“Eternity” Organization: A Continuously Active Commercial Arsenal

1.Overview

In May 2022, Antiy CERT released the report “The Active Jester Stealer Trojan and the Hacking Gang Behind It” [1], which not only analyzed a malicious sample that released both the Trojan Stealer and the Clipboard hijacker. An active Jester hacking ring was also mentioned.

The Jester hacking ring has been active since July 2021, mainly profiting from the sale of different types of malicious code it developed, such as stolen Trojans, clipboard hijackers and botnets. In February 2022, the hacker group said it was blocked by forums around the country due to the number of counterfeiters, so it decided to change its name to Eterity (the name is used later). At present, the hacker group has formed a certain scale, has several members, and can modify the malicious code developed by the hacker group according to the feedback of the purchasers, and add new functions. And began selling more types of malicious code, such as ransomware and worms, creating a MaaS (malware as a service) operating model that poses a threat to users’ devices and data security.

In this report, in addition to introducing more about the hacker gang, Antiy CERT will also provide a detailed analysis of the worms and ransomware it has developed to help users understand its malicious capabilities for better protection. It has been proved that the Antiy IEP can effectively detect and kill the malicious code developed by the hacker group.

2.ATT&CK Mapping Map of Event

Technical characteristics distribution map corresponding to the event:

Figure 2-1 Mapping of Technical Features to ATT&CK

Specific ATT & CK technical behavior description table:

Table 2-1 ATT&CK Technical Behavior Description Table

ATT&CK stages / categoriesSpecific behaviorNotes
Initial accessPhishingPhishing transmission
ExecutionUsing command and script interpretersExecutive scripting language
ExecutionInducing the user to executeInducing the user to execute
PersistenceTampering with the client softwareTampering with the client software
PersistenceExecution process hijackingExecution process hijacking
PersistenceUtilization of planned tasks / jobsCreate a scheduled task
Defensive evasionExecution process hijackingExecution process hijacking
Defensive evasionTo weaken the defense mechanismEnd process management tool
Credential AccessStealing Web Session CookieStealing Web Session Cookie
FindingsFind files and directoriesFind files and directories
FindingsDiscover the geographical location of the systemDiscover the geographical location of the system
Command and controlThe application layer protocol is usedUse the HTTP protocol
ImpactData encryption with adverse effectsTo encrypt a file
ImpactTampering with the visible contentModify a partial file icon
ImpactDisable system recoveryDelete system restore points and shadow

3.Recommendations for protection

In order to effectively defend such malicious codes and improve the level of security protection, Antiy suggests the enterprise take the following protection measures:

3.1 Terminal protection

  1. Install the terminal protection system: Install the anti-virus software, and it is recommended to install the terminal protection system of Antiy IEP;
  2. Strengthen password strength: Avoid using weak passwords, recommend using 16-digit or longer passwords, including combinations of upper and lower case letters, numbers and symbols, and avoid using the same password for multiple servers;
  3. Deployment of Intrusion Detection System (IDS): Deployment of traffic monitoring software or equipment to facilitate the discovery, tracing and tracing of malicious codes. Taking network traffic as the detection and analysis object, the Antiy PTD can accurately detect a mass of known malicious codes and network attack activities, and effectively detect suspicious behaviors, assets and various unknown threats on the network;

3.2 Protection of website dissemination

  1. It is recommended to use the genuine software downloaded from the official website. If there is no official website, it is suggested to download from a trusted source, and scan it with anti-virus software after downloading;
  2. It is recommended to use the sandbox environment to execute the suspicious files, and then use the host to execute the files with security. Based on the combination of deep static analysis and dynamic loading of sandbox, the PTA can effectively detect, analyze and identify all kinds of known and unknown threats.

3.3 Timely initiate emergency response in case of attack

  1. Contact the emergency response team: In case of malware attack, it is suggested to isolate the attacked host in time, protect the site and wait for the security engineer to check the computer; Antiy 7 * 24 service hotline: 400-840-9234.

It has been proved that the Antiy IEP can effectively detect and kill such malicious software as the secret Trojan and mining program.

Figure 3-1 Antiy IEP provides effective protection for user terminals ‑ 

4.Correlation analysis

4.1 Formation of hacker gangs

According to the public information released by the gang in the Telegram channel and other locations, and the Github address used for downloading the payload in Jester Stealer, the main members and channel information of the gang can be summarized as follows.

4.1.1 Gang members

Table 4-1 Eternity Members ‑

Early membersEternitydeveloperTherealdrkust0mPrincipe DiBeler 
MembersLightm4n Github: L1ghtm4nUserpro9 (invalid user name)SavethekiddesMalwarecompany
Customer serviceUser2speedbotEternitydealerEternityteams (invalid user name) 

Among them, LightM4n’s Github information is as follows, which shows that the user has some knowledge of malicious code development.

Figure 4-1 Github information for a member ‑

4.1.2 Message channel

The organization has opened a number of channels for malware sales, related channels are as follows.

Table 4-2 Eternity related message channels ‑ 

FunctionsMain channelMalware salesUser commentsNewsUser feedback
ChannelJesterlabEternitymalwareteamEternityreviewsEternitymalwarereEternityupdaterequests

4.1.3 Region attribute

The malicious software developed by the hacker group currently bypasses the equipment whose system language is Ukrainian, and there are many related remarks in the log text of the malicious code and the notification channel of the hacker group. So presumably its core members are from Ukraine. Some of the information is as follows.

Figure 4-2 Related information in the channel ‑

4.2 Introduction to Malware

There are many kinds of malicious software that are actively maintained and operated by Eternity. they include secret Trojan, mining program, clipboard hijacker, ransomware, worm propagator, etc., and DDoS program is in the development stage. No sale has been made.

Figure 4-3 Eternitysite navigation page ‑ 

There are also texts, videos and links to buy the aforementioned malware.

Figure 4-4 Malicious Code Introduction Page for Eterness Web Site ‑ 

The gang will also investigate subsequent malware developments through voting and other means. It can be seen that the organization has formed a certain commercial sales mode in combination with its customer service account, establishment of Telegram channels with different functions and establishment of websites.

Figure 4-5: Voting in Channel 45 ‑

5.Sample analysis

5.1 Analysis of Eternity Worms

Table 5-1 Worm Sample Label ‑

Virus nameTrojan [Worm] / Win32.Eternity
Original file nameEternityworm. exe
Md580094cdfc9743ea1e4decfe916105b76
Processor architectureIntel 386 or later, and compatibles
File size1.29 MB (1,355,264 bytes)
File formatBinexecute / Microsoft.EXE [: X32]
Time stamp2054-12-14 07: 46: 01 UTC (forged)
Digital signatureNone
Shell typeNone
Compiled Language.net
Vt First Upload Time2022-10-19 02: 30: 02 UTC
Vt test result60 / 71

Check whether the language of the system is Ukrainian, if so, then directly exit the procedure no longer executed.

Figure 5-1 Language area of detection system ‑

Create mutex “lpgdntaivz” to avoid repeated execution.

Figure 5-2 Creating a Mutex ‑

Download and execute the ransomware.

Figure 5-3 Download and execute ransomware ‑

The worm is subsequently infected and transmitted by various means.

  • Automatically Send Telegram Fishing Messages

Download the Telegram propagation module.

Figure 5-4 Download the Telegram propagation module ‑

This module is a Python program packaged by PyInstaller, and the function is to send phishing content by using the account logged in by the Telegram client in the victim’s system, and induce the victim’s Telegram contact to download malicious programs.

Figure 5-5 Propagation through Telegram ‑

  • Automatically send Discord Fishing Messages

Get the channel that users follow from the Discord client installed by the victim (a group chat that can receive and send messages).

Figure 5-6 Getting the Discord channel ‑

Send a phishing message to the obtained Discord channel to induce channel members to download a malicious program.

Figure 5-7 Sending a Discord Fishing Message ‑

  • Infected Python Standard Library

Infect the os .py in the Python standard library, and implant the downloader code into it.

Figure 5-8 Infecting a Python library ‑

  • Infect local files

Replace the files with extensions such as exe, pdf, docx, xlsx, bat, txt, mp3, mp4, py, png, pyw and jar in the folders of “desktop,” “picture” and “document” of the current user with malicious programs.

Figure 5-9 Infecting a Local File ‑

Replace the files in the zip package.

Figure 5-10 Infects a File in a Zip Package ‑

Carry out the above infection treatment on removable disks and fixed disks (local disks) other than disk C.

Figure 5-11 Infected disk file ‑

Finally, the default synchronization folder of the network drive and Dropbox, OneDrive and Google disk is infected.

Figure 5-12 Infects Network Drives ‑

The configuration information of the above functions is as follows.

Figure 5-13 Worm program configuration information ‑

5.2 Analysis of Eternity’s Released Ransomware

Table 5-2 Labels for Ransomware Samples ‑

Virus nameTrojan [Ransom] / Win32.Eternity
Original file nameEternity.exe
Md527063953e8334bc1d395274a3ff8e66f
Processor architectureIntel 386 or later, and compatibles
File size111.00 KB (113,664 Bytes)
File formatBinexecute / Microsoft.EXE [: X32]
Time stamp2103-10-13 03: 19: 28 UTC (forged)
Digital signatureNone
Shell typeNone
Compiled Language.net
Vt First Upload Time2022-10-19 02: 27: 27 UTC
Vt test result51 / 68

The ransom note for Eternity’s ransomware looks like this.

Figure 5-14 Format of a ransom note ‑

Check whether the language of the system is Ukrainian, if so, then directly exit the procedure no longer executed.

Figure 5-15 Check system language region ‑

Create a mutex “wsrciuxcaz” to avoid repeated execution.

Figure 5-16: Mutex Creation ‑

Copy itself to the% LocalAppdata%\ ServiceHub\ folder and schedule tasks to be executed once per minute.

Figure 5-17 Establish a scheduled task persistence ‑

Disable the task manager of the system through the registry to prevent users from viewing the system process.

Figure 5-18 Disable the Task Manager ‑

The creation thread continues to detect and end the presence of specific process management, process monitoring, system management software processes in the system.

Figure 5-19 Finds Part of the tool process ‑

Delete the System Restore Point.

Figure 5-20 Delete the system restore point ‑

Delete a volume shadow backup.

Figure 5-21 Deletion of shadow backup ‑

Double-click startup of the. exe program in the registry hijack explorer by modifying the double-click startup, so that the ransomware program is started when the user starts. exe.

Figure 5-22 Hijack the startup of the exe file in the explorer ‑

Generate a random AES key, encrypt it with the built-in RSA public key, and store it in the registry HKCU\ Software\ Firefox\ EncryptedKeys.

Figure 5-23 generates the key and stores it in the registry ‑

Use AES algorithm to encrypt the file and use Deflate compression to write back to the original file.

Figure 5-24 Encrypts the file ‑

The encrypted file extension is. “.ecrp,” and the configuration information is as follows.

Figure 5-25 Ransomware configuration information ‑

6.Summary

In addition to the traditional function of local file infection, Eternity Worm also has a variety of functions depending on the public website of the Internet. Once the worm lands, it can also automatically download other malicious programs such as ransomware and execute them, which poses a great threat to the security of the user system. After more than a year’s development, the Eternity hacker group behind it has become a hacker group with a certain scale.

Antiy CERT will continue to track the relevant technical changes and characteristics of the hacker gang, and provide corresponding solutions. The Terminal Defense System (IEP) not only has the functions of virus detection and killing, active defense and other functions, but also provides the capabilities of terminal control and network control, which can effectively defend against such threats and protect user data security.

7.IoCs

80094cdfc9743ea1e4decfe916105b76
27063953e8334bc1d395274a3ff8e66f
Http [:] / / 111.90.151 [.] 174: 7777 / Ransomwork.exe
Http [:] / / 111.90.151 [.] 174: 7777 / Ransomware.exe

Appendix: Reference

[1] An Analysis of the Active Jester Stealer Trojan Horse and the Hacker Gang Behind It

https: / / www.antiy.cn / research / notice & report / research _ report / 20220510.html

[2] Lilith botnet and the Jester hacker gang behind it follow-up analysis

https://www.antiy.cn/research/notice&report/research_report/20220902.html