Sinister Eternity Malware Kit Is Being Sold On Telegram With Malicious Options Galore

Lately, cybercriminals have been using Telegram to sell malware and other malicious tools as a service. Last month we reported on a Telegram bot that makes automatic phone calls to steal multi-factor authentication (MFA) codes. The Telegram bot gives bad actors an easy-to-use interface for placing scam phone calls and receiving stolen authentication codes. Scammers can access the bot by paying its developers a subscription fee. Now cybersecurity researchers at Cyble Research Labs are raising awareness about a similar, but even more sinister, malicious Telegram service.

The researchers first discovered a TOR website providing details about a toolkit containing different types of malware. The toolkit is known as Eternity Project and is associated with a Telegram channel, where the project’s developers sell annual subscriptions to six different kinds of malware. The toolkit includes the following malware:
  • Eternity Stealer: steals passwords, cookies, credit cards, and crypto-wallets
  • Eternity Miner: quietly mines cryptocurrency while staying hidden
  • Eternity Clipper: replaces cryptocurrency wallet addresses in the clipboard with the threat actors’ wallet addresses in order to redirect funds
  • Eternity Ransomware: encrypts all files until a ransom is paid or a timer runs out
  • Eternity Worm: a virus that spreads by way of USB drives, files, networks, and Discord and Telegram messages
  • Eternity DDoS Bot: still under development, but will presumably infect systems to form a botnet suitable for carrying out distributed denial of service (DDoS) attacks.
Telegram bot building Eternity Stealer

Individuals who purchase access to one or more of the malware types in the Eternity Project toolkit gain access to a Telegram bot that helps them create a malware build suited to their preferences. Buyers select the type of malware, then choose from a number of options and input any required files or information. The screenshot above shows the build process for Eternity Stealer. The Telegram bot asks the user to upload an executable file so the malware can mimic a legitimate program. Once the user inputs all the requested information, the Telegram bot generates a custom-tailored build of the selected malware.

Eternity Ransomware shown as undetected by all major antivirus

A video posted by the developers shows all major antivirus programs, including Windows Defender, failing to detect a build of Eternity Ransomware as malware. However, the video could simply be a marketing ploy, with the scanned file actually containing no malware at all. The researchers at Cyble said they haven’t yet examined all the malware modules in detail, so we can’t yet confirm whether the malware is undetectable, as the developers claim. However, the researchers were able to confirm that malware from the Eternity Project toolkit is circulating in the wild, which is still worrying regardless of whether the malware is fully undetectable.

Somewhat humorously, the developers of Eternity Project claim that their main servers are located in Ukraine and have posted threats, warning buyers not to distribute the malware in Ukraine. Developers helping to unleash a full suite of malware on the world are most likely fooling themselves if they think they can keep said malware out of a country actively engaged in cyberwarfare.