Shopping for malware: $260 gets you a password stealer. $90 for a crypto-miner...

We take a look at low, low subscription prices – not that we want to give anyone any ideas


A Tor-hidden website dubbed the Eternity Project is offering a toolkit of malware, including ransomware, worms, and – coming soon – distributed denial-of-service programs, at low prices.

According to researchers at cyber-intelligence outfit Cyble, the Eternity site's operators also have a channel on Telegram, where they provide videos detailing features and functions of the Windows malware. Once bought, it's up to the buyer how victims' computers are infected; we'll leave that to your imagination.

The Telegram channel has about 500 subscribers, Team Cyble documented this week. Once someone decides to purchase of one or more of Eternity's malware components, they have the option to customize the final binary executable for whatever crimes they want to commit.

"Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary," the researchers wrote. "The [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies."

Malware sales and subscriptions are alive and well in the cybercriminal world, with popular malware types – from ransomware to DDoS and phishing programs, as illustrated by the detection of the Frappo phishing-as-a-service tool late last month – being peddled by developers. Some miscreants also are offering paths into compromised networks via stolen credentials or direct access.

With malware-as-a-service, the programmer has various opportunities to make money from their work. They can use their malware themselves to bag ill-gotten gains; bring in cash by leasing or selling the code; and charge for support and related services. At the same time, crooks who don't have the skills or time to develop their own malicious code can simply buy it from someone else.

"It's not talked about that commonly, but it's also not a surprise," Casey Ellis, founder and CTO of cybersecurity firm Bugcrowd, told The Register.

"This is one of many examples of a criminal enterprise taking cues from technology companies and business growth and increasing their customer value through feature flexibility and SaaS-like business models."

Budget prices

The list of malware that can be bought from the Eternity Project is extensive. For a $260 annual subscription, they can buy the Eternity Stealer, which can snaffle passwords, cookies, credit cards and cryptocurrency wallets from a victim's infected PC and send the info to a Telegram Bot. It can attack more than 20 kinds of browser, including Chrome, Edge and Firefox, plus password managers, VPN and FTP clients, gaming software, email clients, and messengers.

The Eternity Stealer exemplifies why individuals need to be aggressive in protecting their systems, according to Ron Bradley, vice president of third-party risk management vendor Shared Assessments.

"Web browsers and other tools not purpose-built for identity and password management are akin to using an umbrella in a hurricane," Bradley told The Register.

"The days of being cyber-complacent are over. Find and use a good password manager. Pay for the premium versions, which cost less than a cup of coffee and a bagel for a one-year subscription."

The Eternity Miner, which sells for $90 for an annual subscription and is used to siphon resources from compromised systems to mine for cryptocurrency, delivers the ability to hide from the computer's Task Manager, and to automatically restart it when it's been killed. Another cryptomining tool, the Eternity Clipper, is available for $110 and is used to monitor the clipboard of an infected system for mentions of cryptocurrency wallets and replace them with the fraudster's crypto-wallet addresses.

The ransomware can be had for $490 and not only can encrypt all data – documents, photos, and databases – but also can do so offline as it doesn't require a network connection. It uses AES and RSA encryption algorithm, and includes the option of a time limit for paying the ransom.

"If victims fail to pay the ransom within the time limit, the encrypted files can't be decrypted," the Cyble researchers wrote. "This is set as a default feature while compiling a ransomware binary."

There also is worm malware for $390 that spreads from system to system via USB and cloud drives, infected files, and network shares, and will send Telegram and Discord spam messages to channels and contacts to fool people into also downloading and running the thing. The DDoS bot is still being built, according to Cyble.

"We suspect the developer behind the Eternity project is leveraging code from the existing GitHub repository and then modifying and selling it under a new name," they wrote. "Our analysis also indicated that the Jester Stealer could also be rebranded from this particular Github project, which indicates some links between the two threat actors."

They also said they have seen a significant uptick in cybercrime on Telegram channels and dark-web forums. That doesn't surprise John Bambenek, principle threat hunter for cybersecurity vendor Netenrich.

"Threat actors have been shifting to Telegram channels," Bambenek told The Register.

"While it's new that you can use a Telegram bot to build or acquire commodity malware, it is just the latest path to market for commodity and low-end malware for the script kiddie crowd. From the prices they are charging, I wouldn't expect to see this often in enterprise attacks, but certainly attacks against consumers and SMBs who lack the tools to protect themselves from even basic threats would be the most frequent victims of these tools." ®

Broader topics


Other stories you might like

  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Costa Rican government held up by ransomware … again
    Also US warns of voting machine flaws and Google pays out $100 million to Illinois

    In brief Last month the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica's government if a ransom wasn't paid. This month, another band of extortionists has attacked the nation.

    Fresh off an intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica's Social Security system, and also struck the country's public health agency, which had to shut down its computers on Tuesday to prevent the spread of a malware outbreak.

    The Costa Rican government said at least 30 of the agency's servers were infected, and its attempt at shutting down systems to limit damage appears to have been unsuccessful. Hive is now asking for $5 million in Bitcoin to unlock infected systems.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading
  • Unpatched Exchange server, stolen RDP logins... How miscreants get BlackCat ransomware on your network
    Microsoft details this ransomware-as-a-service

    Two of the more prolific cybercriminal groups, which in the past have deployed such high-profile ransomware families as Conti, Ryuk, REvil and Hive, have started adopting the BlackCat ransomware-as-as-service (RaaS) offering.

    The use of the modern Rust programming language to stabilize and port the code, the variable nature of RaaS, and growing adoption by affiliate groups all increase the chances that organizations will run into BlackCat – and have difficulty detecting it – according to researchers with the Microsoft 365 Defender Threat Intelligence Team.

    In an advisory this week, Microsoft researchers noted the myriad capabilities of BlackCat, but added the outcome is always the same: the ransomware is deployed, files are stolen and encrypted, and victims told to either pay the ransom or risk seeing their sensitive data leaked.

    Continue reading
  • $6b mega contract electronics vendor Sanmina jumps into zero trust
    Company was an early adopter of Google Cloud, which led to a search for a new security architecture

    Matt Ramberg is the vice president of information security at Sanmina, a sprawling electronics manufacturer with close to 60 facilities in 20 countries on six continents and some 35,000 employees spread across the world.

    Like most enterprises, Sanmina, a big name in contract manufacturing, is also adapting to a new IT environment. The 42-year-old Fortune 500 company, with fiscal year 2021 revenue of more than $6.76 billion, was an early and enthusiastic adopter of the cloud, taking its first step into Google Cloud in 2009.

    With manufacturing sites around the globe, it also is seeing its technology demands stretch out to the edge.

    Continue reading
  • Even Russia's Evil Corp now favors software-as-a-service
    Albeit to avoid US sanctions hitting it in the wallet

    The Russian-based Evil Corp is jumping from one malware strain to another in hopes of evading sanctions placed on it by the US government in 2019.

    You might be wondering why cyberextortionists in the Land of Putin give a bit flip about US sanctions: as we understand it, the sanctions mean anyone doing business with or handling transactions for gang will face the wrath of Uncle Sam. Evil Corp is therefore radioactive, few will want to interact with it, and the group has to shift its appearance and operations to keep its income flowing.

    As such, Evil Corp – which made its bones targeting the financial sector with the Dridex malware it developed – is now using off-the-shelf ransomware, most recently the LockBit ransomware-as-a-service, to cover its tracks and make it easier to get the ransoms they demand from victims paid, according to a report this week out of Mandiant.

    Continue reading
  • Facebook phishing campaign nets millions in IDs and cash
    Hundreds of millions of stolen credentials and a cool $59 million

    An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

    Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

    The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading

Biting the hand that feeds IT © 1998–2022