Cyble-A-Closer-Look-at-Eternity-Malware

A closer look at Eternity Malware

Threat Actors leveraging Telegram to build malware

During our routine threat hunting exercise, Cyble Research Labs came across a TOR website listing a variety of malware for sale. This includes stealers, clippers, worms, miners, ransomware, and DDoS Bots which the Threat Actors (TAs) have named ‘Eternity Project.’

Figure 1 – Product Information

Upon further investigation, the TAs also have a Telegram channel with around 500 subscribers, where they have provided information about the malware’s operation and features through detailed videos. The Telegram channel also shares information about the malware’s updates, which shows that the TAs are actively working to enhance the features of the malware.

Figure 2 – Telegram Channel

Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary. The TAs provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies.  

Figure 3 – Telegram Builder

This blog showcases our research on Eternity Project’s malware capabilities and steps to secure yourself and your organization accordingly.

Eternity Stealer

The developer sells the Stealer module for $260 as an annual subscription. The Eternity Stealer steals passwords, cookies, credit cards, and crypto-wallets from the victim’s machine and sends them to the TA’s Telegram Bot.

The features of the stealer malware mentioned on the TAs website and Telegram channel are:

  • Browsers collection (Passwords, CreditCards, Cookies, AutoFill, Tokens, History, Bookmarks):
  • Chrome, Firefox, Edge, Opera, Chromium, Vivaldi, IE, and +20 more.
  • Email clients: Thunderbird, Outlook, FoxMail, PostBox, MailBird.
  • Messengers: Telegram, Discord, WhatsApp, Signal, Pidgin, RamBox.
  • Cold cryptocurrency wallets: Atomic, Binance, Coinomi, Electrum, Exodus, Guarda, Jaxx, Wasabi, Zcash, BitcoinCore, DashCore, DogeCore, LiteCore, MoneroCore.
  • Browser cryptocurrency extensions: MetaMask, BinanceChain, Coinbase Wallet, and 30+ more.
  • Password managers: KeePass, NordPass, LastPass, BitWarden, 1Password, RoboForm and 10+ more.
  • VPN clients: WindscribeVPN, NordVPN, EarthVPN, ProtonVPN, OpenVPN, AzireVPN.
  • FTP clients: FileZilla, CoreFTP, WinSCP, Snowflake, CyberDuck.
  • Gaming software: Steam session, Twitch, OBS broadcasting keys.
  • System credentials: Credman passwords, Vault passwords, Networks passwords).

Figure 4 demonstrates the steps to build Eternity Stealer malware through the Telegram Bot. Initially, the Telegram channel shows available products to users who purchased the malware when they enter a command /Product.  

Once the users select the stealer product, they are presented with further options for features such as AntiVM and AntiRepeat. Finally, the user has the option to select the available payload file extension such as .exe, .scr, .com, and pif. After selecting the file extension, the user can download the stealer payload from the Telegram channel.

Figure 4 – Purchasing and Building Eternity Stealer Payload

The stolen information is saved in .txt files, as shown below.

Figure 5 – Stolen Information Saved in .txt files

Eternity Miner

The developer sells the Miner module for $90 as an annual subscription. The Eternity Miner is a malicious program that uses the resources of an infected computer to mine cryptocurrency.

The features of the miner malware mentioned on the TA’s website and Telegram channel are:

  • Startup
  • Small size
  • Silent Monero mining
  • Restart when killed
  • Hidden from the task manager

Figure 6 demonstrates the steps to build Eternity Miner malware through the Telegram Bot. Here, the users can enter their Monero wallet address and Monero pool URLs while building the binary.

Figure 6 – Building Miner Payload

Eternity Clipper

The developer sells the clipper malware for $110. The Eternity Clipper is a malicious program that monitors the clipboard of an infected machine for cryptocurrency wallets and replaces them with the TA’s crypto-wallet addresses.

The features of the Clipper malware mentioned on the TA’s website and Telegram channel are:

  • Startup
  • Small size
  • Hidden from the task manager
  • Reporting to Telegram Bot
  • Prevents second reporting of replacement to prevent spam
  • Support of multiple address formats for BTC, LTC, ZEC, and BCH

Figure 7 demonstrates the steps to build the Eternity Clipper malware through a Telegram Bot. Here, users can enter their crypto wallet addresses while building the binary.

Figure 7 – Eternity Clipper Payload Building

Eternity Ransomware

The developer sells the Eternity Ransomware for $490. Eternity Ransomware is a malicious program that prevents users from accessing their machine, either by locking the system’s screen or encrypting the users’ files until a ransom is paid.

The features of the ransomware mentioned on the TA’s website and Telegram channel are:

  • Encrypts all documents, photos, and databases on disks, local shares, and USB drives.
  • Offline encryption (Doesn’t requires network connection)
  • Uses a very strong algorithm of encryption utilizing both AES and RSA.
  • The ability to set a time limit after which the files cannot be decrypted.
  • Execution on a specific date
  • Currently, FUD (0/26)
  • Small size ~130kb

Figure 8 depicts the steps to build Eternity Ransomware through the TA’s Telegram channel. Here, users can enter text to be shown once the victims open an encrypted file. The TAs can mention the ransom notes and payment details etc., for further communication with victims.

Additionally, users have the option to enter the time limit for the ransom payment. If victims fail to pay the ransom within the time limit, the encrypted files can’t be decrypted. This is set as a default feature while compiling ransomware binary.

Figure 8 – Ransomware Payload Building

Figure 9 shows the Eternity Ransomware Decryption window when users open an encrypted file.

Figure 9 – Eternity Ransomware Decryption Window

Eternity Worm

The developer sells the Eternity Worm for $390. It is a virus that spreads through infected machines via files and networks. The features of the worm dropper malware mentioned on the TA’s website and Telegram channel are:

  • USB Drives
  • Local network shares
  • Local Files (py, zip, exe, bat, jar, pdf, Docx, xlsx, pptx, mp3, mp4, png)
  • Cloud Drives (GoogleDrive, OneDrive, DropBox)
  • Python Interpreter (Injects worm loader into all compiled python projects)
  • Discord Spam (Sends your messages to all channels and friends)
  • Telegram Spam (Sends your messages to all channels and contacts)

Figure 10 depicts the steps to build Eternity worm malware through the TAs Telegram channel. Here, users can provide the URL where the worm payload will be located and also provide direct download URLs to download the worm payload. Eternity Worm can infect local files and spread through Discord and Telegram channels.

Figure 10 – Worm Malware Building

The below image shows the malware spreading via Discord.

Figure 11 – Discord Account

Eternity DDoS Bot

According to the TA’s website, the DDoS Bot malware is currently under development.

We suspect the developer behind the Eternity project is leveraging code from the existing Github repository and then modifying and selling it under a new name.

Our analysis also indicated that the Jester Stealer could also be rebranded from this particular Github project which indicates some links between the two Threat Actors.

Conclusion

Cyble Research Labs has observed a significant increase in cybercrime through Telegram channels and cybercrime forums where TAs sell their products without any regulation. We have encountered the Eternity products being sold on one such Telegram channel and TOR website.

Cyble will continue to monitor Eternity Project’s products and update our readers with the latest information.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

Safety measures needed to prevent malware attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Indicators Of Compromise (IOCs)

IndicatorsIndicator typeDescription
8d52a66459df0ea387d5aab3fc7a2bc9MD5Eternity Stealer Payload
1707b034483eb9f279dfaa3a8862592bddb2ac4eSHA1Eternity Stealer Payload
eb812b35acaeb8abcb1f895c24ddba8bb32f175308541d8db856f95d02ddcfe2SHA256Eternity Stealer Payload
c4b46a2d0898e9ba438366f878cd74bdMD5Eternity Clipper Payload
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62SHA1Eternity Clipper Payload
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3SHA256Eternity Clipper Payload
76c5b877fb931ed728df30c002bf8823MD5Eternity Ransomware Payload
16a8a21ef1a30849bedc514e42286de7676db5afSHA1Eternity Ransomware Payload
55bf0aa9c3d746b8e47635c2eae2acaf77b4e65f3e6cbd8c51f6b657cdca4c91SHA256Eternity Ransomware Payload
b35aa57c5c963bde7abee2a4e459b146MD5Eternity Worm Payload
e0817176fa7e1875a5d301b47d9a9a6977c39da5SHA1Eternity Worm Payload
656990efd54d237e25fdb07921db3958c520b0a4af05c9109fe9fe685b9290f7SHA256Eternity Worm Payload
Scroll to Top