White Papers
Marketplace scams: Neanderthals hunting Mammoths with Telekopye
Marketplace scams: Neanderthals hunting Mammoths with Telekopye
This paper looks under the hood of scams that leverage Telekopye, a toolkit that ESET Research discovered in 2023 and that can turn online marketplace scams into an organized illicit business. Dozens of groups with up to thousands of members each use Telekopye every day to steal millions from their victims. The paper also includes findings about the latest scam scenarios and how Telekopye groups have expanded their targeting to popular accommodation booking platforms, such as Booking.com and Airbnb.
CeranaKeeper: A relentless, shape-shifting group targeting Thailand
CeranaKeeper: A relentless, shape-shifting group targeting Thailand
In 2023, ESET researchers observed several campaigns that targeted governmental institutions in Thailand and were carried out by a China-aligned cyberespionage group that ESET calls CeranaKeeper. This paper describes the different methods that CeranaKeeper uses to gain access and move laterally to further compromise the entire network of a target. Also, it discusses the single-use tools CeranaKeeper has delivered to backdoored systems and used to exfiltrate gigabytes of data. Finally, with the knowledge gathered, we provide our take on attributing this series of attacks.
Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023
Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023
This white paper provides a technical analysis of the toolset used by the Gamaredon APT group to conduct its cyberespionage activities in 2022 and 2023, or since the war in Ukraine escalated in February 2022. This Russia-aligned group has been active since at least 2013 and is currently the most active threat actor in Ukraine, focusing mainly on the country’s governmental institutions, as evidenced over time by ESET telemetry, in several reports from CERT-UA, and from other official Ukrainian bodies.
Ebury is alive but unseen
Ebury is alive but unseen
ESET Research publishes a deep-dive investigation into one of the most advanced server-side malware campaigns, which is still growing and has seen hundreds of thousands of compromised servers in its at least 15-year-long operation. Among the activities of the infamous Ebury group and botnet over the years has been the spread of spam, web traffic redirections, and credential stealing. In recent years it has diversified to credit card and cryptocurrency theft. Additionally, Ebury has been deployed as a backdoor to compromise almost 400,000 Linux, FreeBSD, and OpenBSD servers; more than 100,000 were still compromised as of late 2023.
How I (could) have stolen your corporate secrets for $100
How I (could) have stolen your corporate secrets for $100
ESET researchers have found that core routers, the kind that are likely to be found in corporate networks, are often not wiped clean before they are decommissioned and offered for resale. This leaves critical and sensitive configuration data from the original owner or operator accessible to the purchaser and open to abuse.
Remote Desktop Protocol: Configuring remote access for a secure workforce
Remote Desktop Protocol: Configuring remote access for a secure workforce
In the past few years, ESET has seen a rising number of incidents in which attackers connected to Windows servers over the internet using RDP and logged on as administrators. This paper looks at how attacks misusing Remote Desktop Protocol (RDP) progressed throughout 2020 and 2021 and how organizations can defend themselves against RDP-borne attacks.
Under the hood of Wslink’s multilayered virtual machine
Under the hood of Wslink’s multilayered virtual machine
ESET researchers recently described Wslink, a unique and previously undocumented malicious loader that runs as a server and that features a virtual-machine-based obfuscator. In this white paper we describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through the obfuscation techniques used in the analyzed samples. We demonstrate our approach on chunks of code of the protected sample. We were not motivated to fully deobfuscate the code, because we discovered a non-obfuscated sample.
Jumping the air gap: 15 years of nation-state effort
Jumping the air gap: 15 years of nation-state effort
This white paper describes how malware frameworks targeting air-gapped networks operate and provides a side-by-side comparison of their most important TTPs. ESET researchers also propose a series of detection and mitigation techniques to protect air-gapped networks from the main techniques used by all the malicious frameworks publicly known to date.
FontOnLake: Previously unknown malware family targeting Linux
FontOnLake: Previously unknown malware family targeting Linux
ESET researchers have uncovered a previously unknown malware family that uses custom and well-designed modules to target Linux. Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect login credentials, and serve as a proxy server.