White Papers
Ebury is alive but unseen
ESET Research publishes a deep-dive investigation into one of the most advanced server-side malware campaigns, which is still growing and has seen hundreds of thousands of compromised servers over its at least 15-year-long operation. Among the activities of the infamous Ebury group and botnet over the years have been the spread of spam, web traffic redirections, and credential stealing. In recent years it has diversified into credit card and cryptocurrency theft. Additionally, Ebury has been deployed as a backdoor to compromise almost 400,000 Linux, FreeBSD, and OpenBSD servers; more than 100,000 were still compromised as of late 2023.
How I (could) have stolen your corporate secrets for $100
ESET researchers have found that core routers, the kind that are likely to be found in corporate networks, are often not wiped clean before they are decommissioned and offered for resale. This leaves critical and sensitive configuration data from the original owner or operator accessible to the purchaser and open to abuse.
Remote Desktop Protocol: Configuring remote access for a secure workforce
In the past few years, ESET has seen a rising number of incidents in which attackers connected to Windows servers over the internet using RDP and logged on as administrators. This paper looks at how attacks misusing Remote Desktop Protocol (RDP) progressed throughout 2020 and 2021 and how organizations can defend themselves against RDP-borne attacks.
Under the hood of Wslink’s multilayered virtual machine
ESET researchers recently described Wslink, a unique and previously undocumented malicious loader that runs as a server and that features a virtual-machine-based obfuscator. In this white paper we describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through the obfuscation techniques used in the analyzed samples. We demonstrate our approach on chunks of code of the protected sample. We were not motivated to fully deobfuscate the code, because we discovered a non-obfuscated sample.
Jumping the air gap: 15 years of nation-state effort
This white paper describes how malware frameworks targeting air-gapped networks operate and provides a side-by-side comparison of their most important TTPs. ESET researchers also propose a series of detection and mitigation techniques to protect air-gapped networks from the main techniques used by all the malicious frameworks publicly known to date.
FontOnLake: Previously unknown malware family targeting Linux
ESET researchers have uncovered a previously unknown malware family that uses custom and well-designed modules to target Linux. Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect login credentials, and serve as a proxy server.
Ransomware: A look at the criminal art of malicious code, pressure, and manipulation
Ransomware is one of the most serious cyberthreats organizations face today, and cybercriminals are constantly coming up with new approaches to ensure that they receive the demanded sum. This paper explains how this form of cyber-extortion has become such a major problem, describes the kinds of techniques ransomware gangs use, and suggests what your organization can do to reduce exposure to, and damage from, these attacks.
Anatomy of native IIS malware
ESET research reveals a set of previously undocumented malware families that are implemented as malicious extensions for Internet Information Services (IIS) web server software. Taking aim mainly at government mailboxes and e-commerce transactions, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications. Along with a complete breakdown of the newly discovered malware families, this paper helps fellow security researchers and defenders detect, dissect and mitigate this class of server-side threats.
Gelsemium
Since mid-2020, ESET Research has been analyzing multiple campaigns, later attributed to the Gelsemium group, and has tracked down the earliest version of their main malware, Gelsevirine, to 2014. During the investigation, ESET researchers found a new version of this backdoor, which is both complex and modular. Victims of the group's campaigns are located in East Asia and the Middle East and include governments, religious organizations, electronics manufacturers and universities. In this paper, ESET researchers dissect several cyberespionage campaigns of the generally quiet Gelsemium group.