Cyber-criminals are promoting a new, modular malware-as-a-service offering that allows would-be attackers to choose from a number of threats via a Telegram channel that so far has more than 500 subscribers, researchers have found.
An account promoting the project, which offers a range of threat activity from info-stealing to crypto-mining to ransomware as individual modules, has over 500 subscribers.
The new malware service, named the ‘Eternity Project’ by the threat actors behind it, allows cyber-criminals to target potential victims with a customised threat product built from individual modules they can buy for prices from $90 to $490, researchers from security firm Cyble wrote in a blog post published Thursday.
The modules include a stealer, clipper, worm, miner and ransomware, depending on what type of attack a threat actor wants to mount, the post said. Developers behind the project are also working on a future module that offers distributed denial of service (DDoS) bots.
Eternity, which researchers discovered on a Tor website where the malware-as-a-service is also for sale, demonstrates the “significant increase in cyber-crime through Telegram channels & cyber-crime forums,” researchers wrote. This is likely because threat actors can sell their products there without any regulation, they stated.
Each module is sold individually and has different functionality that researchers suspect is being repurposed from code in an existing GitHub repository, which the project developers are then modifying and selling under a new name, according to Cyble.
“Our analysis also indicated that the Jester Stealer could also be rebranded from this particular GitHub project which indicates some links between the two threat actors,” they wrote.
Specific Modules & Functionality
Threat actors are selling the Eternity Stealer for $260 as an annual subscription. The module steals passwords, cookies, credit cards and crypto wallets from various applications, including the most popular browsers, messaging apps and cryptocurrency wallets on the victim’s machine, and sends them to the threat actor’s Telegram bot.
The Eternity Miner, a malicious program that uses the infected device to mine cryptocurrency, sells for $90 for an annual subscription. Features of the miner include a small file size, silent Monero mining, the ability to restart when killed, and the ability to remain hidden from the task manager, researchers wrote.
The Eternity Clipper, malware that monitors the clipboard of an infected machine for cryptocurrency wallet addresses and replaces them with the threat actor’s own wallet addresses, is being sold for $110. Like the miner, the clipper can also hide from the task manager, and it includes other features.
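The clipper behaviour described above has a simple defensive signature: between two clipboard polls, one wallet-address-looking string is replaced by a different string of the same address family, with no time for a user to have copied something else. The following heuristic detector is an added example written for this article and is not Cyble's code or anything taken from the Eternity Project; the clipboard samples, the address patterns and the two-second window are constructed assumptions, and real deployments would read the clipboard with a platform-specific library rather than the inline list used here.

```python
import re
from dataclasses import dataclass

# Constructed regexes for common address formats (assumption: shape-only
# checks are enough for a heuristic; they do not validate checksums).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text):
    """Return the address family `text` looks like, or None for ordinary text."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipboardSample:
    t: float        # seconds since monitoring started
    content: str    # clipboard text observed at that poll


def detect_clipper(samples, window_seconds=2.0):
    """Flag every poll where a same-family address was swapped for a different one
    within `window_seconds` of the previous poll. A user pasting two addresses in
    quick succession would also trigger this, so treat hits as leads, not proof."""
    alerts = []
    prev = None
    for sample in samples:
        family = classify(sample.content)
        if prev is not None and family is not None:
            same_family = classify(prev.content) == family
            changed = sample.content.strip() != prev.content.strip()
            fast = (sample.t - prev.t) <= window_seconds
            if same_family and changed and fast:
                alerts.append({
                    "at": sample.t,
                    "family": family,
                    "original": prev.content.strip(),
                    "replacement": sample.content.strip(),
                })
        prev = sample
    return alerts


# Constructed sample addresses (not real wallets); the letters stay inside base58.
USER_BTC = "1UserWaLLet" + "A" * 20
ATTACKER_BTC = "1AttackerWaLLet" + "B" * 18
USER_ETH = "0x" + "a1" * 20
OTHER_ETH = "0x" + "b2" * 20

# Constructed poll log: one hijack at t=1.0, then benign activity.
SAMPLE_POLLS = [
    ClipboardSample(0.0, "meeting notes for Thursday"),
    ClipboardSample(0.5, USER_BTC),        # user copies their own address
    ClipboardSample(1.0, ATTACKER_BTC),    # swapped half a second later
    ClipboardSample(10.0, USER_ETH),
    ClipboardSample(10.5, USER_ETH),       # unchanged: no alert
    ClipboardSample(30.0, OTHER_ETH),      # different address, but 19.5 s later
]


def demo():
    """Run the detector over the constructed poll log and return its alerts."""
    return detect_clipper(SAMPLE_POLLS)


if __name__ == "__main__":
    for alert in demo():
        print(f"t={alert['at']}s {alert['family']} address swapped: "
              f"{alert['original']} -> {alert['replacement']}")
```

Running the script reports a single BTC swap at t=1.0; the unchanged ETH sample and the slow ETH change are ignored. The same comparison, done once at paste time (compare what you copied with what the payment form received), is the one check a user can make without any tooling.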
The Eternity Ransomware, the most expensive of the products, sells for $490 and offers encryption of all documents, photos and databases on disks, local shares and USB drives, both online and offline. Attackers can set a time limit after which the files can no longer be decrypted and can schedule the ransomware to execute on a specific date, among other features.
Threat actors are selling the Eternity Worm, which spreads between infected machines via files and networks, for $390. Features of the worm include its ability to spread through USB drives, local network shares, various local files, and cloud drives such as Google Drive or Dropbox.
It can also send worm-infected messages to the victim’s Discord and Telegram channels and contacts, researchers observed.
As mentioned, developers are currently working on another module to offer DDoS bots as a service, though researchers did not specify a time frame for its availability.
Proceed with Caution
The existence of Eternity and its ability to offer cyber-crime options to the masses should be a cautionary tale to web users never to save credentials on a machine, lest the information fall into the wrong hands, a security professional noted.
“Seriously, when your browser asks you to allow it to remember your credentials, your answer should always be ‘no, or never,’” Ron Bradley, VP at Shared Assessments, recommended. “Unfortunately, browser manufacturers have duped users into a sense of security by allowing them to remember sensitive information including passwords, credit cards, addresses, etc. without regard to the risk they are taking.”
Users should work on the assumption that their credentials have already been compromised, rather than taking false comfort from saving sensitive data to a machine, and take steps to protect confidential information that reflect this assumption, he commented.
“Above all else, use multiple layers of defence,” Bradley observed. “Like it or not, we are at war when it comes to protecting our confidential information. Protective gear & defensive weapons are not optional in this day & age.”