White Papers

The changes in human behavior online, expressed in both professional and personal lives, continue to further blur the line between the physical world and our engineered virtual worlds. As security professionals, we are confronting the implications of these changes across the IT ecosystem, especially from cloud-powered apps to which we all increasingly entrust our enjoyment, professional success, as well as privacy and security. In the Cybersecurity Trends 2023 report, ESET experts offer their perspectives on what the continued blurring of the boundaries means for our human and social experience – and particularly for our privacy and security.

ESET’s 2022 SMB Digital Security Sentiment Report surveyed more than 1,200 cybersecurity decision-makers from small to medium-sized businesses (SMBs) in Europe and North America. It explores cybersecurity sentiments within the broader context of recent security developments and world events shaping SMBs’ perceptions of security. Among other things, it shows that SMBs’ overall confidence in cyber-resilience for the next 12 months remains low.

In the past few years, ESET has seen a rising number of incidents in which attackers connected to Windows servers over the internet using RDP and logged on as administrators. This paper looks at how attacks misusing Remote Desktop Protocol (RDP) progressed throughout 2020 and 2021 and how organizations can defend themselves against RDP-borne attacks.

ESET researchers recently described Wslink, a unique and previously undocumented malicious loader that runs as a server and that features a virtual-machine-based obfuscator. In this white paper we describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through the obfuscation techniques used in the analyzed samples. We demonstrate our approach on chunks of code of the protected sample. We were not motivated to fully deobfuscate the code, because we discovered a non-obfuscated sample.

The retail sector has for years been one of the most frequently targeted globally, and the surge in digital investment and online shoppers prompted by the pandemic has only made the sector a more attractive prospect for would-be hackers. The ability of global retailers to tackle the surge in threats may be crucial for their growth prospects in a post-pandemic world.

This white paper describes how malware frameworks targeting air-gapped networks operate and provides a side-by-side comparison of their most important TTPs. ESET researchers also propose a series of detection and mitigation techniques to protect air-gapped networks from the main techniques used by all the malicious frameworks publicly known to date.

ESET researchers have uncovered a previously unknown malware family that uses custom and well-designed modules to target Linux. Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect login credentials, and serve as a proxy server.

Ransomware is one of the most serious cyberthreats organizations are facing these days, and cybercriminals are constantly coming up with new approaches to ensure that they receive the demanded sum. This paper explains how this form of cyber-extortion has become such a major problem, what kinds of techniques ransomware gangs use, and suggests what your organization can do to reduce exposure to, and damage from, these attacks.

ESET research reveals a set of previously undocumented malware families that are implemented as malicious extensions for Internet Information Services (IIS) web server software. Taking aim mainly at government mailboxes and e-commerce transactions, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications. Along with a complete breakdown of the newly-discovered malware families, this paper helps fellow security researchers and defenders detect, dissect and mitigate this class of server-side threats.

Since mid-2020, ESET Research has been analyzing multiple campaigns, later attributed to the Gelsemium group, and has tracked down the earliest version of their main malware, Gelsevirine, to 2014. During the investigation, ESET researchers found a new version of this backdoor, which is both complex and modular. Victims of the group’s campaigns are located in East Asia and the Middle East and include governments, religious organizations, electronics manufacturers and universities. In this paper, ESET researchers dissect several cyberespionage campaigns of the generally quiet Gelsemium group.

Stalkerware apps allow the snoopers to remotely access and control the victims’ devices, enabling them to snoop on the victims’ communications, listen in on their phone calls, observe their habits, access their private files, steal their passwords and possibly blackmail them. These spying tools have been increasingly popular in recent years; in 2019, ESET saw almost five times more Android stalkerware detections than in 2018, and in 2020 there were 48% more than in 2019. In this research, ESET reveals how vulnerabilities in common Android stalkerware apps put victims at additional risks and even expose the privacy and security of the stalkers themselves.

ESET reveals new research into activities of the LuckyMouse APT group and examines the complex nature of the constantly-evolving threat that APT groups represent for governments around the world. Just as importantly, the report highlights the need for technologists to continue to support governments in formulating and implementing cybersecurity strategies that are fit for the post-pandemic world.

How secure are smart sex toys? Have the necessary precautions been taken to protect users’ data and privacy? These are some of the concerns we address in this whitepaper, looking at vulnerabilities affecting some of these devices and highlighting the importance of demanding — as informed consumers — that best practices and standards should be applied to these products in order to protect users’ data.

ESET researchers describe the inner workings of previously unknown malware that has been targeting high-profile targets, including high-performance computers, servers in academia, an endpoint security vendor, and a large internet service provider. This small, yet complex, malware is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows.

Over the past year, ESET researchers have been publishing an ongoing series of articles about Latin American banking trojan malware families. In this white paper, which was also presented at the Virus Bulletin conference, they look at these families from a higher-level perspective – rather than examining details of each family and highlighting their unique characteristics, they focus on what the malware families have in common.

In this white paper, ESET researchers describe their findings gleaned during an investigation of attacks that the InvisiMole group conducted against several high-profile organizations in the military sector and diplomatic missions in Eastern Europe in late 2019. The research uncovered an extensive, sophisticated toolset used for the delivery, lateral movement and execution of InvisiMole’s backdoors – the missing pieces of the puzzle in our previous research. It also revealed previously unknown cooperation between InvisiMole and Gamaredon, a highly active threat group that mainly targets Ukrainian institutions.

ESET researchers uncover targeted attacks against several high-profile aerospace and military companies in Europe and the Middle East. While there is no compelling evidence connecting the attacks to a known threat actor, they discovered several hints suggesting a possible link to the Lazarus group, including similarities in targeting, development environment, and anti-analysis techniques used.

ESET researchers have uncovered a new version of ComRAT, a backdoor that the Turla APT group has been using since at least 2007. This white paper analyzes this latest addition to the toolkit of a cyberespionage group that is known to have breached major public and private targets on multiple continents.

ESET researchers discovered a previously unknown vulnerability in Wi-Fi chips and named it KrØØk. This serious flaw, assigned CVE-2019-15126, affects devices with Wi-Fi chips by Broadcom and Cypress that haven’t been patched yet. These are the most common Wi-Fi chips used in contemporary Wi-Fi-capable devices such as smartphones, tablets, laptops, and IoT gadgets. In a successful attack, this vulnerability allows an adversary to decrypt some wireless network packets transmitted by a vulnerable device.