New Eternity Malware-as-a-Service Offering Has a Product for Most Malicious Needs
The Eternity Malware Suite, a Malware as a Service offering, is a new player in the MaaS marketplace.
Our threat reports have previously covered Ransomware as a Service (RaaS). The Eternity Suite offers multiple types of malware for sale, including a ransomware offering.
The tools are seemingly unsophisticated. But through real-world examples, we have learned that threats do not have to be advanced to cause real damage.
Samples from the Eternity malware suite were tested against BluVector’s patented Machine Learning Engine (MLE) and were detected. Regression testing of these samples shows that BluVector would have detected the malware an average of 48 months prior to their release.
What Is Eternity Malware Kit?
Researchers from Cyble discovered a dark web site, offering several types of malware for sale, under the banner of Eternity. The Eternity “suite” consists of an Infostealer, a crypto miner, a DDoS (Distributed Denial of Service) bot, a worm/dropper, ransomware, and a clipper (so named because it is designed to monitor the clipboard of an infected system, intercepting cryptocurrency transactions and redirecting them to wallets held by the attackers). The Eternity operators also have a Telegram channel which they use for marketing purposes and, interestingly, where subscribers can use the Telegram bot to customize and build the Eternity malware directly.
Figure 1: Eternity dark web site product page
Beginning with potentially the greatest threat, the ransomware, the dark web site claims it is “currently FUD” (Fully UnDetectable). This claim seems to be debunked by the fact that the initial submission of this sample to VirusTotal in early April 2022 had a detection score of 18/73. This is not great coverage at just under 25%, but certainly noticeably better than being fully undetectable. Like all the Eternity malware currently available, the ransomware is a .NET executable, quite compact in size at only 65KB. The ransom note provides a ProtonMail email address and a Telegram ID as contact points, and states the ransom amount is $800, to be paid in Monero cryptocurrency. The code is not encrypted or obfuscated and contains a large list of 788 file extensions which will be encrypted. It does not alter the file extension of encrypted files as many other ransomware variants do. After encryption is complete, the ransomware deletes the shadow copies of each drive to make file restoration more difficult. It then displays a window, as shown below.
Figure 2: Eternity ransomware post encryption window
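Two behaviours described above give a defender something concrete to look for: the ransomware encrypts files in place without changing their extension, and it deletes shadow copies once encryption is done. The following is an added example (not BluVector's code and not from the Eternity samples) of triage logic for both: a file whose extension promises a known header but whose contents are header-less and high-entropy has very likely been encrypted in place, and process-creation log lines carrying shadow-copy removal commands are a strong signal. The magic-byte table, the entropy threshold, the shadow-copy command patterns (the page does not state which command Eternity uses) and the log lines are all constructed for this example.

```python
import math
import re

# Leading bytes a file with this extension should carry. Illustrative table
# constructed for this example; the ransomware's own 788-extension target list
# is not reproduced on the page.
EXPECTED_MAGIC = {
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "pptx": (b"PK\x03\x04",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "exe": (b"MZ",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Uniform (encrypted/random) data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted_in_place(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """True when the extension promises a known header, that header is missing,
    and the head of the file is high-entropy: the footprint of in-place
    encryption that keeps the original extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magics = EXPECTED_MAGIC.get(ext)
    if not magics:
        return False  # unknown type: nothing to compare the header against
    if any(data.startswith(m) for m in magics):
        return False  # header intact, contents not encrypted
    return shannon_entropy(data[:4096]) >= threshold


# Command lines commonly used to remove Volume Shadow Copies (assumed patterns;
# the page does not say which of these the Eternity sample invokes).
SHADOW_DELETE_PATTERNS = (
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy.*(?:Delete|Remove)", re.IGNORECASE),
)


def flag_shadow_copy_deletion(log_lines):
    """Return the process-creation log lines that match a shadow-copy removal."""
    return [line for line in log_lines
            if any(p.search(line) for p in SHADOW_DELETE_PATTERNS)]


# Constructed samples for a stand-alone run.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
# Every byte value appears equally often, so this stands in for ciphertext (entropy 8.0).
ENCRYPTED_BLOB = bytes((i * 131) & 0xFF for i in range(4096))
SAMPLE_LOG = [
    r'2022-04-05T10:01:02Z host=WS01 EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'2022-04-05T10:01:03Z host=WS01 EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\a\note.txt"',
    r'2022-04-05T10:01:04Z host=WS01 EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"',
]

if __name__ == "__main__":
    print("clean pdf flagged:", looks_encrypted_in_place("report.pdf", CLEAN_PDF))
    print("encrypted 'pdf' flagged:", looks_encrypted_in_place("report.pdf", ENCRYPTED_BLOB))
    for hit in flag_shadow_copy_deletion(SAMPLE_LOG):
        print("shadow-copy deletion:", hit)
```

The entropy check is deliberately paired with the magic-byte check: compressed formats such as docx and png are themselves high-entropy, so entropy alone would flood a scan with false positives, while a missing header alone would flag corrupted or mislabelled files. A file that fails both is worth a closer look.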
The stealer is advertised as helping to extract various web browser data, including passwords, credit card numbers, cookies, tokens, autofill strings, browsing history and bookmarks. The current version professes to be compatible with multiple browsers. As expected from stealer malware, it also aids data extraction from a number of email clients, instant messenger applications, password managers, VPN and FTP clients, gaming software and operating system credentials. Of course, there is also compatibility for 14 different cryptocurrency wallets and 33 cryptocurrency browser extensions. Unlike the ransomware, the stealer does utilize obfuscation of the code.
The clipper is, as advertised on the Eternity dark web site, small in size at only 62KB and, like the stealer, uses code obfuscation. It currently monitors the clipboard for addresses of 15 supported cryptocurrencies and reports its activity to a Telegram bot. The miner is capable of mining Monero cryptocurrency, is hidden from the Windows Task Manager, and will automatically restart itself if the process is terminated.
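A clipper's substitution leaves a detectable trace: the address the user copied and the address sitting in the clipboard a moment later are both valid addresses for the same coin, yet they differ. The following is an added example (not BluVector's code and not derived from the Eternity clipper) of the comparison logic a clipboard-monitoring agent would apply. The event format (`user_copy` for a copy the user made, `poll` for a subsequent clipboard read), the address regexes and the sample addresses are all constructed for this example.

```python
import re

# Rough syntactic patterns for a few address formats (constructed for this example).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def coin_type(text: str):
    """Name of the coin whose address format `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_clipper(events):
    """Walk a stream of (source, text) clipboard events.

    source == "user_copy": the user placed `text` on the clipboard.
    source == "poll":      the agent read `text` back from the clipboard.
    Returns (copied, observed) pairs where an address was silently replaced by a
    different address of the same coin, the signature of a clipper at work.
    """
    alerts = []
    last_user_copy = None
    for source, text in events:
        if source == "user_copy":
            last_user_copy = text.strip()
        elif source == "poll" and last_user_copy is not None:
            observed = text.strip()
            if observed == last_user_copy:
                continue  # clipboard untouched
            if coin_type(observed) and coin_type(observed) == coin_type(last_user_copy):
                alerts.append((last_user_copy, observed))
    return alerts


# Constructed event stream: a legitimate ETH address is copied, then rewritten.
USER_ADDRESS = "0x" + "ab12" * 10
SWAPPED_ADDRESS = "0x" + "deadbeef" * 5
SAMPLE_EVENTS = [
    ("user_copy", USER_ADDRESS),
    ("poll", USER_ADDRESS),            # first read: unchanged
    ("poll", SWAPPED_ADDRESS),         # second read: replaced by another ETH address
    ("user_copy", "invoice #4521"),    # ordinary text, not an address
    ("poll", "invoice #4521"),
]

if __name__ == "__main__":
    for copied, observed in detect_clipper(SAMPLE_EVENTS):
        print(f"clipboard address rewritten: {copied} -> {observed}")
```

Requiring the same coin type on both sides is what keeps the alert specific: a user who copies one address and then another produces a `user_copy` event in between, while a clipper rewrites the clipboard without one.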
The worm is by far the largest of the Eternity malware, at 1362KB, and again utilizes code obfuscation. Supported propagation methods are USB drives, local network shared drives, cloud drives (e.g. Dropbox), and Discord and Telegram spam, i.e. it sends messages to all channels and contacts. It is also capable of injecting itself into compiled Python files and of appending itself to various local file types, including exe, jar, pdf, docx, xlsx and pptx.
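Several of the file types the worm appends itself to have a well-defined end of file: jar, docx, xlsx and pptx are ZIP containers whose end-of-central-directory record fixes where the archive legitimately stops, and a PDF ends at its final `%%EOF` marker. Anything after that point is an overlay that the parent application ignores but that a scanner can measure. The following is an added example (not BluVector's code and not derived from the Eternity worm) of that overlay check; the sample documents and the stand-in payload are constructed for this example, and the exe case is left out because a PE overlay check needs a section-table walk beyond this scope.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
EOCD_FIXED_LEN = 22  # fixed part of the end-of-central-directory record


def zip_overlay_size(data: bytes) -> int:
    """Bytes trailing the legitimate end of a ZIP container (docx/xlsx/pptx/jar).

    The EOCD record is located by scanning for its signature and accepting the
    first candidate whose central-directory offset + size lands exactly on it,
    so a signature appearing inside appended data is not mistaken for the real one.
    """
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(data):
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            if cd_offset + cd_size == pos:
                legit_end = pos + EOCD_FIXED_LEN + comment_len
                return max(0, len(data) - legit_end)
        pos = data.find(EOCD_SIG, pos + 1)
    raise ValueError("no consistent end-of-central-directory record: not a ZIP")


def pdf_overlay_size(data: bytes) -> int:
    """Bytes after the last %%EOF marker, ignoring surrounding whitespace."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("missing %PDF- header")
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        raise ValueError("missing %%EOF marker")
    return len(data[idx + len(b"%%EOF"):].strip(b"\r\n \t"))


ZIP_BASED = {"docx", "xlsx", "pptx", "jar", "zip"}


def overlay_size(name: str, data: bytes) -> int:
    """Dispatch on extension; returns the number of appended bytes (0 if clean)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in ZIP_BASED:
        return zip_overlay_size(data)
    if ext == "pdf":
        return pdf_overlay_size(data)
    raise ValueError(f"unsupported type: {ext!r}")


# Constructed samples for a stand-alone run.
def make_docx_like() -> bytes:
    """A minimal two-entry ZIP standing in for a docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


CLEAN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
FAKE_PAYLOAD = b"MZ" + b"\x90" * 300  # stand-in for an appended executable, 302 bytes

if __name__ == "__main__":
    for name, data in (("clean.docx", make_docx_like()),
                       ("infected.docx", make_docx_like() + FAKE_PAYLOAD),
                       ("clean.pdf", CLEAN_PDF),
                       ("infected.pdf", CLEAN_PDF + FAKE_PAYLOAD)):
        print(f"{name}: {overlay_size(name, data)} trailing bytes")
```

A non-zero result is not proof of infection on its own (some tools append metadata, and PDFs with incremental updates legitimately carry several `%%EOF` markers, which the last-marker rule accommodates), but a document-type file carrying hundreds of kilobytes of trailing data is exactly the shape the propagation described above produces and is cheap to flag at scale.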
Eternity is a relatively new player in the ever-growing MaaS marketplace. Their current malware offerings are not particularly sophisticated, and at least one appears to be based on publicly available source code. However, time and again, we have seen real-world incidents that prove malware does not necessarily need to be sophisticated to succeed.
How Does It Propagate?
The Eternity Worm malware possesses the ability to propagate via USB drives, local network file shares, cloud drives, and via Discord and Telegram spam.
When/How Did BluVector Detect It?
Four samples from the Eternity malware suite were tested against BluVector’s patented Machine Learning Engine (MLE) and all were detected. Regression testing of these samples shows that BluVector would have detected the malware an average of 48 months prior to their release.