An unknown threat actor has been identified as the developer of a malware toolkit called the “Eternity Project”. The malware allows professional and amateur cybercriminals to buy stealers, clippers, worms, miners, ransomware, and a distributed denial-of-service (DDoS) bot.
The malware-as-a-service (MaaS) offering is unique because it not only uses a Telegram channel to communicate updates about the latest features but also uses a Telegram Bot to allow purchasers to build the binary.
“The [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies,” researchers from Cyble said in a report published last week.
Each of the modules is offered separately and allows access to a range of functions –
- Eternity Stealer ($260 for an annual subscription) – Steals passwords, cookies, credit cards, browser cryptocurrency extensions, crypto wallets, VPN clients, and email apps from a victim’s machine and sends them to the Telegram Bot
- Eternity Miner ($90 for an annual subscription) – Exploits the computing resources of an affected machine to mine cryptocurrency
- Eternity Clipper ($110) – A crypto-clipping program that steals cryptocurrency by substituting the original wallet address saved in the clipboard with the attacker’s wallet address.
- Eternity Ransomware ($490) – A 130kb ransomware executable to encrypt all of the users’ files until a ransom is paid
- Eternity Worm ($390) – Malware that propagates through USB drives, local network shares, and local files, as well as via spam messages broadcast on Discord and Telegram.
- Eternity DDoS Bot (N/A) – The feature is said to be currently under development.
Cyble drew attention to the malware authors’ reworking of existing code related to DynamicStealer, which is available on GitHub, and to its sale under a new moniker for profit.
Jester Stealer, another piece of malware that was uncovered in February 2022 and has been used in phishing attacks against Ukraine, uses the same GitHub repository for downloading Tor proxies, suggesting a possible link between the two threat actors.
The cybersecurity firm also said it “has observed a significant increase in cybercrime through Telegram channels and cybercrime forums where [threat actors] sell their products without any regulation.”
Last week, BlackBerry exposed the inner workings of a remote access trojan called DCRat (aka DarkCrystal RAT) that’s available for sale at cheap prices on Russian hacking forums and uses a Telegram channel for sharing details regarding software and plugin updates.