Over the past year, ESET researchers have been publishing an ongoing series of articles about Latin American banking trojan malware families. In this white paper, which was also presented at the Virus Bulletin conference, they look at these families from a higher-level perspective – rather than examining details of each family and highlighting their unique characteristics, they focus on what the malware families have in common.
In this white paper, ESET researchers describe their findings gleaned during an investigation of attacks that the InvisiMole group conducted against several high-profile organizations in the military sector and diplomatic missions in Eastern Europe in late 2019. The research uncovered an extensive, sophisticated toolset used for the delivery, lateral movement and execution of InvisiMole’s backdoors – the missing pieces of the puzzle in our previous research. It also revealed previously unknown cooperation between InvisiMole and Gamaredon, a highly active threat group that mainly targets Ukrainian institutions.
ESET researchers uncover targeted attacks against several high-profile aerospace and military companies in Europe and the Middle East. While there is no compelling evidence connecting the attacks to a known threat actor, they discovered several hints suggesting a possible link to the Lazarus group, including similarities in targeting, development environment, and anti-analysis techniques used.
ESET researchers have uncovered a new version of ComRAT, a backdoor that the Turla APT group has been using since at least 2007. This white paper analyzes this latest addition to the toolkit of a cyberespionage group that is known to have breached major public and private targets on multiple continents.
ESET researchers discovered a previously unknown vulnerability in Wi-Fi chips and named it KrØØk. This serious flaw, assigned CVE-2019-15126, affects devices with Wi-Fi chips by Broadcom and Cypress that haven’t been patched yet. These are the most common Wi-Fi chips used in contemporary Wi-Fi-capable devices such as smartphones, tablets, laptops, and IoT gadgets. In a successful attack, this vulnerability allows an adversary to decrypt some wireless network packets transmitted by a vulnerable device.
This white paper describes the inner workings of ESET Host-based Intrusion Prevention System (HIPS) while dealing specifically with Deep Behavioral Inspection, a recent addition to the HIPS protection layer. Deep Behavioral Inspection, released early in 2019 with version 12.1 of ESET consumer solutions, includes new detection heuristics and enables an even deeper monitoring of unknown, suspicious processes.
As devices are undeniably getting smarter all the time, the question arises: Are we keeping pace with technological progress in terms of being “smart” enough to derive maximum benefit from these devices without suffering repercussions? With 2019 ending, ESET experts offer their insights into how new innovations will impact our privacy, security and lives in the not so distant future.
At ESET, our engineers are old acquaintances of machine learning. We recognized its potential early on and employed it to help detect malware over 20 years ago. To this day, this symbiosis continues, with neural networks, deep learning, and classification algorithms being integral parts of the protective layers in ESET products and services. This white paper introduces the reader to decades of ESET experience with machine learning, emphasizing how the latest applications of this technology blend into ESET’s current home security solutions.
ESET researchers reveal their findings about Operation Ghost, newly uncovered campaigns conducted by an APT group known as The Dukes since as far back as 2013. Our research shows that The Dukes has compromised government targets, including three European Ministries of Foreign Affairs and the Washington DC embassy of a European Union country, all without drawing attention to their activities.
This white paper provides a technical analysis of recent malware used by the Winnti Group. The group is well known for its supply-chain attacks and for compromising multiple high-profile targets – while staying under the radar for many months before they were found and disrupted. This analysis further refines our understanding of the group’s techniques and allows us to infer relationships between the different supply-chain incidents.
ESET researchers have discovered a previously unreported cyberespionage platform used in targeted attacks since at least 2013. Focusing on diplomatic missions and governmental institutions, Attor is designed specifically to attack privacy-concerned targets. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM devices.
Building on their earlier work on UEFI threats, ESET experts describe how they trained a machine-learning model to recognize a handful of unwanted UEFI components within a flood of millions of harmless samples. Besides showing strong capabilities in identifying suspicious UEFI executables, this system offers real-time monitoring of the UEFI landscape and was found to reduce the workload of ESET analysts by up to 90 percent.
This white paper presents ESET research into a new version of Machete, a cyberespionage toolset developed by a Spanish-speaking group that has been operating since at least 2010. ESET researchers have detected an ongoing, highly targeted campaign by the group, with a majority of its targets being government organizations in Latin America. In 2019, ESET has seen more than 50 computers compromised by Machete. More than 75% of the compromised computers were part of Venezuelan government organizations, including the military forces, education, police, and foreign affairs sectors.
In this white paper, we will take a deep technical look at this previously undocumented malware family and the other Ke3chang malware families detected from 2015 to 2019. We will provide evidence that the latter are evolved versions of known malware families attributed to Ke3chang group and explain how Okrum is linked to them – in terms of code, modus operandi and shared targets.
In this white paper, we present the analysis of LightNeuron, a backdoor specifically designed to target Microsoft Exchange mail servers. LightNeuron, which the cyberespionage group Turla is believed to have used since at least 2014, can spy on, modify or block any emails going through the compromised mail server, as well as execute commands sent by email.
While the idea of artificial intelligence (AI) and the real applications of machine learning (ML) have been influencing various fields for years now, their full transformative potential is yet to be realized. ML-based technologies increasingly help fight large-scale fraud, evaluate and optimize business processes, improve testing procedures and develop new solutions to existing problems. Like most innovations, however, even machine learning has drawbacks.
In this white paper, we will provide insight into the two most prevalent types of Android banking malware to date – sophisticated banking Trojans and fake banking apps – and compare their different approaches to achieving the same malicious goal. At the same time, we will explore the impact of those approaches on potential victims. Having identified the tactics of both categories, we will provide advice for users on how to stay safe from Android banking malware.
The ESET Cybersecurity Barometer USA is a survey of public opinion about cybersecurity, cybercrime, and related privacy concerns in America. The survey was conducted because there is a lack of publicly funded research quantifying American public attitudes towards, and experience of, these critically important issues.
For several years now, ESET experts from around the world have been contributing to our annual Trends report, which offers a brief review of the milestones reached in the world of cybersecurity and our predictions about possible attack scenarios and measures to counteract them in 2019.
A little more than three years ago we started hunting for OpenSSH backdoors being used in the wild. While we are always trying to improve defenses against Linux malware by discovering and analyzing examples, the scope of this hunt was specifically to catch server-side OpenSSH backdoors. Unfortunately, telemetry on Linux malware is not as readily available as it is on other platforms. Nonetheless, malicious OpenSSH binaries are quite common and have features that help us detect them among legitimate OpenSSH binaries. Although we used the collected samples to improve our detection as soon as we obtained them, we only began sorting and analyzing them in 2018. Surprisingly, we discovered many new backdoor families that had never been documented before.