White Papers

86 reports

How I (could) have stolen your corporate secrets for $100

ESET researchers have found that core routers, the kind that are likely to be found in corporate networks, are often not wiped clean before they are decommissioned and offered for resale. This leaves critical and sensitive configuration data from the original owner or operator accessible to the purchaser and open to abuse.


Remote Desktop Protocol: Configuring remote access for a secure workforce

In the past few years, ESET has seen a rising number of incidents in which attackers connected to Windows servers over the internet using RDP and logged on as administrators. This paper looks at how attacks misusing Remote Desktop Protocol (RDP) progressed throughout 2020 and 2021 and how organizations can defend themselves against RDP-borne attacks.


Under the hood of Wslink’s multilayered virtual machine

ESET researchers recently described Wslink, a unique and previously undocumented malicious loader that runs as a server and that features a virtual-machine-based obfuscator. In this white paper we describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through the obfuscation techniques used in the analyzed samples. We demonstrate our approach on chunks of code of the protected sample. We were not motivated to fully deobfuscate the code, because we discovered a non-obfuscated sample.


Jumping the air gap: 15 years of nation-state effort

This white paper describes how malware frameworks targeting air-gapped networks operate and provides a side-by-side comparison of their most important TTPs. ESET researchers also propose a series of detection and mitigation techniques to protect air-gapped networks from the main techniques used by all the malicious frameworks publicly known to date.


FontOnLake: Previously unknown malware family targeting Linux

ESET researchers have uncovered a previously unknown malware family that uses custom and well-designed modules to target Linux. Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect login credentials, and serve as a proxy server.


Anatomy of native IIS malware

ESET research reveals a set of previously undocumented malware families that are implemented as malicious extensions for Internet Information Services (IIS) web server software. Taking aim mainly at government mailboxes and e-commerce transactions, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications. Along with a complete breakdown of the newly discovered malware families, this paper helps fellow security researchers and defenders detect, dissect and mitigate this class of server-side threats.


Ransomware: A look at the criminal art of malicious code, pressure, and manipulation

Ransomware is one of the most serious cyberthreats organizations face today, and cybercriminals are constantly coming up with new approaches to ensure that they receive the demanded sum. This paper explains how this form of cyber-extortion has become such a major problem, what kinds of techniques ransomware gangs use, and what your organization can do to reduce exposure to, and damage from, these attacks.


Gelsemium

Since mid-2020, ESET Research has been analyzing multiple campaigns, later attributed to the Gelsemium group, and has tracked down the earliest version of their main malware, Gelsevirine, to 2014. During the investigation, ESET researchers found a new version of this backdoor, which is both complex and modular. Victims of the group's campaigns are located in East Asia and the Middle East and include governments, religious organizations, electronics manufacturers and universities. In this paper, ESET researchers dissect several cyberespionage campaigns of the generally quiet Gelsemium group.


Android stalkerware vulnerabilities

Stalkerware apps allow snoopers to remotely access and control the victims' devices, enabling them to snoop on the victims' communications, listen in on their phone calls, observe their habits, access their private files, steal their passwords and possibly blackmail them. These spying tools have become increasingly popular in recent years; in 2019, ESET saw almost five times more Android stalkerware detections than in 2018, and in 2020 there were 48% more than in 2019. In this research, ESET reveals how vulnerabilities in common Android stalkerware apps put victims at additional risk and even expose the privacy and security of the stalkers themselves.