White Papers

This white paper presents ESET research into a new version of Machete, a cyberespionage toolset developed by a Spanish-speaking group that has been operating since at least 2010. ESET researchers have detected an ongoing, highly targeted campaign by the group, with a majority of its targets being government organizations in Latin America. In 2019, ESET has seen more than 50 computers compromised by Machete. More than 75% of the compromised computers were part of Venezuelan government organizations, including the military forces, education, police, and foreign affairs sectors.

In this white paper, we will take a deep technical look at this previously undocumented malware family and the other Ke3chang malware families detected from 2015 to 2019. We will provide evidence that the latter are evolved versions of known malware families attributed to Ke3chang group and explain how Okrum is linked to them – in terms of code, modus operandi and shared targets.

In this white paper, we present the analysis of LightNeuron, a backdoor specifically designed to target Microsoft Exchange mail servers. LightNeuron, which the cyberespionage group Turla is believed to have used since at least 2014, can spy on, modify or block any emails going through the compromised mail server, as well as execute commands sent by email.

While the idea of artificial intelligence (AI) and the real applications of machine learning (ML) have been influencing various fields for years now, their full transformative potential is yet to be realized. ML-based technologies increasingly help fight large-scale fraud, evaluate and optimize business processes, improve testing procedures and develop new solutions to existing problems. Like most innovations, however, even machine learning has drawbacks.

In this white paper, we will provide insight into the two most prevalent types of Android banking malware to date – sophisticated banking Trojans and fake banking apps – and compare their different approaches to achieving the same malicious goal.

At the same time, we will explore the impact of those approaches on potential victims.

Having identified the tactics of both categories, we will provide advice for users on how to stay safe from Android banking malware.

The ESET Cybersecurity Barometer USA is a survey of public opinion about cybersecurity, cybercrime, and related privacy concerns in America. The survey was conducted because there is a lack of publicly funded research quantifying American public attitudes towards, and experience of, these critically important issues.

A little more than three years ago we started hunting for OpenSSH backdoors being used in the wild. While we are always trying to improve defenses against Linux malware by discovering and analyzing examples, the scope of this hunt was specifically to catch server-side OpenSSH backdoors. Unfortunately, telemetry on Linux malware is not as readily available as it is on other platforms. Nonetheless, malicious OpenSSH binaries are quite common and have features that help us distinguish them from legitimate OpenSSH binaries. Although we used the collected samples to improve our detection as soon as we obtained them, we only began sorting and analyzing them in 2018. Surprisingly, we discovered many new backdoor families that had never been documented before.

The ESET Cybersecurity Barometer Canada is a survey of public opinion about cybersecurity and cybercrime. The survey was conducted because there is a dearth of contemporary research quantifying public attitudes toward, and experience of, cybercrime. Yet public support for cybersecurity efforts, including cybercrime deterrence, is critical to preserving the benefits of the digital technologies upon which we now rely.

The goals of this paper are to explain why ransomware is still a serious threat to your organization, regardless of size, and what your organization can do to reduce exposure to, and damage from, ransomware attacks. Three ransomware attack vectors are addressed, in this order: remote access, email, and supply chain. Primarily intended for an executive audience, the paper should be helpful to CEOs, CIOs, CISOs, and risk managers.

ESET researchers have discovered and analyzed advanced, previously undocumented malware that has been used in targeted attacks against critical infrastructure organizations in Central and Eastern Europe. The malware, named GreyEnergy by ESET researchers, exhibits many conceptual similarities with BlackEnergy, the malware used in attacks against the Ukrainian energy industry in December 2015.

ESET researchers have discovered the first in-the-wild UEFI rootkit, dubbed LoJax. The research team has shown that the Sednit operators used different components of the LoJax malware to target a few government organizations in the Balkans as well as in Central and Eastern Europe. The Sednit group is a resourceful APT group targeting people and organizations around the world. It has been in operation since at least 2004, using a wide range of malware families.

Turla, also known as Snake, is an espionage group notorious for having breached some heavily protected networks. They have been busy attacking diplomats and military targets around the world. Among the notable victims were the Finnish Foreign Ministry in 2013, the Swiss military firm RUAG between 2014 and 2016 and, more recently, the German government at the end of 2017/beginning of 2018.

Artificial intelligence (AI) is almost an omnipresent topic these days. It is the centerpiece of sales pitches, it “powers” various online services and is mentioned in regard to almost any new product seeking investors.

Using remote access tools Quasar, Sobaken and Vermin, cybercriminals have been systematically spying on Ukrainian government institutions and exfiltrating data from their systems. The threat actors, first mentioned in a report from January 2018 and tracked by ESET since mid-2017, continue to develop new versions of their stealthy malware.

Microsoft Windows XP is perhaps Microsoft’s most-storied operating system. Released in 2001, just a year after the release of Microsoft Windows 2000, it was meant to fix Microsoft’s cycle of releasing separate operating systems for consumers (based on Windows 95) and for enterprises (based on Windows NT) with a single unified operating system for use by everyone.

Combining the reliability of the Windows NT kernel with the multimedia subsystem of Windows 9x, it would be equally usable whether at work or at play. So, how well did Microsoft execute on this vision from so long ago? In April 2014, Windows XP was installed on about 30% of our customers’ desktop computers. As of March 2018, Windows XP is installed on about 5.5% of those systems.

While this may seem like a small percentage, it is 10 times the number of computers running Windows XP’s successor, Windows Vista, which today accounts for a mere sub-1% of usage.

OceanLotus continues its activity particularly targeting company and government networks in East-Asian countries. A few months ago, we discovered and analyzed one of their latest backdoors. Several tricks are being used to convince the user to execute the backdoor, to slow down its analysis and to avoid detection. These techniques will be discussed in detail in this white paper.

In 2017, cryptocurrencies became a booming industry, attracting the attention of not only new users, but also cybercriminals. As the fraudsters came rushing to the newly crowded cryptocurrency space, users, businesses, and exchanges have found themselves the target of various fraud schemes – from phishing scams, through hacks, to surreptitious crypto-mining on compromised devices and, as of late 2017, via browsers.

Cybercrime targeting cryptocurrency has recently become so rampant that regulators have issued multiple warnings on cryptocurrency scams; Facebook banned all cryptocurrency ads on its platform; and insurers have started to offer protection against cryptocurrency theft.

The Internet of Things (IoT) has become a globally recognized term in workplaces and homes, and in a literal sense could be used to describe anything that is connected to the internet. However, if you ask what sort of devices are included in the IoT, then you are likely to get differing answers with respondents describing the devices they have come into contact with, or know about.

Malware writers have also begun to use more sophisticated methods to spread their infected apps. To avoid unwanted attention, attackers have started to encrypt malicious payloads, burying them deeper in the application, often moving them to the assets folder, which is typically used for pictures or other necessary content.
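One way to triage APKs for this trick is to look for assets that are much higher in entropy than the images and text they are supposed to be. The script below is an added example written for this page, not code from ESET or from any of the papers listed; it builds a constructed, minimal APK-like ZIP in memory (a low-entropy stand-in for an uncompressed image and a random blob standing in for an encrypted payload), then reports each entry under assets/ with its Shannon entropy and flags entries above a threshold. The file names, the 7.5 bits/byte threshold and the 256-byte minimum size are assumptions chosen for the demonstration.

```python
import io
import math
import os
import zipfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_apk_assets(apk_bytes: bytes, threshold: float = 7.5, min_size: int = 256):
    """Return (name, size, entropy, flagged) for every file under assets/ in an APK.

    An APK is a ZIP archive, so zipfile is enough to enumerate it. Tiny files are
    ignored because their entropy estimate is meaningless. Threshold and min_size
    are assumed values for this example, not figures from the page.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = z.read(info)
            ent = shannon_entropy(data)
            flagged = len(data) >= min_size and ent >= threshold
            results.append((info.filename, len(data), round(ent, 2), flagged))
    return results


def flagged_assets(apk_bytes: bytes) -> list:
    """Names of the assets the scan considers suspicious."""
    return [name for name, _, _, flagged in scan_apk_assets(apk_bytes) if flagged]


def build_sample_apk() -> bytes:
    """Constructed sample APK for the demonstration (not a real malicious app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 512)
        # Low-entropy stand-in for a flat, uncompressed image (about 4 bits/byte).
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + bytes(range(16)) * 64)
        # High-entropy blob standing in for an encrypted DEX/ELF payload hidden
        # under an innocuous name in the assets folder.
        z.writestr("assets/fonts/config.dat", os.urandom(4096))
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for name, size, ent, flagged in scan_apk_assets(apk):
        print(f"{'!!' if flagged else '  '} {name:28} {size:6d} bytes  {ent:.2f} bits/byte")
```

Treat a hit as a triage signal, not a verdict: real PNG, JPEG and font files are already compressed and also score close to 8 bits/byte, so in practice the next step is to check whether a flagged blob has a recognisable file header, whether the app's code reads and decrypts it at runtime, and whether it is later loaded as a DEX or native library.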