White Papers

Since mid-2020, ESET Research has been analyzing multiple campaigns, later attributed to the Gelsemium group, and has tracked down the earliest version of their main malware, Gelsevirine, to 2014. During the investigation, ESET researchers found a new version of this backdoor, which is both complex and modular. Victims of the group’s campaigns are located in East Asia and the Middle East and include governments, religious organizations, electronics manufacturers and universities. In this paper, ESET researchers dissect several cyberespionage campaigns of the generally quiet Gelsemium group.

Stalkerware apps allow snoopers to remotely access and control the victims’ devices, enabling them to snoop on the victims’ communications, listen in on their phone calls, observe their habits, access their private files, steal their passwords and possibly blackmail them. These spying tools have become increasingly popular in recent years; in 2019, ESET saw almost five times more Android stalkerware detections than in 2018, and in 2020 there were 48% more than in 2019. In this research, ESET reveals how vulnerabilities in common Android stalkerware apps put victims at additional risk and even expose the privacy and security of the stalkers themselves.

ESET reveals new research into activities of the LuckyMouse APT group and examines the complex nature of the constantly-evolving threat that APT groups represent for governments around the world. Just as importantly, the report highlights the need for technologists to continue to support governments in formulating and implementing cybersecurity strategies that are fit for the post-pandemic world.

How secure are smart sex toys? Have the necessary precautions been taken to protect users’ data and privacy? These are some of the concerns we address in this whitepaper, looking at vulnerabilities affecting some of these devices and highlighting the importance of demanding — as informed consumers — that best practices and standards should be applied to these products in order to protect users’ data.

ESET researchers describe the inner workings of previously unknown malware that has been targeting high-profile victims, including high-performance computers, servers in academia, an endpoint security vendor, and a large internet service provider. This small, yet complex, malware is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows.

Over the past year, ESET researchers have been publishing an ongoing series of articles about Latin American banking trojan malware families. In this white paper, which was also presented at the Virus Bulletin conference, they look at these families from a higher-level perspective – rather than examining details of each family and highlighting their unique characteristics, they focus on what the malware families have in common.

In this white paper, ESET researchers describe their findings gleaned during an investigation of attacks that the InvisiMole group conducted against several high-profile organizations in the military sector and diplomatic missions in Eastern Europe in late 2019. The research uncovered an extensive, sophisticated toolset used for the delivery, lateral movement and execution of InvisiMole’s backdoors – the missing pieces of the puzzle in our previous research. It also revealed previously unknown cooperation between InvisiMole and Gamaredon, a highly active threat group that mainly targets Ukrainian institutions.

ESET researchers uncover targeted attacks against several high-profile aerospace and military companies in Europe and the Middle East. While there is no compelling evidence connecting the attacks to a known threat actor, they discovered several hints suggesting a possible link to the Lazarus group, including similarities in targeting, development environment, and anti-analysis techniques used.

ESET researchers have uncovered a new version of ComRAT, a backdoor that the Turla APT group has been using since at least 2007. This white paper analyzes this latest addition to the toolkit of a cyberespionage group that is known to have breached major public and private targets on multiple continents.

ESET researchers discovered a previously unknown vulnerability in Wi-Fi chips and named it KrØØk. This serious flaw, assigned CVE-2019-15126, affects devices with Wi-Fi chips by Broadcom and Cypress that haven’t been patched yet. These are the most common Wi-Fi chips used in contemporary Wi-Fi-capable devices such as smartphones, tablets, laptops, and IoT gadgets. In a successful attack, this vulnerability allows an adversary to decrypt some wireless network packets transmitted by a vulnerable device.

This white paper describes the inner workings of the ESET Host-based Intrusion Prevention System (HIPS), focusing specifically on Deep Behavioral Inspection, a recent addition to the HIPS protection layer. Deep Behavioral Inspection, released early in 2019 with version 12.1 of ESET consumer solutions, includes new detection heuristics and enables even deeper monitoring of unknown, suspicious processes.

As devices are undeniably getting smarter all the time, the question arises: Are we “smart” enough to derive maximum benefit from these devices without suffering repercussions? With 2019 ending, ESET experts offer their insights into how new innovations will impact our privacy, security and lives in the not so distant future.

At ESET, our engineers are old acquaintances of machine learning. We recognized its potential early on and employed it to help detect malware over 20 years ago. To this day, this symbiosis continues, with neural networks, deep learning, and classification algorithms being integral parts of the protective layers in ESET products and services. This white paper introduces the reader to decades of ESET experience with machine learning, emphasizing how the latest applications of this technology blend into ESET’s current home security solutions.

ESET researchers reveal their findings about Operation Ghost, newly uncovered campaigns conducted by an APT group known as The Dukes since as far back as 2013. Our research shows that the Dukes have compromised government targets, including three European Ministries of Foreign Affairs and the Washington DC embassy of a European Union country, all without drawing attention to their activities.

This white paper provides a technical analysis of recent malware used by the Winnti Group. The group is well known for its supply-chain attacks and for compromising multiple high-profile targets – while staying under the radar for many months before they were found and disrupted. This analysis further refines our understanding of the group’s techniques and allows us to infer relationships between the different supply-chain incidents.

ESET researchers have discovered a previously unreported cyberespionage platform used in targeted attacks since at least 2013. Focusing on diplomatic missions and governmental institutions, Attor is designed specifically to attack privacy-concerned targets. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM devices.

Building on their earlier work on UEFI threats, ESET experts describe how they trained a machine-learning model to recognize a handful of unwanted UEFI components within a flood of millions of harmless samples. Besides showing strong capabilities in identifying suspicious UEFI executables, this system offers real-time monitoring of the UEFI landscape and was found to reduce the workload of ESET analysts by up to 90 percent.

This white paper presents ESET research into a new version of Machete, a cyberespionage toolset developed by a Spanish-speaking group that has been operating since at least 2010. ESET researchers have detected an ongoing, highly targeted campaign by the group, with a majority of its targets being government organizations in Latin America. In 2019, ESET saw more than 50 computers compromised by Machete. More than 75% of the compromised computers were part of Venezuelan government organizations, including the military forces, education, police, and foreign affairs sectors.

In this white paper, we will take a deep technical look at this previously undocumented malware family and the other Ke3chang malware families detected from 2015 to 2019. We will provide evidence that the latter are evolved versions of known malware families attributed to the Ke3chang group and explain how Okrum is linked to them – in terms of code, modus operandi and shared targets.