Eternity Malware Detection: Novel Modular MaaS
Table of contents:
While cybersecurity professionals are working hard to augment SOC operations with more scalable and innovative solutions, threat actors are also putting an effort not to be left to bring up the rear in this everlasting security race. Security researchers detect the surge in the numbers of malware-as-a-service (MaaS) offers, with its operators coming with new sophisticated distribution and propagation approaches. One of the most recent examples is a malware toolkit dubbed “Eternity Project” that can be obtained not only on dark markets but also by connecting with its distributors via their Telegram channel.
Threat actors are employing new сustomer-oriented services, such as a Telegram Bot that enables the buyers of the Eternity malware to tune their purchases to better correspond with their malicious intentions. The malware toolkit includes an Eternity stealer, worm, miner, clipper, ransomware, and a distributed denial-of-service (DDoS) bot. All purchase offers can be bought individually.
Detect Eternity Malware
For an efficient Eternity malware detection, use the Sigma rule below developed by the talented member of SOC Prime Threat Bounty Program, Osman Demir, to timely track a relevant suspicious activity in your system:
Suspicious Eternity Stealer Execution from Temp Folder (via cmdline)
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Devo, LimaCharlie, SentinelOne, Microsoft Defender ATP, CrowdStrike, Apache Kafka ksqlDB, AWS OpenSearch, Carbon Black, Securonix, and Open Distro.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) as the primary technique.
See the full list of rules available in the Threat Detection Marketplace repository of SOC Prime’s platform to detect other possible system compromises. Adepts at cybersecurity are more than welcome to join the Threat Bounty program to share their Sigma rules with the community and get recurrent rewards.
View Detections Join Threat Bounty
Eternity Malware Description
The novel malware service tagged Eternity is gaining in popularity in a threat market. Cyble Research Labs’ experts reported on a recently surfaced Eternity Project’s malware they discovered on a TOR website, which is now sold via Telegram messaging service. The Telegram channel also offers product updates, an option to build the binary, and user support to Eternity malware operators-to-be. A multimodular malware toolkit includes six malware modules, with the prices starting at $90 for an Eternity Miner; the most costly item on offer is an Eternity Ransomware that is promised to encrypt all victim’s data, available for $490.
Eternity Malware analysis shows that this project runners are leveraging code from the existing GitHub repository, rebranding it to generate income. Analysts report that an infamous Jester Stealer malware used in phishing attacks against Ukraine in early May this year could have also been built on the mentioned code.
Join SOC Prime’s Detection as Code platform to unlock access to the world’s largest pool of detection content created by reputable experts in the field. Rest assured that you will not be missing out on any important updates since our SOC experts strive to publish all the latest detections, maintaining a swift response to the latest threats.