MYKI, Splikity, CommonKey, Zoho Vault, Norton, Avira, Trezor, Authenticator, SSO Authenticator, EOS Authenticator
Files Grabber |
Table 1: Jester Stealer targeted information

Then, Jester Stealer proceeds to exfiltrate the stolen information. Once the harvested information is compressed, the malware sends it to the C2. The exfiltration model provides a primary C2 inside the TOR network and uses the AnonFiles hosting service as a secondary solution.
Figure 10: Exfiltration over TOR

In detail, if the C2 is hidden behind the TOR network, the sample enables a proxy. The proxy is enabled by executing the tor command-line tool downloaded from the actor's GitHub repository. Once the proxy is up, the sample sends a POST request with the AES-encrypted zip and a summary of the stolen information in the header. Otherwise, if the C2 is offline, the sample uploads the .zip using the AnonFiles API; in this case, the data contained in the .zip is not encrypted, and the file name is the Username concatenated with the MachineName.

Figure 11: Exfiltration over Anon Files

System information is also included as the comment of the archive containing all the stolen data:
Figure 12: Archive comment
Web Injection Module

During the analysis, we noticed some interesting Javascript strings: the stealer uses Chrome's remote debugging utility to execute arbitrary Javascript code. The web inject can be very useful to the operator when the victims have no saved credentials and the targeted data isn't available to harvest from a desktop application:

Figure 13: Web Injection capability

The following is a list of the targeted websites along with the stolen information:
Target | Content
Title | document.title
Current URL | window.location.href
User Agent | Navigator.userAgent
Paypal | Browser, Profile, Username, Password, Balance, Cards
Steam | Browser, Profile, Login, Email, Guard State, Balance, Inventory Items
Facebook | Browser, Profile, Access Token
GitHub | Id, Browser, Profile, Account Name, Subscribers, Repositories
Youtube | Id, Browser, Profile, Channel Name, Subscribers
Wallets | Balance, Addresses
Credit Cards | Country, Type, Holder
Instagram | Account Name, Browser, Profile, Subscribers
Table 2: Targeted websites

Config Decryption

The config is protected with BASE64 + AES (CBC, 128): as the first step, the strings are decoded from BASE64 and then AES-decrypted.
Figure 14: Jester Stealer Config

The config is made of:

Field to decrypt | Decrypted configuration
mutex |
key_upload_data | Key used to encrypt the files with AES during the exfiltration
salt_upload_data | String used as salt to hash the key with SHA256 (can be used as campaign identifier)
C2 |
anonfiles_token | Used as backup if the C2 is offline; the token is part of the anonfiles API
check_key_verify | The hardcoded SHA256 of key_upload_data, used to verify that the hash is the same
Table 3: Jester Stealer config
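The kill-switch registry key and the check_key_verify field described above both reduce to a SHA256 computation that a defender can reproduce from an extracted config. The following Python is an added example, not code from the report or from the malware: given a decrypted config, it derives the registry key the stealer consults, replicates the check_key_verify comparison, and looks the key up in a .reg-style export of a suspect host. The config values and the registry export are constructed for illustration; the UTF-8 encoding of the salt and the lowercase hex formatting of the digest are assumptions, since the report does not state them.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-ins for a decrypted Jester Stealer config (fields from Table 3).
# They are NOT values from any real sample; the report does not publish them.
SAMPLE_CONFIG = {
    "key_upload_data": "constructed-aes-key-0123456789ab",
    "salt_upload_data": "constructed-campaign-salt",
    # per the report, check_key_verify is the hardcoded SHA256 of key_upload_data
    "check_key_verify": hashlib.sha256(b"constructed-aes-key-0123456789ab").hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def killswitch_registry_key(salt_upload_data: str) -> str:
    """Derive HKEY_CURRENT_USER\\SOFTWARE\\{hash} from salt_upload_data.

    The report states the salt bytes are SHA256-hashed and the digest names the
    key whose 'state' value the stealer consults. UTF-8 encoding of the salt and
    lowercase hex formatting of the digest are assumptions of this example and
    should be confirmed against a real sample before hunting with the result.
    """
    return "HKEY_CURRENT_USER\\SOFTWARE\\" + sha256_hex(salt_upload_data.encode("utf-8"))


def verify_upload_key(key_upload_data: str, check_key_verify: str) -> bool:
    """Replicate the config self-check: SHA256(key_upload_data) must equal check_key_verify."""
    return sha256_hex(key_upload_data.encode("utf-8")) == check_key_verify.strip().lower()


_SECTION = re.compile(r"^\[(.+)\]$")
_STATE = re.compile(r'^"state"=dword:([0-9a-fA-F]{8})$')


def read_killswitch_state(reg_export: str, key: str) -> Optional[int]:
    """Return the DWORD 'state' stored under key in a .reg-style export, or None if absent."""
    current = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            current = section.group(1)
            continue
        if current is not None and current.lower() == key.lower():
            value = _STATE.match(line)
            if value:
                return int(value.group(1), 16)
    return None


def triage_host(reg_export: str, config: dict) -> dict:
    """Hunting verdict for one host's registry export against one extracted config."""
    key = killswitch_registry_key(config["salt_upload_data"])
    state = read_killswitch_state(reg_export, key)
    return {
        "killswitch_key": key,
        "state": state,
        "killswitch_armed": state == 1,  # the sample exits when state equals 1
        "config_key_consistent": verify_upload_key(
            config["key_upload_data"], config["check_key_verify"]
        ),
    }


# Constructed .reg export: one unrelated key plus the derived kill-switch key with state=1.
SAMPLE_REG_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_CURRENT_USER\\SOFTWARE\\SomeVendor]",
    '"Installed"=dword:00000001',
    "",
    "[" + killswitch_registry_key(SAMPLE_CONFIG["salt_upload_data"]) + "]",
    '"state"=dword:00000001',
])

if __name__ == "__main__":
    for field, value in triage_host(SAMPLE_REG_EXPORT, SAMPLE_CONFIG).items():
        print(f"{field}: {value}")
```

The same derivation lets a hunter turn each salt_upload_data recovered from a campaign into a concrete registry path to search for across endpoint registry exports, and the self-check catches a config that was decrypted with the wrong key before any of its values are trusted.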
Merlynn Clipper

Merlynn Clipper doesn't differ from the usual .NET clipper; its strong points are the constant updates and the many supported cryptocurrencies.

Figure 15: Merlynn Clipper Advertising

Hash: f948fc3a5970cc6bc0b8b767ec89864daa2542eb09b32a9c952070c8d9ec3e99
Threat: Merlynn Clipper
Brief description: .NET Clipper
SSDEEP: 192:oC1NpyPG0AdGyQZpmzWRdIoOrESLnvD/4L8oCXrsujzJoHY568Fs2TvZ/cV4IMJw:oeasdGhioOr5nvD/rPjz+45Nvnye

Merlynn replaces a cryptocurrency address in the clipboard with the one specified in the config, which is editable inside a builder:
Figure 16: Merlynn Clipper Builder

In the main method, the sample calls the function Install to achieve persistence by copying itself into the Startup directory. Once done, it uses AddClipboardFormatListener and WndProc to monitor changes in the victim's clipboard.

Figure 17: Merlynn Clipper Main
Inside the method “ModifyClipboard,” which is the core of the sample, the clipper replaces the address and sends some logs to a Telegram bot.

Figure 18: Merlynn Clipper Core Routine

These are the currently supported cryptocurrencies:

Figure 19: Merlynn Clipper supported cryptocurrencies
Config Decryption

The addresses and Telegram tokens in the config are AES-encrypted; the key can be easily found in the same class.

Figure 20: MerlynnClipper Config decryption

In the analyzed sample, we found the following wallets:

Field to decrypt | Decrypted configuration
xmr | D47hVqg4ztcXE8dBe8JP6Q4KGu6FosHMUZNxkqi2EVXuCcfwkhKjrfxvL8E2X5vy4Mb8KihxnMEsoDXP8fV647yeARRhsv5C
btc | 1MnCfFdcyrMFcnXJPr4WN5nzTz1ssNcGp7
eth | 0x3e1769F695e9cc77349Ee7fD5D832Cdad272E477
doge | DEc5jVH4mtEhnXNJADiV7Up1K6RuWWoL1Y
ltc | LdYqPNQyHT41aFjiUTbq1AzrQSJVWfwD4y
xrp | rNCs8WjvZj2TQ2REEWF6EHyQQqs1GQHkZS
dash | XouJhwrxkS5W3y9o8zyFuc1f1uUr25MUEq
TelegramChatId | 1504112609
TelegramBotToken | 2097658010:AAFGimMzIL1tvl8SnDSJIEJ14d2Ffc7KtZw
Mutex | 08ab2ccb-64df-4ec9-97a0-9c3f8eb282cc
Table 4: Merlynn Clipper config

Trinity Miner

Trinity Miner doesn't limit itself to just executing XMRig; it tries to be as stealthy as possible compared to other miners.

Figure 21: Trinity Miner Advertising

Hash: 4ec2be2e2e2bc0dfdc9b8c741fbfab0432f045716d27c3b27ac16fad4cb47dab
Threat: Trinity Miner
Brief description: .NET XMRig dropper
SSDEEP: 49152:qzuzgsK8XCwKyblc81KsH7FtfcaSPL/e6988MKMTq3xJTaUbEyit:zzgEywKybm81KQ7F9caSPi69893Oj81t

The main method is responsible for creating the mutex with a hardcoded string, setting up persistence in the Startup folder and executing XMRig, which is contained, compressed, in the sample's resources.
Figure 22: Trinity Miner Main method

The sample then checks via WMI whether XMRig is already running. Inside the Start function, the arguments are formatted, and XMRig is injected using the process hollowing technique.

Figure 23: Evidence of Process Hollowing API calls

When the program hollows Explorer, the process injection behaviour looks like the following:
Figure 24: Trinity Miner Process Injection into explorer.exe

Lilith Botnet

Lilith Botnet is the “all in one” solution provided by the Eternity Group. It has the classic botnet functions plus Jester Stealer, Merlynn Clipper and Trinity Miner capabilities.

Figure 25: Lilith Botnet Advertising

Hash: 150d348ba6d84cd7095f78719e83c7a8ab1445f0d68ae5886f4e731b5aa5882e
Threat: Lilith Botnet
Brief description: .NET Botnet with Stealer and Miner modules
SSDEEP: 3072:4GzAFH91sQf3ws/PYNnJDZwuK4I+4zgG+mgzWHz+T/qF+bLr5jEt1IZFMCC0gvRs:4Gz/nPPS+mgzMqSF+bLJEt1ku/
Once the sample starts, three checking methods are executed: the first is a license validation; the second is an anti-VM check, where the WMI query “SELECT * FROM Win32_PortConnector” is issued; the last one checks for the presence of some modules related to virtualization programs or antivirus products:
• SbieDll
• SxIn
• Sf2
• snxhk
• Cmdvrt32

The sample then creates a mutex and copies itself to the startup folder. When the preliminary routines have been executed, Lilith Botnet registers the victim, sending the first information to the C2. Then, depending on whether the C2 is located inside the TOR network, the sample enables the proxy using the same function seen in Jester Stealer.

Figure 26: LilithBot sending victim's information

The response is AES-decrypted. If it contains the string “registered successfully,” the sample can also update the config field “commandCheckInterval”, used in the Sleep inside the function that determines whether the C2 is offline or the victim's network is offline.
Figure 27: Checking network status

The value of “parameters” in this case is the command “getCommands”; if the command is successfully retrieved, the sample starts a thread of the core function.
Figure 28: LilithBot preparing to receive commands

This is the list of all the available commands:

Command | Description
Lilith:ServerOffline | The C2 is offline
Lilith:NetworkOffline | The victim's network is offline
Lilith:EncKeyFailed | AES decryption failed
DDOS:HttpGET | GET requests to a specific target, using the following format: target?=
Advertising:YouTube_ViewVideo | The sample uses the same web injection methods as Jester Stealer; a new tab with the passed video URL is simply created
Lilith:UpdateConfiguration | N/A
DDOS:TCPFlood | TCP flood with a random buffer of length between 600-2300
DDOS:UDPFlood | UDP flood with a random buffer of length between 60-400
Advertising:YouTube_Subscribe | New tab of the given channel URL, injection of the following Javascript: “document.querySelector(\"#subscribe-button > ytd-subscribe-button-renderer > tp-yt-paper-button > yt-formatted-string\").click();”
Lilith:UpdateClient | Update of the client
Dropper:DownloadExecute | Downloads and executes a given payload; based on the arguments passed, the operator can choose to bypass the UAC and execute as admin
Lilith:DeleteClient | Deletes all the created artifacts except extra payloads downloaded with “Dropper:DownloadExecute”
Advertising:YouTube_Dislike | New tab of the given video URL, injection of the following Javascript: "document.querySelector(\"#top-level-buttons-computed > ytd-toggle-button-renderer:nth-child(1) > a\").click();", "document.querySelector(\"#top-level-buttons-computed > ytd-toggle-button-renderer:nth-child(2) > a\").click();"
NetDiscover:ScanNetwork | Uploads to the C2 as “Network.txt”: IP, MAC, Vendor, Hostname, Ports
Miner:StopMiner | Stops the miner process
DDOS:StopAttacks | Stops a running DDOS method
Dropper:ExecuteScript | Executes a given script as BAT or Powershell
Advertising:YouTube_ViewStream | New tab of a given stream URL
Stealer:RecoverCredentials | Jester Stealer methods
Advertising:YouTube_Like | New tab of the given video URL, injection of the following Javascript: "document.querySelector(\"#top-level-buttons-computed > ytd-toggle-button-renderer:nth-child(2) > a\").click();", "document.querySelector(\"#top-level-buttons-computed > ytd-toggle-button-renderer:nth-child(1) > a\").click();"
DDOS:HttpPOST | POST request flood with a random buffer of length between 90-400
Miner:StartMiner | Trinity Miner methods
Lilith:ExitClient | Stops threads, browser, miner and terminates itself
Table 5: Lilith Botnet commands

Config Decryption

Like the others, the config is encrypted with AES, as you can see from the following figure:

Figure 29: Lilith Botnet Config

Field to decrypt | Decrypted configuration
clientId | GUID
hostname | hxxp://31.44.5.14:4545/gate/{0}/{1}
encKey | c4d8c7f433c1e79afe4eff3a4b05c7c9
owner | admin
license | 0FD5E4066478E3DD29AB263903CBA0F3
Table 6: Lilith Botnet Config
February 2022: the rebrand

On February 1st, a message from Jester Group announced a complete rebrand of the group due to the many reports of scammers, claiming it would not be a simple rebrand but would include a new name, new projects and more.

Figure 30: Jester Group announcing the rebrand

The new group has officially operated since 02/02/2022 under the name “Eternity” and started publishing new malware: a worm, a ransomware and a RAT, respectively called “EternityWorm,” “EternityRansomware,” and “EternityRAT.” On April 10th, they claimed that more than 300 users were registered in the Telegram bot (used as a builder for all the projects).
Figure 31: Eternity Group showing the registered users

The homepage of the group reveals that they have six malware available for purchase:

Figure 32: Eternity Group official website
Some of them have already been discussed above; we now focus on the new malware developed after the rebranding operation.

Eternity Worm

Eternity Worm is the first malware developed after the rebrand.

Figure 33: Eternity Worm advertising

Once executed, the worm performs a mutex check, creating the mutex from a hardcoded string, which in this case is “hnvkwqubmk”. It then copies itself to “%appdata%\Local\ServiceHub” and sets up a scheduled task, with the highest priority if running as administrator and a limited one otherwise; finally, it deletes itself from the old location and executes again from the new one.
Figure 34: Setting up the persistence

The sample now retrieves two payloads:
• The first one comes from “hxxp://c.vinhall169.]com/w.exe” and is the worm itself.
• The second is Eternity Clipper, from hxxp://c.tronlink.]golf/sa/c.exe.

Figure 35: Downloading payloads
While downloading the payloads and setting up the persistence, the sample creates a list of threads and adds the core routines of its features to that list. One of these malicious features is Discord spam, which starts by checking that the string “Look at this. Very good stuff.[URL]” isn't equal to “0”; it then gets the username and iterates the victim's channels. The username is retrieved by making a GET request to “hxxps://discord.]com/api/users/@me”, which returns a JSON document, and composing “username#” + the value of the field “discriminator”; the channels are retrieved with a request to “hxxps://discord.]com/api/users/@me/channels”, and the result is iterated to get the IDs:

Figure 36: Setting up discord spam

The worm now iterates the list of IDs and, for each one, calls the method “SendMessage”: the message is sent by making a POST request to “hxxps://discord.]com/api/v9/channels/{0}/messages”, formatted with the channel ID, and its content is “Look at this. Very good stuff.[URL]”, with [URL] replaced by the payload.

Figure 37: Sending spam messages
The following routine is for the spam on Telegram. After retrieving the private keys, the sample downloads a payload from “hxxp://iqox575zftwvbkphhnbdxkg6pfrgcmeos3rebjwdt6ra2r73u5iq2jqd.]onion/shared/worm.exe”, which unfortunately we were unable to get; this payload is then executed with the key as an argument.

An interesting feature of this worm is the capability to infect the Python interpreter. It starts by iterating the directory “%appdata%\Local\Programs\Python”; for each Python version it gets the file “Lib\os.py” and passes it as an argument to the method “Execute,” which takes the parameters “targetFile” (the os.py file), “url” (the payload) and “at_start” (a boolean indicating whether the payload is written at the start of the file or not).

Figure 38: Infecting “os.py”

The URL is passed to the method “PreparePayload”, which writes the following Python code:

Figure 42: Payload inside os.py
The Base64 string contains the code you can see immediately under it: there are a couple of “try” and “except” statements aimed at downloading the payload from the URL “hxxp://c.vinhall169.com/w.]exe” into the temporary path and executing it.

The last methods are for the infection of USB drives, local files and the cloud. For the local files, the sample iterates these directories:
• Desktop
• MyPictures
• Documents

For the cloud:
• DropBox
• Google Drive
• OneDrive

Files with the extension .py or .pyw are infected using the same technique as for the interpreter. Files with the following extensions, “.zip, .exe, .jar, .pdf, .docx, .xlsx, .pptx, .mp3, .mp4, .png”, are replaced with a sample contained in the resources of “DarkBuilder.dll”, a recurrent library written by L1ghtM4n that helps while writing malicious code and is present in several malicious artifacts. This resource is called “JoinerStub”: the worm takes the original file and writes two resources, “” and “k,”; the first contains the file, and the second contains 32 random bytes used to XOR the file. The same process applies to the payload.

Figure 39: Binding method

The “JoinerStub” works in the following way: it iterates the resources, decrypts them, writes the decrypted sample in the “%temp%” directory and, if the sample extension is contained in the list “.exe, .com, .scr, .pif, .bat, .cmd, .vbs, .js, .py, .jar”, sleeps for 1 second and then executes it. Eternity Worm also spoofs the extension using the RTLO (Right-to-Left Override) technique.

Eternity Ransomware

Eternity Ransomware is the latest malware developed. It uses AES+RSA; it is simple but has some interesting features.

Figure 40: Eternity Ransomware

Once executed, it checks the arguments passed: if there are none, it creates a mutex from the hardcoded string “rbziwoehbr”; if “--debug” is passed instead, the mutex is not created.

Figure 41: Mutex Creation

Once the mutex has been created, the sample tries to avoid detection of its activities by disabling or killing specific tools, such as the Task Manager, by modifying the registry key “Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr” and by starting a thread that kills processes whose names contain these strings: “taskmgr, processHacker, procmon, procmon64, mmc”.
Figure 42: Eternity Ransomware defensive capabilities

The ransomware proceeds to inhibit system recovery by iterating the restore points and removing them with SRRemoveRestorePoint; it also deletes shadow copies by executing “vssadmin delete shadows /all /quiet”.

Figure 43: Eternity Ransomware avoiding system recovery

Then, it adds the registry key “HKCU\Software\Classes\.ecrp\shell\open\command” so that it is executed when the victim tries to open an encrypted file.
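The behaviours described for Eternity Worm (RTLO extension spoofing, rewriting Lib\os.py under a per-user Python install) and for Eternity Ransomware (the vssadmin shadow-copy deletion, the DisableTaskMgr policy, the .ecrp shell handler and the EncryptedKeys registry store) each leave a host artifact that endpoint telemetry can alert on. The following Python is an added example, not part of the report, that runs one rule per artifact over Sysmon-style JSON-lines events (EventID 1 process create, 11 file create, 13 registry value set, with the usual Image, CommandLine, TargetObject, Details and TargetFilename fields). The events are constructed for illustration and include benign records (a "vssadmin list shadows" and an ordinary PDF write) that the rules must leave alone.

```python
import json
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# U+202E RIGHT-TO-LEFT OVERRIDE: makes "invoice_<RTLO>fdp.exe" render as "invoice_exe.pdf".
RTLO = "\u202e"


def _field(event: Event, key: str) -> str:
    return str(event.get(key, ""))


def shadow_copy_deletion(e: Event) -> bool:
    """Process creation running vssadmin to delete shadow copies (Eternity Ransomware)."""
    return e.get("EventID") == 1 and re.search(
        r"vssadmin(\.exe)?\s+delete\s+shadows", _field(e, "CommandLine"), re.IGNORECASE
    ) is not None


def taskmgr_disabled(e: Event) -> bool:
    """DisableTaskMgr set to 1 under Policies\\System (Eternity Ransomware)."""
    return (
        e.get("EventID") == 13
        and _field(e, "TargetObject").lower().endswith("\\policies\\system\\disabletaskmgr")
        and "0x00000001" in _field(e, "Details").lower()
    )


def ecrp_handler_registered(e: Event) -> bool:
    """Shell open command registered for the .ecrp extension (Eternity Ransomware)."""
    return e.get("EventID") == 13 and (
        "\\software\\classes\\.ecrp\\shell\\open\\command" in _field(e, "TargetObject").lower()
    )


def encrypted_key_store_written(e: Event) -> bool:
    """RSA-wrapped per-file AES keys written under Software\\Chrome\\EncryptedKeys."""
    return e.get("EventID") == 13 and (
        "\\software\\chrome\\encryptedkeys" in _field(e, "TargetObject").lower()
    )


def rtlo_in_filename(e: Event) -> bool:
    """File created with a RIGHT-TO-LEFT OVERRIDE in its name (Eternity Worm)."""
    return e.get("EventID") == 11 and RTLO in _field(e, "TargetFilename")


def python_os_py_written(e: Event) -> bool:
    """Lib\\os.py under a per-user Python install rewritten (Eternity Worm)."""
    target = _field(e, "TargetFilename").lower()
    return e.get("EventID") == 11 and target.endswith("\\lib\\os.py") and "\\programs\\python\\" in target


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("shadow_copy_deletion", shadow_copy_deletion),
    ("taskmgr_disabled", taskmgr_disabled),
    ("ecrp_handler_registered", ecrp_handler_registered),
    ("encrypted_key_store_written", encrypted_key_store_written),
    ("rtlo_in_filename", rtlo_in_filename),
    ("python_os_py_written", python_os_py_written),
]


def detect(events_jsonl: str) -> List[Dict[str, object]]:
    """Run every rule over each JSON-lines event; return one alert per (event, rule) hit."""
    alerts: List[Dict[str, object]] = []
    for lineno, raw in enumerate(events_jsonl.splitlines(), start=1):
        if not raw.strip():
            continue
        event = json.loads(raw)
        for name, rule in RULES:
            if rule(event):
                alerts.append({"line": lineno, "rule": name, "image": _field(event, "Image")})
    return alerts


def triggered_rules(events_jsonl: str) -> List[str]:
    """Sorted, de-duplicated names of the rules that fired."""
    return sorted({str(a["rule"]) for a in detect(events_jsonl)})


# Constructed Sysmon-style events. Illustrative records only, not telemetry from a real host.
_HKU = "HKU\\S-1-5-21-1000000000-2000000000-3000000000-1001"
_MAL = "C:\\Users\\Admin\\Downloads\\invoice.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": _MAL,
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "vssadmin list shadows"},  # benign admin use: must not alert
    {"EventID": 13, "Image": _MAL, "Details": "DWORD (0x00000001)",
     "TargetObject": _HKU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr"},
    {"EventID": 13, "Image": _MAL, "Details": "constructed-open-command",
     "TargetObject": _HKU + "\\Software\\Classes\\.ecrp\\shell\\open\\command\\(Default)"},
    {"EventID": 13, "Image": _MAL, "Details": "Binary Data",
     "TargetObject": _HKU + "\\Software\\Chrome\\EncryptedKeys\\0001"},
    {"EventID": 11, "Image": _MAL, "TargetFilename": "C:\\Users\\Admin\\Desktop\\invoice_" + RTLO + "fdp.exe"},
    {"EventID": 11, "Image": "C:\\Program Files\\WordProcessor\\wp.exe",
     "TargetFilename": "C:\\Users\\Admin\\Desktop\\report.pdf"},  # benign: must not alert
    {"EventID": 11, "Image": _MAL,
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python310\\Lib\\os.py"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": _HKU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"},
])

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule is scoped to the exact artifact the report documents rather than to the malware's file name or hash, so it keeps firing after the actor repacks the sample; the two benign records show the narrowing that keeps false positives down (only "delete shadows" alerts, not every vssadmin invocation, and only os.py under a per-user Programs\Python tree).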
Figure 44: Adding the extension in the registry

Once the preliminary routines have been executed, the sample calls the method “GetFiles” to iterate the following directories:
• C:\Users\Admin\Pictures
• C:\Users\Admin\Documents
• C:\Users\Admin\Desktop
• C:\Users\Admin\AppData\Roaming\DropBox
• C:\Users\Admin\AppData\Roaming\OneDrive

For each file, it calls the method “EncryptFile,” which performs these malicious operations:
1. Checks whether the file exists and its extension isn't equal to the one used by the ransomware;
2. Generates a random AES key using the RNGCryptoServiceProvider;
3. Protects the just-generated AES key with the RSA public key set earlier in the .cctor:
oXmacSoncuYi5Occov7K5P3m3IeOWpTMlE4hBUP/C8GswV4b+V7rh8dz3cJ6g+CTqrMy0letdgDMGRtTtimlL+wx5Lkfp3PsdlO7ka/Jby+nKIOrSv69WitdqsbMhy1YMQT0HxbUSQIMl/p+oX9lXYb5B0vvz7amErnR8ts7J0ap9mPQHfjJ9YJBeskFty4kOiEFlt0NoqdMjdXLDTPiYhY/qmiOLmRx12C87TWhlmN0EyBJ7YBVFpMUfRbSK4H8DhHt9ZNh3W94uK//m6DaGtEoavw4QQ6qDOOlh4JGK2wuiwhFTNz+ihZQwQN601P1IIZAgF2lPeixNVX6KarD0Q==AQAB
Code Snippet: Hardcoded Public key
4. Saves the protected AES key in the registry key “HKCU\Software\Chrome\EncryptedKeys”.

Figure 45: Encrypted AES Keys in the registry
The targeted files are encrypted with the AES algorithm, then compressed with Deflate and converted to XML. The XML file contains two fields: “” holding the ID of the key saved in the registry, and “” holding the body of the encrypted file. The following picture describes the encryption routine:

Figure 46: Eternity Ransomware encryption process
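The key material in the scheme above is a classic hybrid construction: one random AES key per file, wrapped with the attacker's RSA public key, so that nothing on the victim's host can unwrap it. The triage helper below is an added example, not code from the report or from the malware. It assumes that the hardcoded key printed in the previous section is in the .NET RSA XML form (a base64 Modulus followed by the Exponent “AQAB”), which is what RSACryptoServiceProvider.FromXmlString consumes; the function names and the sample registry values are constructed here.

```python
"""
Triage helper for the RSA public key hardcoded in Eternity Ransomware.
Added example, not code from the report or the malware. Assumes the key is in
the .NET RSAKeyValue XML form (base64 Modulus, then Exponent "AQAB").
"""
import base64

# Modulus copied from the report (PDF line breaks joined); exponent "AQAB".
MODULUS_B64 = (
    "oXmacSoncuYi5Occov7K5P3m3IeOWpTMlE4hBUP/C8GswV4b+V7rh8dz3cJ6g+CTqrMy0letdgDMGRtTtimlL+wx5Lkfp3P"
    "sdlO7ka/Jby+nKIOrSv69WitdqsbMhy1YMQT0HxbUSQIMl/p+oX9lXYb5B0vvz7amErnR8ts7J0ap9mPQHfjJ9YJBeskFty4kOiEFlt0NoqdMjdXLDTPiYhY/q"
    "miOLmRx12C87TWhlmN0EyBJ7YBVFpMUfRbSK4H8DhHt9ZNh3W94uK//m6DaGtEoavw4QQ6qDOOlh4JGK2wuiwhFTNz+ihZQwQN601P1IIZAgF2lP"
    "eixNVX6KarD0Q=="
)
EXPONENT_B64 = "AQAB"


def parse_rsa_xml_values(modulus_b64, exponent_b64):
    """Decode the big-endian base64 integers of a .NET RSAKeyValue blob."""
    n = int.from_bytes(base64.b64decode(modulus_b64), "big")
    e = int.from_bytes(base64.b64decode(exponent_b64), "big")
    return n, e


def key_summary(modulus_b64=MODULUS_B64, exponent_b64=EXPONENT_B64):
    """Key size, public exponent and the byte length every wrapped AES key must have."""
    n, e = parse_rsa_xml_values(modulus_b64, exponent_b64)
    return {"bits": n.bit_length(), "exponent": e, "wrapped_key_bytes": (n.bit_length() + 7) // 8}


def plausible_wrapped_key(value_b64, modulus_b64=MODULUS_B64):
    """Shape check for a value found under HKCU\\Software\\Chrome\\EncryptedKeys:
    an RSA ciphertext under this key is exactly one modulus length of bytes and,
    as an integer, smaller than the modulus. This is triage only; without the
    private key the wrapped AES keys cannot be recovered."""
    n = int.from_bytes(base64.b64decode(modulus_b64), "big")
    try:
        blob = base64.b64decode(value_b64, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return False
    if len(blob) != (n.bit_length() + 7) // 8:
        return False
    return int.from_bytes(blob, "big") < n


# Constructed sample registry values (not real data from an infected host).
_n, _ = parse_rsa_xml_values(MODULUS_B64, EXPONENT_B64)
SAMPLE_VALID = base64.b64encode((_n - 12345).to_bytes(256, "big")).decode()   # right length, below n
SAMPLE_TOO_SHORT = base64.b64encode(b"\x01" * 32).decode()                    # a raw 32-byte key, not wrapped
SAMPLE_GE_MODULUS = base64.b64encode(b"\xff" * 256).decode()                  # >= n, cannot be an RSA output

if __name__ == "__main__":
    print(key_summary())
    for label, val in [("valid", SAMPLE_VALID), ("short", SAMPLE_TOO_SHORT), ("ge_n", SAMPLE_GE_MODULUS)]:
        print(label, plausible_wrapped_key(val))
```

Running the summary on the report's key shows a 2048-bit modulus with exponent 65537, so every entry the malware stores under EncryptedKeys is a 256-byte blob; any value of a different size under that key is either not one of its wrapped keys or has been tampered with.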
Conclusion

The actor is growing fast: in a few months, it was able to develop a large quantity of malicious code at a high technical level. This paper analyzed six components that together represent all the modern malware threats, starting from info-stealers, passing through miners and clippers, and arriving at ransomware and worms. During the sample hunting, we also found many packed samples, indicating that the gang has contacts with other criminal gangs to increase the complexity of analysis and limit AV detection. We won’t be surprised if we encounter this actor adopting the double extortion business model one day.

Threat Hunting and Threat Intelligence capabilities play a fundamental role in cyber defense activities. Indeed, having a detailed overview of a new threat actor helps protect Yoroi’s Cyber Security Defense Center and all the possible victims of similar attack attempts.
Appendix

Indicators of Compromise

Jester Stealer:

C2s:
• hxxp://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.]onion/report/BlackFish

Hashes:
• 0672b11bc92a91d742919f79b38161acf7732997d8f27693488e14118d7ea420
• 0f5d3a6ccd5cfb4ff00c9efd12b1b6b0658620947897638932fbb4f1a69ac204
• 11246136ce79c7969d92227c15e9300849823151cfb10908ed4662f0306ece07
• 11ded0a7d6d202119faf22fa3f22c5012813f3c1ba0ded04f4dafb705623389e
• 1306e24bda80da1dacddc7c7d808502407cc8b29960d807aed0327050ba32be6
• 174f347b357e36331acbde34379318c1f2cd3f3f7693da1a6a3c820e3b6f73c2
• 1828e8a313c5cb0c4871a0bebec169ef7d665dd4d6ff08de63434920facc29e6
• 22bad9fcb954fcb8cd9928eeb05d042618d1b154ca7ec7e0245514d131342366
• 2e8d37a9b1125fa6fa3be4b89bc4c17f51130205237c12e87f16e586a6624fba
• 3168f18432106cfaf21f48598c1b26b1026de7a0bac69ae548c79dec67be7853
• 31c6ddb0cca22fb7bed694ba8956af3f942abb2bbc2d38e7cbdd265204ef218b
• 358027cd37d73f2fac5765787a6a43c45682001b325cb1b235c4c2293cf20541
• 3b8adbf81f190ab87e27aca03cc50af0766a589777b6f595451885662c37b033
• 3d012f3b18bfd758729295f47509827ff61fdc13ced823411ca0216b796e94f0
• 43f3ff6b08f1c47241ca83ebfa1104d6297638b09d4884d83e8c7fceeff070d3
• 4417195f416e6bd019c0982978bf1f00c0c848e5ac2e020f278629bbe21266b6
• 46438ce67833837a1f48ce2e16850ebf81936bbb069a00ce9751302e831604b2
• 549df00f77e2782a316da85ce2de6339a6060605b9da25af61d588d3d9669c4d
• 567024d5cca61e3b7bb987c3f36367b9c6981d8dd029c1fd7aa679d8f72929b5
• 5a8dd9184f6781d4731846a4631a7dd8e38c99d312caa209e83ccfc1e5250a3c
• 610ea66627a1e7af2ba5b0a5b5aa12c6898347ace730bfb326a083ee5b40f3fb
• 697089eaf22c630995580ca8c32f2daca0db9f0c44180f447bd12b9bf34c0737
• 6b5d08ce5d46ebfaf12bd966f34bb4096cce0f13fd8bf9048621e1c0582da120
• 6c87c1ce8fabf36fb876553e9b6525dedb9563179dd4e6267870b39adf47a0a1
• 6f3175eaa15bd9e6f0a27880f9d63e5d1ed6f4d2255b173832cb6a152b563cba
• 6f7f22d44491f9768519ae4aafc93a543d37186a9ccd1e197e29014a48c13095
• 75ac96db15096428b6c9d42060f08a6ade84a7c36cf546e726fe09fbe5963f3f
• 80d5b305a9bd22b44c3545f2d5609217c4f86ec3b4723e0a05d0219040ced9a5
• 85fc1c3402f46fb32f8b912233284d3b52e127a5e96c58d2ca80ffa741e2db53
• 873d3b237380874dce724286fd5b0a0e1ebdcc80e9985d3b6e26a397fe376f35
• 8946892a1354aebdd14040128348bd3905c35b40c713e0cf9bdc7426ae24fe69
• 96341ed4164c08afaeb688e715bdbf621afbe0f6129151219d41dde123170480
• 9e9e61bff2a2e6b22f4389f77e980ed0ba95153706225166419def6b1eeac403
• a679ee3c33f24010f2b794bb76e0f4b11bbca6c4f87240820e308ea1d5b442cf
• ad730fa7559d8fcd02efab6afe2c8a4e9d766d318074842582457b79ba299532
• b03ecda181e843116c4c19520be8b57cd5c9916c1590ef9d585031b7ea0d6d78
• b1a4fb5177d642fb5647168070aa054f2eace2291c82361f0799ba0fbac38483
• b371d7d7799bdd78b61ec1ff7ec1dbd74182f7389e182536beb8a4d0659e7d36
• b437dc0d347e336dd3ca7c9af3ee982e3c7f9703bd2ba7d217400055c5234833
• b61663582da089a5ba37ad833149864a99ce60d8f2d9106d02aa26baa7b14106
• c3f01206a620eba330732ea77b7ded5cde172ccd29cbc183fb139a7c853fcc65
• c76e9aea199e40e589741f6b470fe8f3b0758c78aae39adf20d8b86aa2e8904f
• ceb1a94e9366a84f75948fbe56576945abeb7b2ecb578b00aeaa22b7896bf6fb
• d42bb466c7b301a33bb3cbe43b0194982b3b245eaeb1f3e69fea3996fd09c4e4
• e44a8f63f2f0874d77bddbce5ede7a8bf41733658002d2549f1610f7938aeb3d
• e9614dda4527fe9ab01d5340cfc0971834b5a663e51ba5cbe5c1a89348677e33
• ec2f1ea5abb622415977edbc08a7f3f3fde4c5cf6441d462a9adef5910081443
• ee5e8737168f71747990cce9802470c6d9d484ebd51225fd972408f4909c92fc
• f02ef98085a3fdd98fddef6645f2708642d91365e020464cf888d6c8a01d12ce
• f493fe1ced3f6c2c1681670e3df792d0d38b2e2592dbfb43aafa71e8b21044bf
• ff20545409561a3e276fabe901e405061f0c258db0da1dda6d82863a47b8fc10
• ffe4f973a58fac2a65083c1878f56369edbf375935c9221ca91adb21e3111627
• 02ae8936bcaa3c276741a0b22257ef6321621611ee0a40ca9b8ebecee44a6430
• 138fc1f7c4374e9c8c23ac46e883ddffeee447159a48ca9c2eedc9ba6bf90966
• 1e80d8a31d094f2f908f67c6a80d30b62c63f27c960658fdcbdd3012eeb77dca
• 1f4d2b9cb054d0dd1a721df83c275689bc21615a83f61e0a4ae1a0313c7d4cc1
• 23de41c113cd6af59a7c6721fd37755b0b4066a8f58dcf3e43f8dc10c0a65ce2
• 2483d4773d591813323680ad995807d9092b4b8c423f359f2976a24dcd8c7ae7
• 2f51ca73e34d0dd5ca240bdb614186a59ebe80b28bbf183b7354465321b5e9d0
• 2f60f276804b85bc8ee3cc63be9c1d5b303c4c722a678c59e768642b31d35bb3
• 48e2a946a501787936ea194cc029e29bcd6049d4a954b616f91bccf7188b3b0e
• 5c18b4259612602d17098bd40db9545c5d91acb22409fec4023f35bfa1d23936
• 5e248950e37b653abd4c353113b932d71143d3431a47a728c1d6d135d4825735
• 6540a1564cb42b0036bc4bc7a91116009963d39ff7f271c31821cd08eb0e27e9
• 654576c4e6f9489f5264755401ad59fadaa60e539bf6e6b9b8636824eaea3539
• 66450506a281a73603b0f892865512db95be1df8b54b53dfb11a0b7a3df8ea8c
• 69f39e040a92a6f4da19b5bb852d49d321c7ee2ebaefd7c4b8ecac483fdfeb9c
• 6dd7f4652faa45c4e124cdeb6582262b8572f5ed8bd7fbdb2967ee5dce01d8e0
• 776b177e66ccdf87836b3448371596d23815cf69124eaf6be1f37c8be6c998e3
• 81f1cb3a702f99312f8dd7a881e144a928d26f6cf5306113d58bc44b8faa48e2
• 83315459c10621aa4965545a36ec5fb0b803ec0dcd5a1fa3b3a2266db9165714
• 90c45c20b5a6c279916b4cab9a1abecc662e1fa547fe700aa415d9f685654ba6
• a3b39307457b22600a4d4da61576587847923b2033cbad24172f1e8fdfa0bde6
• a4a81d6a903411ebca75c1f2d85f6db8ef65cd6e4e5fdbaa9b8fafc093d42970
• bbe1d5273dc432c3aec2996d5295c96051baa3848a312c9de17b4068b9aeaa0b
• bfecd381f1a7dac0e4231e7a529b8ed801bf8a21cc07870615d8d39fdc545e5a
• c4749988fba26fc4f3b969c4c02527470221935ccc49698634670662c8f56169
• cc73c4d55960eaf88c5ff7be748c3d64f9074406929ff4c29deb936492b32747
• dd3fd7cf7acda8a299b8b86c9600efe97255217c37ad423cf07f3186462b9199
• eeb1a32b9f53fabf7281219e38f5901b98905b1a68d633841946f190aa6d1c7d

Proxy:
• 6.173.214.]33:19797

Merlynn Clipper:
• 543cdfe5900ea81ff76fcc07999ea13ce7636939d010d6070a4db3215e946012
• dc8765321c2a0b3ce6fb26c284e8a98f831cf2a21cc49b24f017de396ef925d9
• f948fc3a5970cc6bc0b8b767ec89864daa2542eb09b32a9c952070c8d9ec3e99

Trinity Miner:
• 4ec2be2e2e2bc0dfdc9b8c741fbfab0432f045716d27c3b27ac16fad4cb47dab
• 548c77e96af227a149b1526878eb071ca4d937f974681855dfac7169612706d0

Lilith Botnet:

C2s:
• hxxp://31.44.5.14:4545/gate/{0}/{1}

Hashes:
• 006bb86b29f11cd6a517db136478b940f8a7966acff4251188c5b82207beadae
• 06e8f574a284848160eda6f5b8384d3023d98fdf727db44cfa07fd22139ab5f5
• 150d348ba6d84cd7095f78719e83c7a8ab1445f0d68ae5886f4e731b5aa5882e
• 2e431d97623926bdb5a3e7bab1210a9d2b1f976beab7f5a75cc21505c78e7f5b
• 6152ebdf85ea6fccd2039e3f9a12c8a5e631db05f8d4909ebbaf529e1778f6fd
• 7471e203f640455c86843a8bbff52aaffb805ae927c5fbd0718bc96edb2e7dce
• 770b1a5a8bf93029993f72095e85837655ed692a8e0f7a5ec48b9ede27b18b7b
• 7a8a056be6c025bf1399b5e5f7a3d69e6b3d8eed8b12745578ef62d2b6929b74
• 7af1ff3415c1cde09a6653950ae0483e9be1b86a5dde85823e30cea2bf07b9ba
• 829c7a8dda3b4c7585348038466c71633acb821d05c1c978f633cdb0175fdec7
• 8dbfbe48755ecf0c0cba6161cd321025a1dd86cb389f8963a218783cbb99a85f
• 8dde1786f60b0c1d52c5e7c28493bfde4159ede361225d23147d04fa8bb955d7
• 8e595952e5b2e50dd992fdfbc868c8e5afdc288b097e6b890c0a43604c9a5813
• 94d02ee9613654832894f09d6325d53b4457dd436bb9dd7c32cee0df274c16d
• dfd448e14200d2d0143c9c9afaa69deb44725f127d5f38c7bdddce1bf71d3524
• e82d16bc77bdfb25fb2e316bb65e9e565ec07aad7bd8441ea09c4abfda04806d
• ed5a02370568674fdf12bae74a035daf1c6fabba84d1a3a0f7baf257ad3a6259
• fe498281daf27f0c6a5db9859192e2e8371f03f36a92d83e3f691677426dde18

Eternity Ransomware:
• 3ba098b717d6f9c52cc0ca4408dbde8e29886eb9103d1724b0d6930b431035c5

Eternity Worm:

Hashes:
• 757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5
• 77865f1b05c1f30363d9ba72a676894b3f4bd30641e0f3e50de2b68a8f10f6fe

Payloads:
• hxxp://c.vinhall169.]com/w.exe
• hxxp://iqox575zftwvbkphhnbdxkg6pfrgcmeos3rebjwdt6ra2r73u5iq2jqd.]onion/shared/worm.exe
• hxxp://c.tronlink.]golf/sa/c.exe
• hxxp://c.tronlink.]golf/sa/w.exe

Proxy:
• 46.173.214.]33:19797
Yara Rules

rule jester_stealer_lilith_botnet {
    meta:
        description = "Rule for Jester Stealer"
        author = "Yoroi Malware ZLab"
        last_updated = "2022-05-02"
        tlp = "WHITE"
        category = "informational"
    strings:
        $stealer_botnet = {000511????12????0E0812????12????}
        $BSJB = {42534A42}     // "BSJB", .NET metadata header signature
        $GUID = {2347554944}   // "#GUID", .NET metadata stream name
    condition:
        all of them and uint16(0) == 0x5A4D   // "MZ" DOS header
}

rule merlynn_clipper {
    meta:
        description = "Rule for Merlynn Clipper"
        author = "Yoroi Malware ZLab"
        last_updated = "2022-05-02"
        tlp = "WHITE"
        category = "informational"
    strings:
        $clipper_bytecode = {0203280900000628220000062A}
        $clipper2_bytecode = {0D001203284500000A066F4600000A6F4700000A1304}
        $BSJB = {42534A42}
        $GUID = {2347554944}
    condition:
        3 of them and uint16(0) == 0x5A4D
}

rule trinity_miner {
    meta:
        description = "Rule for Trinity Miner"
        author = "Yoroi Malware ZLab"
        last_updated = "2022-05-02"
        tlp = "WHITE"
        category = "informational"
    strings:
        $miner_bytecode = {14110A7E1000000A7E1000000A171A7E1000000A110B11071108280700000626}
        $BSJB = {42534A42}
        $GUID = {2347554944}
    condition:
        all of them and uint16(0) == 0x5A4D
}

rule eternity_worm {
    meta:
        description = "Rule for Eternity Worm"
        author = "Yoroi Malware ZLab"
        last_updated = "2022-05-02"
        tlp = "WHITE"
        category = "informational"
    strings:
        $1 = {03286E0200060A}
        $2 = {0628620200060B}
        $3 = {FE0C0000FE0C0100FE0C0000FE0C010093284100000A3A13000000FE0C0000FE0C010093284200000A380E000000FE0C0000FE0C010093284300000A9D}
        $4 = {FE1C4D00000158}
        $BSJB = {42534A42}
        $GUID = {2347554944}
    condition:
        3 of them and uint16(0) == 0x5A4D
}

rule eternity_ransomware {
    meta:
        description = "Rule for Eternity Ransomware"
        author = "Yoroi Malware ZLab"
        last_updated = "2022-05-02"
        tlp = "WHITE"
        category = "informational"
    strings:
        $bytecode = {022810010006066F5B01000628550100060B}
        $BSJB = {42534A42}
        $GUID = {2347554944}
    condition:
        all of them and uint16(0) == 0x5A4D
}
Yoroi S.r.l.
www.yoroi.company - info@yoroi.company
Piazza Sallustio, 9 00187 – Roma (RM)
+39 (051) 0301005
Yoroi S.r.l. ® 2014-2021 – All rights reserved
Yoroi S.r.l. is a company subject to management and coordination by Tinexta S.p.A.
Yoroi ® is a registered trademark, Registration No.: 016792947