A DEEP DIVE INTO ETERNITY GROUP - A new emerging Cyber Threat May 2022
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
A DEEP DIVE INTO ETERNITY GROUP
A new emerging Cyber Threat
May 2022
A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
2
A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
DEFENCE BELONGS TO HUMANS….
3
A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Date Activity Author
18/05/2022 Report delivery Luigi Martire, Carmelo Ragusa
4
A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Table of Content
Table of Content ........................................................................................................................................................................ 5
Introduction ................................................................................................................................................................................ 6
Eternity/Jester Group................................................................................................................................................................. 7
The Arsenal ............................................................................................................................................................................... 11
Jester Stealer ......................................................................................................................................................................... 12
Web Injection Module .................................................................................................................................................... 17
Config Decryption ........................................................................................................................................................... 18
Merlynn Clipper .................................................................................................................................................................... 20
Config Decryption ........................................................................................................................................................... 23
Trinity Miner ......................................................................................................................................................................... 24
Lilith Botnet........................................................................................................................................................................... 26
Config Decryption ........................................................................................................................................................... 31
February 2022: the rebrand ................................................................................................................................................... 32
Eternity Worm ...................................................................................................................................................................... 34
Eternity Ransomware .......................................................................................................................................................... 39
Conclusion ................................................................................................................................................................................ 43
Appendix ................................................................................................................................................................................... 44
Indicators of Compromise .................................................................................................................................................. 44
Jester Stealer: .................................................................................................................................................................. 44
Merlynn Clipper: ............................................................................................................................................................. 46
Trinity Miner: ................................................................................................................................................................... 46
Lilith Botnet: .................................................................................................................................................................... 46
Eternity Ransomware: .................................................................................................................................................... 46
Eternity Worm: ................................................................................................................................................................ 46
Yara Rules ............................................................................................................................................................................. 47
5
A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Introduction
Every month new threats are developed and sold in the underground forums, and each of them can grow and
become a severe risk to the security. Indeed, monitoring the darknet is fundamental for threat research and
proactive defense.
During our investigations, we at Yoroi Malware ZLab have found a new emerging cyber-criminal group with great
potential to become an essential factor inside the cyber security threat landscape. This threat actor calls itself
“Eternity Group,” previously “Jester Group”; we internally tracked it as “TH-320”.
The group has been active at least from July/August 2021, when they developed and released the first malware,
Jester Stealer, with an extensive sponsorship campaign inside the main underground forums. Then, the group's
capabilities increased, also releasing other malicious software.
For all these reasons, we decided to dig into these malicious operations and create a comprehensive whitepaper
where we can share all the information about the threat actor.
6
A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Eternity/Jester Group
During our investigation of this threat, it emerged that TH-320 had covered a large field of malware writing during
the activity period. Their primary objective is to make money from selling and using malware. Therefore, we tried
to summarize all the information classified the TTPs in the following flashcard and the history of the entire group in
a comprehensive timeline:
Figure 1: Eternity Group (aka, TH-320, Jester Group)
The first activities date back to July/August 2021, when the group emerged on 16 different forums and started to
publish information about their malicious products.
7
A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 2: Advertising panel of the Eternity Group inside the darknet forums
The group writes both in English and Russian, so we believe they could have connections with the Russian
environment. Furthermore, their activity isn’t limited to just the development of Malware but also selling private
courses and manuals. That model is quite helpful for two reasons: the first one is the fast-making money, and the
second one is that they can leverage the course materials to find other components for their group.
An example of the interaction inside the telegram channel is the following:
Figure 3: JesterGroup Course Advertising
8
A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL
The first activity we found related to themREPORT
was the selling of Jester Stealer which has been gaining rapid popularity.
So, they grasped our attention and we decided to research and found several samples.
In a second moment, we found other collateral malicious projects to enlarge their selling capabilities; these are the
names:
• Jester Stealer
• Merlynn Clipper
• Trinity Miner
• Lilith Botnet
Pivoting the information on the social networks and their public usernames, we collected at least three active
members of the cyber-crime gang. Their nicknames are:
• LightM4n (aka L1ghtM4n)
• Voipdiprincipedibeler2 (aka PRINCIPEDIBELER, PRINCIPEDIBELER2)
• drkust0m
Among the three identified members, LightM4n seems to be the main developer and has several projects on
GitHub:
Figure 4: L1ghtM4n’s GitHub Account
One of the most complex jobs of our activity is to track the people behind the threat actor. In this paper, we were
able to identify the principal operators and developers of the cyber gang with their roles inside it. The following
scheme shows the members of Eternity Group and their products, where the part of “dr.kust0m” and
“Voipdiprincipedibeler2” is to advertise them on many telegram channels.
9
A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 5: Scheme of the members
The last point to keep track of Eternity Group is to reconstruct the chronological timeline of its evolution. So, we
tracked the first evidence of advertising inside many darknet forums, arriving at their latest products. The group
gained popularity very quickly thanks to affiliated groups' advertising and can be proved by scammers who have
tried to impersonate them. Now they have released a complete arsenal of malware for every type of need of a
cyber-criminal. This is a clear sign we may expect many campaigns related to their products.
10A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 6: Timeline
All the tools the cyber gang developed are targets of the following analysis and dissection. This operation helps
keep track of the TTPs and the evolution of the cyber arsenal.
The Arsenal
The group is constantly developing new malicious code and new features belonging to a cyber arsenal, making
them a complete malicious profit-making company. The following section, will provide some technical insights for
each sample belonging to the gang.
11A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY
Jester Stealer ANNUAL REPORT
The first malicious product developed by the threat actor is Jester Stealer. We have evidence that the first versions
of the malware date back to July/August 2021. The following screen is the adverting panel of it:
Figure 7: Jester Stealer capabilities advertising
Hash 6f7f22d44491f9768519ae4aafc93a543d37186a9ccd1e197e29014a48c13095
Threat Jester Stealer
Brief Description .NET Stealer
SSDEEP 3072:uKmAqKt6JmD1KieL8U0Hpf/ReAS7s3LYLsz6dh2OGYD9KKRFxsbeKD5uYCC1Mrvs:uK
R68Zxe4buu3Wsz6dhLGmFSbvMKqO
The malicious capabilities of the malware are the presence of a kill-switch, anti-analysis techniques and the
creation of a mutex. The kill-switch works in this way: the bytes of salt_upload_data are taken and hashed with
SHA256 to create a registry key in “HKEY_CURRENT_USER\SOFTWARE\{hash}\state” if the value of state equals 1,
the sample will exit.
12A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 8: Killswitch
After these checks, the sample executes the core function devoted to the stealing: a thread will be conducted for
each category of the stolen data. Finally, the information is stored inside a .txt and then zipped. The peculiarity of
this sample is that the archive and the files are created in memory.
Figure 9: Routine devoted to the stealing
13A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL
Following is the complete REPORT
catalog of the stolen data:
Category Stolen Information
System Windows Password Vault, Windows Credentials Manager, List of available
networks, Screenshot
Gaming Steam, Twitch, OBS
FTP FileZilla, WinSCP, CoreFTP, Snowflake
VPN NordVPN, EarthVPN, WindScribeVPN
Browsers Chrome, Firefox, 360Browser, 7Star, Amigo, Brave, Citrio, CentBrowser, Chedot,
Chromodo, CocCoc, Comodo, Coowon, Elements, Epic, Iridium, K-Melon, Kometa, Atom,
ChromePlus, Maxthon3, Edge, Nichrom, Opera, Orbitum, QIP Surf, Sputnik, Torch, Uran,
Vivaldi, Yandex, Liebao, Uran, Chromium
Messengers Telegram, Discord, Pidgin, Outlook, FoxMail, WhatsApp, Signal, RamBox
Wallets (Address, Balance, MoneroCore, BitcoinCore, DashcoinCore, DogecoinCore, LitecoinCore, Electrum, Exodus,
Transactions) Atomic, Jaxx, Coinomi, ZCash, Guarda, Wasabi, MetaMask, TronLink, BinanceChain,
Coin98, iWallet, Wombat, MEW CX, NeoLine, Terra Station, Keplr, Sollet, ICONex, KHC,
TezBox, Byone, OneKey, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite
Client. ZilPay, Leaf Wallet, Cyano Wallet, Cyano Wallet Pro, Nabox Wallet, Polymesh
Wallet, Nifty Wallet, Liquality Wallet, Math Wallet, Coinbase Wallet, Clover Wallet, Yoroi,
EQUAL Wallet, BitApp Wallet, Auro Wallet, Saturn Wallet, Ronin Wallet
Password Managers BitWarden, KeePass, NordPass, 1Password, RoboForm, Dashlane, Keeper, LastPass,
BrowserPass, MYKI, Splikity, CommonKey, Zoho Vault, Norton, Avira, Trezor,
Authenticator, SSO Authenticator, EOS Authenticator
Files Grabber
Table 1: Jester Stealer targeted information
Then, Jester Stealer proceeds to exfiltrate the stolen information. Once compressed the harvested information,
The malware proceeds to send it to the C2. The exfiltration model provides a primary C2 inside the TOR network
and uses the AnonFiles Hosting Services as a secondary solution.
14A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 10: Exfiltration over TOR
In detail, if the C2 is hidden behind the TOR Network, the sample will enable a proxy. This proxy is enabled by
executing the tor command-line tool downloaded from the actor’s GitHub repository. Once the proxy has been
enabled, the sample will send a POST request with the encrypted (AES) zip and a summary of the stolen
information in the header. Otherwise, if the C2 is offline, the sample will upload a .zip using the API of anon files, in
this case, the data contained in the .zip are not encrypted, and the name of the file will be the Username
concatenated with the MachineName.
Figure 11: Exfiltration over Anon Files
System information is also included in the comment of the archive of all stolen ones:
15A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 12: Archive comment
16A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Web Injection Module
During the analysis, we noticed some exciting Javascript strings: the stealer uses the remote debugging utility of
chrome to execute arbitrary Javascript code. The web inject can be very useful when the victims have no saved
credentials and the targeted data aren’t available to harvest from a desktop application:
Figure 13: Web Injection capability
The following is a list of the targeted websites along with the stolen information:
17A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY
Target ANNUAL REPORT Content
Title document.title
Current URL window.location.href
User Agent Navigator.userAgent
Paypal Browser, Profile, Username, Password, Balance, Cards
Steam Browser, Profile, Login, Email, Guard State, Balance,
Inventory Items
Facebook Browser, Profile, Access Token
GitHub Id, Browser, Profile, Account Name, Subscribers,
Repositories
Youtube Id, Browser, Profile, Channel Name, Subscribers
Wallets Balance, Addresses
Credit Cards Country, Type, Holder
Instagram Account Name, Browser, Profile, Subscribers
Table 2: Targeted websites
Config Decryption
The encryption of the config is composed of BASE64 + AES (CBC - 128), so as the first step, the strings are decoded
from BASE64, and then AES decrypted.
18A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 14: Jester Stealer Config
The config is made of:
Field to decrypt Decrypted configuration
mutex
key_upload_data Key used to encrypt the files with AES during the
exfiltration
salt_upload_data String used as salt to hash the key with SHA256 (can
be used as campaign identifier)
C2
anonfiles_token Used as backup if the C2 is offline, the token is part of
the anonfiles API
check_key_verify The hardcoded SHA256 of key_upload_data, is used to
verify if the hash is the same
Table 3: Jester Stealer config
19A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Merlynn Clipper
Merlynn Clipper doesn’t differentiate itself from the usual .NET Clipper, and its strong point is the constant updates
and the many supported cryptocurrencies.
Figure 15: Merlynn Clipper Advertising
Hash f948fc3a5970cc6bc0b8b767ec89864daa2542eb09b32a9c952070c8d9ec3e99
Threat Merlynn Clipper
Brief description .NET Clipper
SSDEEP 192:oC1NpyPG0AdGyQZpmzWRdIoOrESLnvD/4L8oCXrsujzJoHY568Fs2TvZ/cV4IMJw:oeasdGhioOr5
nvD/rPjz+45Nvnye
Merlynn replaces a cryptocurrency address in the clipboard with the one specified in the config, editable inside a
builder:
20A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 16: Merlynn Clipper Builder
In the primary method, the sample calls the function Install to achieve the persistence by copying itself into the
Startup directory. Once done, uses AddClipboardFormatListener and WndProc to monitor a change in the victim's
clipboard.
Figure 17: Merlynn Clipper Main
21A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUALwhich
Inside the method, “ModifyClipboard,” REPORT
is the core of the sample, the clipper will replace the address and
send some logs to a Telegram Bot.
Figure 18: Merlynn Clipper Core Routine
These are the currently supported cryptocurrencies:
Figure 19: Merlynn Clipper supported cryptocurrencies
22A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Config Decryption
The addresses and Telegram Tokens in the config are AES Encrypted. Therefore, the Key can be easily found in the
same class.
Figure 20: MerlynnClipper Config decryption
In the analyzed sample, we found the following wallets:
Field to decrypt Decrypted configuration
xmr D47hVqg4ztcXE8dBe8JP6Q4KGu6FosHMUZNxkqi2EVXuCcfwkhKjrfxvL8E2X5vy4Mb8
KihxnMEsoDXP8fV647yeARRhsv5C
btc 1MnCfFdcyrMFcnXJPr4WN5nzTz1ssNcGp7
eth 0x3e1769F695e9cc77349Ee7fD5D832Cdad272E477
doge DEc5jVH4mtEhnXNJADiV7Up1K6RuWWoL1Y
ltc LdYqPNQyHT41aFjiUTbq1AzrQSJVWfwD4y
xrp rNCs8WjvZj2TQ2REEWF6EHyQQqs1GQHkZS
dash XouJhwrxkS5W3y9o8zyFuc1f1uUr25MUEq
TelegramChatId 1504112609
23A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY
TelegramBotToken ANNUAL REPORT
2097658010:AAFGimMzIL1tvl8SnDSJIEJ14d2Ffc7KtZw
Mutex 08ab2ccb-64df-4ec9-97a0-9c3f8eb282cc
Table 4: Merlynn Clipper config
Trinity Miner
Trinity Miner doesn’t limit itself to just the execution of XMRig, but tries to be as much as possible stealthier
compared to other miners.
Figure 21: Trinity Miner Advertising
Hash 4ec2be2e2e2bc0dfdc9b8c741fbfab0432f045716d27c3b27ac16fad4cb47dab
Threat Trinity Miner
Brief description .NET Xmrig dropper
SSDEEP 49152:qzuzgsK8XCwKyblc81KsH7FtfcaSPL/e6988MKMTq3xJTaUbEyit:zzgEywKybm
81KQ7F9caSPi69893Oj81t
The primary method is responsible for creating the mutex with a hardcoded string, the setup of the persistence in
the Startup folder and the execution of XMRig, which is contained in the sample’s resources and compressed.
24A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 22: Trinity Miner Main method
Then, the sample checks if XMRig is already executed via WMI. Then, inside the Start function, the arguments are
formatted, and XMRig will be injected using the process hollowing technique.
Figure 23: Evidence of Process Hollowing API calls
When the program is running the Explorer, the behavior of the process injection looks like the following:
25A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 24: Trinity Miner Process Injection into explorer.exe
Lilith Botnet
Lilith Botnet it’s the “all in one” solution provided by the Eternity Group. It has the classic botnet functions plus
Jester Stealer, Merlynn Clipper and Trinity Miner capabilities.
Figure 25: Lilith Botnet Advertising
Hash 150d348ba6d84cd7095f78719e83c7a8ab1445f0d68ae5886f4e731b5aa5882e
Threat Lilith Botnet
Brief description .NET Botnet with Stealer and Miner modules
SSDEEP 3072:4GzAFH91sQf3ws/PYNnJDZwuK4I+4zgG+mgzWHz+T/qF+bLr5jEt1IZFMCC0gvRs:4Gz/
nPPS+mgzMqSF+bLJEt1ku/
26A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY
Once the sample starts, ANNUAL REPORT
three checking methods are executed, the first is a license validation, the second is an anti-
VM where the following WMI “SELECT * FROM Win32_PortConnector” is queried the last one checks for the
presence of some modules related to virtualization programs or antivirus products:
• SbieDll
• SxIn
• Sf2
• snxhk
• Cmdvrt32
The sample will then create a Mutex and copy itself to the startup folder.
When the preliminary routines are executed, Lilith Botnet will register the victim, sending the first information to
the C2. Then, depending on the location of the C2 inside the TOR Network, the sample will enable the proxy using
the same function seen in Jester Stealer.
Figure 26: LilithBot sending victim’s information
The response will be decrypted (AES). If it contains the string “registered successfully,” the sample can also update
a field of the config “commandCheckInterval” used in the Sleep inside the function used to determine if the C2 is
offline or if the Victim’s Network is offline.
27A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 27: Checking network status
The value of “parameters” in this case is the command “getCommands”, if the command is successfully retrieved,
the sample will start a thread of the core function.
28A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 28: LilithBot preparing to receive commands
This is the list of all the available commands:
Command Description
Lilith:ServerOffline The C2 is offline
Lilith:NetworkOffline The victim’s Network is offliine
Lilith:EncKeyFailed AES Decryption failed
DDOS:HttpGET GET Requests to a specific target, using the following format:
target?=
Advertising:YouTube_ViewVideo The sample uses the same WebInjection methods of Jester Stealer,
simply a new tab from the passed video url is created
Lilith:UpdateConfiguration N/A
29A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY
DDOS:TCPFlood ANNUALTCPREPORT
Flood with a random buffer of length between 600-2300
DDOS:UDPFlood UDPFlood with a random buffer of length between 60-400
Advertising:YouTube_Subscribe New tab of the given channel url, injection of the following Javascript
“document.querySelector(\"#subscribe-button > ytd-subscribe-button-
renderer > tp-yt-paper-button > yt-formatted-string\").click();”
Lilith:UpdateClient Update of the client
Dropper:DownloadExecute Downloads and execute a given payload, based on the arguments passed
you can choose to bypass the UAC and execute as admin
Lilith:DeleteClient Deletes all the created artifacts except extra payloads downloaded with
“Dropper:DownloadExecute”
Advertising:YouTube_Dislike New tab of the given video url, injection of the following Javascript:
"document.querySelector(\"#top-level-buttons-computed > ytd-toggle-
button-renderer:nth-child(1) > a\").click();",
"document.querySelector(\"#top-level-buttons-computed > ytd-toggle-
button-renderer:nth-child(2) > a\").click();"
NetDiscover:ScanNetwork Uploads to the C2 as “Network.txt”: IP, MAC, Vendor, Hostname, Ports
Miner:StopMiner Stops the miner process
DDOS:StopAttacks Stops a running DDOS method
Dropper:ExecuteScript Executes a given script as BAT or Powershell
Advertising:YouTube_ViewStream New tab of a given stream url
Stealer:RecoverCredentials Jester Stealer methods
Advertising:YouTube_Like New tab of the given video url, injection of the following Javascript:
"document.querySelector(\"#top-level-buttons-computed > ytd-toggle-
button-renderer:nth-child(2) > a\").click();",
"document.querySelector(\"#top-level-buttons-computed > ytd-toggle-
button-renderer:nth-child(1) > a\").click();"
DDOS:HttpPOST POST Request Flood with a random buffer of length between 90-400
30A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY
Miner:StartMiner ANNUALTrinity
REPORT
Miner methods
Lilith:ExitClient Stops threads, browser, miner and terminate itself
Table 5: Lilith Botnet commands
Config Decryption
Like the others, the config is encrypted with AES, as you can see from the following figure:
Figure 29: Lilith Botnet Config
Field to decrypt Decrypted configuration
clientId GUID
hostname hxxp://31.44.5.14:4545/gate/{0}/{1}
encKey c4d8c7f433c1e79afe4eff3a4b05c7c9
owner admin
license 0FD5E4066478E3DD29AB263903CBA0F3
Table 6: Lilith Botnet Config
31A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
February 2022: the rebrand
On February 1st, a message from Jester Group announces a complete rebrand of the group due to the many
reports of scammers, claiming it will not be a simple rebrand but will include a new name, new projects and more.
Figure 30: Jester Group announcing the rebrand
The new group officially operates since 02/02/2022 under the name of “Eternity” and started publishing new
Malware; a worm, ransomware and RAT, respectively called “EternityWorm,” “EternityRansomware,” and
“EternityRAT.” On April 10th, they claimed that more than 300 users were registered in the Telegram Bot (used as a
builder for all the projects).
32A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 31: Eternity Group showing the registered users
The homepage of the group revealed that they have six available Malware to purchase:
Figure 32: Eternity Group official website
33A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY
Some of them were the ANNUAL REPORT
previous commented, and now we focus on the new malware codes developed after the
rebranding operation.
Eternity Worm
Eternity Worm is the first Malware developed after the rebrand
Figure 33: Eternity Worm advertising
Once executed, the worm performs a mutex check, creating it from a hardcoded string, which in this case is
“hnvkwqubmk”, then proceeds to copy itself to “%appdata%\Local\ServiceHub” and set up a scheduled task, if
administrator with priority to highest, if not to limited, then deletes itself in the old location and execute again from
the new site.
34A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 34: Setting up the persistence
The sample now retrieves two payloads:
• The first one comes from “hxxp://c.vinhall169.]com/w.exe”, which is the worm itself.
• The second is Eternity Clipper hxxp://c.tronlink.]golf/sa/c.exe.
•
Figure 35: Downloading payloads
35A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL
While downloading the payloads REPORT
and setting up the persistence, the sample creates a list of threads. The worm
adds the core routines of its features inside that list. One of these malicious features is to create discord spam,
which starts by checking if the string “Look at this. Very good stuff.[URL]” isn’t equal to “0”, then it proceeds to get
the username and iterates the channels of the victim. The username is retrieved by making a GET request to
“hxxps://discord.]com/api/users/@me”, returning a JSON and then retrieving the value from the field “username#”
+ value of the field “discriminator”, the channels are retrieved with a request to
“hxxps://discord.]com/api/users/@me/channels” and iterates it to get the IDs:
Figure 36: Setting up discord spam
The worm now iterates the list of IDs, and for each one calls the method “SendMessage”, the message is sent by
making a POST request to “hxxps://discord.]com/api/v9/channels/{0}/messages”, which is formatted with the ID
and the content of the message which is: “Look at this. Very good stuff.[URL]” with [URL] being replaced by the
payload.
Figure 37: Sending spam messages
36A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL
The following routine is for REPORT
the spam on Telegram. After retrieving the private keys, the sample downloads a
payload from “hxxp://iqox575zftwvbkphhnbdxkg6pfrgcmeos3rebjwdt6ra2r73u5iq2jqd.]onion/shared/worm.exe”
which unfortunately we were unable to get, this payload is executed then with the key as an argument.
An exciting feature of this worm is the capability to infect the Python interpreter. It starts by iterating the directory
“%appdata%\Local\Programs\Python” for each Python version it gets the file “Lib\os.py” and passes it as an
argument to the method “Execute,” which consists of the parameters “targetFile” the os.py file, “url” the payload
and “at_start” a boolean value which indicates if the payload is going to be written at the start of the file or not.
Figure 38: Infecting “os.py”
The url is passed to the method “PreparePayload” which writes the following Python code:
Figure 42: Payload inside os.py
37A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL
The Base64 string contains REPORT
the code which you can see immediately under it: there are a couple of “try” and
“except” statements aimed at downloading the payload from the URL “hxxp://c.vinhall169.com/w.]exe” in the
temporary path to execute it.
The latest methods are for the infection of USB Drives, Local Files and the Cloud.
For the local files, the sample iterates these directories:
• Desktop
• MyPictures
• Documents
For the Cloud:
• DropBox
• Google Drive
• OneDrive
The files with an extension .py or .pyw will be infected using the same technique for the interpreter.
Regarding the files with the following extensions: “.zip, .exe, .jar, .pdf, .docx, .xlsx, .pptx, .mp3, .mp4, .png”, the files
are replaced with a sample contained in the resources of “DarkBuilder.dll”, a recurrent library written by L1ghtM4n
which helps while writing malicious code, present in several malicious artifacts. This resource is called “JoinerStub”
the worm takes the original file and writes two resources; “” and “k,” the first contains
the file, and the second contains 32 random bytes used to XOR the file, the same process applies to the payload.
Figure 39: Binding method
The “JoinerStub” works in the following way: it iterates the resources, decrypt them, writes the decrypted sample in
the “%temp%” directory and if the sample extension is contained in this list
38A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL
“.exe, .com, .scr, .pif, .bat, REPORT
.cmd, .vbs, .js, .py, .jar” the sample sleeps for 1 second and then executes it. Eternity
Worm also spoofs the extension using the technique RTLO (Right-to-Left Override).
Eternity Ransomware
Eternity Ransomware is the latest Malware developed. It uses AES+RSA, and it is simple but has some interesting
features.
Figure 40: Eternity Ransomware
Once executed, it checks if the arguments passed, and if none proceeds to create a mutex from a hardcoded
string, which is the following “rbziwoehbr” instead of “--debug” it’s passed, the mutex will not be created.
Figure 41: Mutex Creation
Once the mutex has been created, the sample tries to avoid possible detection of its activities by disabling/killing
specific tools, such as the Task Manager, by modifying the following registry key:
“Software\Microsoft\Windows\CurrentVersion\Policies\System\ DisableTaskMgr”, and by starting a thread to kill
processes containing these strings in the name: “taskmgr, processHacker, procmon, procmon64, mmc”.
39A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 42: Eternity Ransomware defensive capabilities
The Ransomware proceeds inhibiting system recovery by iterating restore points and removing them using
SRRemoveRestorePoint, it also deletes shadows copies executing “vssadmin delete shadows /all /quiet”
Figure 43: Eternity Ransomware avoiding system recovery
Then, it adds the following registry key “HKCU\Software\Classes\.ecrp\shell\open\command” to execute when the
victim tries to open an encrypted file.
40A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Figure 44: Adding the extension in the registry
Once the preliminary routines are executed, the sample calls the method “GetFiles” to iterates the following
directories:
• C:\Users\Admin\Pictures
• C:\Users\Admin\Documents
• C:\Users\Admin\Desktop
• C:\Users\Admin\AppData\Roaming\DropBox
• C:\Users\Admin\AppData\Roaming\OneDrive
For each file, it calls the method “EncryptFile,” which performs these malicious operations:
1. Check whether the file exists, and its extension isn’t equal to the one used by the Ransomware,
2. Generate a random AES key by using the RNGCryptoServiceProvider
3. Protect just generated AES key with the RSA Public Key set earlier in the .cctor
oXmacSoncuYi5Occov7K5P3m3IeOWpTMlE4hBUP/C8GswV4b+V7rh8dz3cJ6g+CTqrMy0letdgDMGRtTtimlL+wx5Lkfp3P
sdlO7ka/Jby+nKIOrSv69WitdqsbMhy1YMQT0HxbUSQIMl/p+oX9lXYb5B0vvz7amErnR8ts7J0ap9mPQHfjJ9YJBeskFty4kOiEFlt0NoqdMjdXLDTPiYhY/q
miOLmRx12C87TWhlmN0EyBJ7YBVFpMUfRbSK4H8DhHt9ZNh3W94uK//m6DaGtEoavw4QQ6qDOOlh4JGK2wuiwhFTNz+ihZQwQN601P1IIZAgF2lP
eixNVX6KarD0Q==AQAB
Code Snippet: Hardcoded Public key
4. Save the protected AES key in the registry key “HKCU\Software\Chrome\EncryptedKeys”
Figure 45: Encrypted AES Keys in the registry
41A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
The aggressed files to encrypt are encrypted with the AES algorithm, then compressed with Deflate and converted
to XML. The XML file contains two fields; “” including the ID of the key saved in the registry, and “,”
containing the body of the encrypted file.
The following picture describes the encryption routine:
Figure 46: Eternity Ransomware encryption process
42A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Conclusion
The actor is growing fast: in a few months, it was able to develop a large quantity of malicious code with a high
technical level. This paper analyzed six components representing all the modern malware threats, starting from
info-stealers, arriving at Ransomware and Worms, and passing for miners and clippers.
During the samples’ hunting, we also found many packed samples, indicating that the gang has contacts with other
criminal gangs to enhance the complexity of analysis and limit the AV detection.
We won’t be surprised if we encounter that actor adopting the double extorsion malicious business model one
day.
Threat Hunting and Threat Intelligence capabilities play a fundamental role in cyber defense activities. Indeed,
having a detailed overview of a new threat actor helps the protection inside Yoroi’s Cyber Security Defense Center
and all the possible victims of similar attempts of attack.
43A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Appendix
Indicators of Compromise
Jester Stealer:
C2s:
• hxxp://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.]onion/report/BlackFish
Hashes:
• 0672b11bc92a91d742919f79b38161acf7732997d8f27693488e14118d7ea420
• 0f5d3a6ccd5cfb4ff00c9efd12b1b6b0658620947897638932fbb4f1a69ac204
• 11246136ce79c7969d92227c15e9300849823151cfb10908ed4662f0306ece07
• 11ded0a7d6d202119faf22fa3f22c5012813f3c1ba0ded04f4dafb705623389e
• 1306e24bda80da1dacddc7c7d808502407cc8b29960d807aed0327050ba32be6
• 174f347b357e36331acbde34379318c1f2cd3f3f7693da1a6a3c820e3b6f73c2
• 1828e8a313c5cb0c4871a0bebec169ef7d665dd4d6ff08de63434920facc29e6
• 22bad9fcb954fcb8cd9928eeb05d042618d1b154ca7ec7e0245514d131342366
• 2e8d37a9b1125fa6fa3be4b89bc4c17f51130205237c12e87f16e586a6624fba
• 3168f18432106cfaf21f48598c1b26b1026de7a0bac69ae548c79dec67be7853
• 31c6ddb0cca22fb7bed694ba8956af3f942abb2bbc2d38e7cbdd265204ef218b
• 358027cd37d73f2fac5765787a6a43c45682001b325cb1b235c4c2293cf20541
• 3b8adbf81f190ab87e27aca03cc50af0766a589777b6f595451885662c37b033
• 3d012f3b18bfd758729295f47509827ff61fdc13ced823411ca0216b796e94f0
• 43f3ff6b08f1c47241ca83ebfa1104d6297638b09d4884d83e8c7fceeff070d3
• 4417195f416e6bd019c0982978bf1f00c0c848e5ac2e020f278629bbe21266b6
• 46438ce67833837a1f48ce2e16850ebf81936bbb069a00ce9751302e831604b2
• 549df00f77e2782a316da85ce2de6339a6060605b9da25af61d588d3d9669c4d
• 567024d5cca61e3b7bb987c3f36367b9c6981d8dd029c1fd7aa679d8f72929b5
• 5a8dd9184f6781d4731846a4631a7dd8e38c99d312caa209e83ccfc1e5250a3c
• 610ea66627a1e7af2ba5b0a5b5aa12c6898347ace730bfb326a083ee5b40f3fb
• 697089eaf22c630995580ca8c32f2daca0db9f0c44180f447bd12b9bf34c0737
• 6b5d08ce5d46ebfaf12bd966f34bb4096cce0f13fd8bf9048621e1c0582da120
• 6c87c1ce8fabf36fb876553e9b6525dedb9563179dd4e6267870b39adf47a0a1
• 6f3175eaa15bd9e6f0a27880f9d63e5d1ed6f4d2255b173832cb6a152b563cba
• 6f7f22d44491f9768519ae4aafc93a543d37186a9ccd1e197e29014a48c13095
• 75ac96db15096428b6c9d42060f08a6ade84a7c36cf546e726fe09fbe5963f3f
• 80d5b305a9bd22b44c3545f2d5609217c4f86ec3b4723e0a05d0219040ced9a5
• 85fc1c3402f46fb32f8b912233284d3b52e127a5e96c58d2ca80ffa741e2db53
• 873d3b237380874dce724286fd5b0a0e1ebdcc80e9985d3b6e26a397fe376f35
• 8946892a1354aebdd14040128348bd3905c35b40c713e0cf9bdc7426ae24fe69
• 96341ed4164c08afaeb688e715bdbf621afbe0f6129151219d41dde123170480
• 9e9e61bff2a2e6b22f4389f77e980ed0ba95153706225166419def6b1eeac403
• a679ee3c33f24010f2b794bb76e0f4b11bbca6c4f87240820e308ea1d5b442cf
• ad730fa7559d8fcd02efab6afe2c8a4e9d766d318074842582457b79ba299532
44A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY
• ANNUAL REPORT
b03ecda181e843116c4c19520be8b57cd5c9916c1590ef9d585031b7ea0d6d78
• b1a4fb5177d642fb5647168070aa054f2eace2291c82361f0799ba0fbac38483
• b371d7d7799bdd78b61ec1ff7ec1dbd74182f7389e182536beb8a4d0659e7d36
• b437dc0d347e336dd3ca7c9af3ee982e3c7f9703bd2ba7d217400055c5234833
• b61663582da089a5ba37ad833149864a99ce60d8f2d9106d02aa26baa7b14106
• c3f01206a620eba330732ea77b7ded5cde172ccd29cbc183fb139a7c853fcc65
• c76e9aea199e40e589741f6b470fe8f3b0758c78aae39adf20d8b86aa2e8904f
• ceb1a94e9366a84f75948fbe56576945abeb7b2ecb578b00aeaa22b7896bf6fb
• d42bb466c7b301a33bb3cbe43b0194982b3b245eaeb1f3e69fea3996fd09c4e4
• e44a8f63f2f0874d77bddbce5ede7a8bf41733658002d2549f1610f7938aeb3d
• e9614dda4527fe9ab01d5340cfc0971834b5a663e51ba5cbe5c1a89348677e33
• ec2f1ea5abb622415977edbc08a7f3f3fde4c5cf6441d462a9adef5910081443
• ee5e8737168f71747990cce9802470c6d9d484ebd51225fd972408f4909c92fc
• f02ef98085a3fdd98fddef6645f2708642d91365e020464cf888d6c8a01d12ce
• f493fe1ced3f6c2c1681670e3df792d0d38b2e2592dbfb43aafa71e8b21044bf
• ff20545409561a3e276fabe901e405061f0c258db0da1dda6d82863a47b8fc10
• ffe4f973a58fac2a65083c1878f56369edbf375935c9221ca91adb21e3111627
• 02ae8936bcaa3c276741a0b22257ef6321621611ee0a40ca9b8ebecee44a6430
• 138fc1f7c4374e9c8c23ac46e883ddffeee447159a48ca9c2eedc9ba6bf90966
• 1e80d8a31d094f2f908f67c6a80d30b62c63f27c960658fdcbdd3012eeb77dca
• 1f4d2b9cb054d0dd1a721df83c275689bc21615a83f61e0a4ae1a0313c7d4cc1
• 23de41c113cd6af59a7c6721fd37755b0b4066a8f58dcf3e43f8dc10c0a65ce2
• 2483d4773d591813323680ad995807d9092b4b8c423f359f2976a24dcd8c7ae7
• 2f51ca73e34d0dd5ca240bdb614186a59ebe80b28bbf183b7354465321b5e9d0
• 2f60f276804b85bc8ee3cc63be9c1d5b303c4c722a678c59e768642b31d35bb3
• 48e2a946a501787936ea194cc029e29bcd6049d4a954b616f91bccf7188b3b0e
• 5c18b4259612602d17098bd40db9545c5d91acb22409fec4023f35bfa1d23936
• 5e248950e37b653abd4c353113b932d71143d3431a47a728c1d6d135d4825735
• 6540a1564cb42b0036bc4bc7a91116009963d39ff7f271c31821cd08eb0e27e9
• 654576c4e6f9489f5264755401ad59fadaa60e539bf6e6b9b8636824eaea3539
• 66450506a281a73603b0f892865512db95be1df8b54b53dfb11a0b7a3df8ea8c
• 69f39e040a92a6f4da19b5bb852d49d321c7ee2ebaefd7c4b8ecac483fdfeb9c
• 6dd7f4652faa45c4e124cdeb6582262b8572f5ed8bd7fbdb2967ee5dce01d8e0
• 776b177e66ccdf87836b3448371596d23815cf69124eaf6be1f37c8be6c998e3
• 81f1cb3a702f99312f8dd7a881e144a928d26f6cf5306113d58bc44b8faa48e2
• 83315459c10621aa4965545a36ec5fb0b803ec0dcd5a1fa3b3a2266db9165714
• 90c45c20b5a6c279916b4cab9a1abecc662e1fa547fe700aa415d9f685654ba6
• a3b39307457b22600a4d4da61576587847923b2033cbad24172f1e8fdfa0bde6
• a4a81d6a903411ebca75c1f2d85f6db8ef65cd6e4e5fdbaa9b8fafc093d42970
• bbe1d5273dc432c3aec2996d5295c96051baa3848a312c9de17b4068b9aeaa0b
• bfecd381f1a7dac0e4231e7a529b8ed801bf8a21cc07870615d8d39fdc545e5a
• c4749988fba26fc4f3b969c4c02527470221935ccc49698634670662c8f56169
• cc73c4d55960eaf88c5ff7be748c3d64f9074406929ff4c29deb936492b32747
• dd3fd7cf7acda8a299b8b86c9600efe97255217c37ad423cf07f3186462b9199
• Eeb1a32b9f53fabf7281219e38f5901b98905b1a68d633841946f190aa6d1c7d
Proxy:
• 6.173.214.]33:19797
45A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Merlynn Clipper:
• 543cdfe5900ea81ff76fcc07999ea13ce7636939d010d6070a4db3215e946012
• dc8765321c2a0b3ce6fb26c284e8a98f831cf2a21cc49b24f017de396ef925d9
• F948fc3a5970cc6bc0b8b767ec89864daa2542eb09b32a9c952070c8d9ec3e99
Trinity Miner:
• 4ec2be2e2e2bc0dfdc9b8c741fbfab0432f045716d27c3b27ac16fad4cb47dab
• 548c77e96af227a149b1526878eb071ca4d937f974681855dfac7169612706d0
Lilith Botnet:
C2s:
• hxxp://31.44.5.14:4545/gate/{0}/{1}
Hashes:
• 006bb86b29f11cd6a517db136478b940f8a7966acff4251188c5b82207beadae
• 06e8f574a284848160eda6f5b8384d3023d98fdf727db44cfa07fd22139ab5f5
• 150d348ba6d84cd7095f78719e83c7a8ab1445f0d68ae5886f4e731b5aa5882e
• 2e431d97623926bdb5a3e7bab1210a9d2b1f976beab7f5a75cc21505c78e7f5b
• 6152ebdf85ea6fccd2039e3f9a12c8a5e631db05f8d4909ebbaf529e1778f6fd
• 7471e203f640455c86843a8bbff52aaffb805ae927c5fbd0718bc96edb2e7dce
• 770b1a5a8bf93029993f72095e85837655ed692a8e0f7a5ec48b9ede27b18b7b
• 7a8a056be6c025bf1399b5e5f7a3d69e6b3d8eed8b12745578ef62d2b6929b74
• 7af1ff3415c1cde09a6653950ae0483e9be1b86a5dde85823e30cea2bf07b9ba
• 829c7a8dda3b4c7585348038466c71633acb821d05c1c978f633cdb0175fdec7
• 8dbfbe48755ecf0c0cba6161cd321025a1dd86cb389f8963a218783cbb99a85f
• 8dde1786f60b0c1d52c5e7c28493bfde4159ede361225d23147d04fa8bb955d7
• 8e595952e5b2e50dd992fdfbc868c8e5afdc288b097e6b890c0a43604c9a5813
• 94d02ee9613654832894f09d6325d53b4457dd436bb9dd7c32cee0df274c16d
• dfd448e14200d2d0143c9c9afaa69deb44725f127d5f38c7bdddce1bf71d3524
• e82d16bc77bdfb25fb2e316bb65e9e565ec07aad7bd8441ea09c4abfda04806d
• ed5a02370568674fdf12bae74a035daf1c6fabba84d1a3a0f7baf257ad3a6259
• Fe498281daf27f0c6a5db9859192e2e8371f03f36a92d83e3f691677426dde18
Eternity Ransomware:
• 3ba098b717d6f9c52cc0ca4408dbde8e29886eb9103d1724b0d6930b431035c5
Eternity Worm:
Hashes:
• 757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5
• 77865f1b05c1f30363d9ba72a676894b3f4bd30641e0f3e50de2b68a8f10f6fe
Payloads:
• hxxp://c.vinhall169.]com/w.exe
• hxxp://iqox575zftwvbkphhnbdxkg6pfrgcmeos3rebjwdt6ra2r73u5iq2jqd.]onion/shared/worm.exe
• hxxp://c.tronlink.]golf/sa/c.exe
• hxxp://c.tronlink.]golf/sa/w.exe
Proxy:
• 46.173.214.]33:19797
46A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY
Yara Rules ANNUAL REPORT
rule jester_stealer_lilith_botnet
{
meta:
description = "Rule for Jester Stealer"
author = "Yoroi Malware ZLab"
last_updated = "2022-05-02"
tlp = "WHITE"
category = "informational"
strings:
$stealer_botnet = {000511????12????0E0812????12????}
$BSJB = {42534A42}
$GUID = {2347554944}
condition:
all of them and uint16(0) == 0x5A4D
}
rule merlynn_clipper
{
meta:
description = "Rule for Merlynn Clipper"
author = "Yoroi Malware ZLab"
last_updated = "2022-05-02"
tlp = "WHITE"
category = "informational"
strings:
$clipper_bytecode = {0203280900000628220000062A}
$clipper2_bytecode = {0D001203284500000A066F4600000A6F4700000A1304}
$BSJB = {42534A42}
$GUID = {2347554944}
condition:
3 of them and uint16(0) == 0x5A4D
}
rule trinity_miner
{
meta:
description = "Rule for Trinity Miner"
author = "Yoroi Malware ZLab"
last_updated = "2022-05-02"
tlp = "WHITE"
category = "informational"
strings:
$miner_bytecode = {14110A7E1000000A7E1000000A171A7E1000000A110B11071108280700000626}
$BSJB = {42534A42}
$GUID = {2347554944}
condition:
all of them and uint16(0) == 0x5A4D
}
rule eternity_worm{
47A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY
meta: ANNUAL REPORT
description = "Rule for Trinity Miner"
author = "Yoroi Malware ZLab"
last_updated = "2022-05-02"
tlp = "WHITE"
category = "informational"
strings:
$1 = {03286E0200060A}
$2 = {0628620200060B}
$3 =
{FE0C0000FE0C0100FE0C0000FE0C010093284100000A3A13000000FE0C0000FE0C010093284200000A380E000
000FE0C0000FE0C010093284300000A9D}
$4 = {FE1C4D00000158}
$BSJB = {42534A42}
$GUID = {2347554944}
condition:
3of them and uint16(0) == 0x5A4D
}
rule eternity_ransomware
{
meta:
description = "Rule for Trinity Miner"
author = "Yoroi Malware ZLab"
last_updated = "2022-05-02"
tlp = "WHITE"
category = "informational"
strings:
$bytecode = {022810010006066F5B01000628550100060B}
$BSJB = {42534A42}
$GUID = {2347554944}
condition:
all of them and uint16(0) == 0x5A4D
}
48A DEEP DIVE INTO ETERNITY GROUP
CYBERSECURITY ANNUAL REPORT
Yoroi S.r.l.
www.yoroi.company - info@yoroi.company
Piazza Sallustio, 9
00187 – Roma (RM)
+39 (051) 0301005
Yoroi S.r.l. ® 2014-2021 – Tutti i diritti riservati
Yoroi S.r.l. società soggetta ad attività di direzione e coordinamento esercitata dalla Tinexta S.p.A.
Yoroi ® è un marchio registrato Registrazione N°: 016792947
49You can also read
