Threat Actors Use Telegram to Spread ‘Eternity’ Malware-as-a-Service

An account promoting the project—which offers a range of threat activity from info-stealing to crypto-mining to ransomware as individual modules—has more than 500 subscribers.

Cybercriminals are promoting a new, modular malware-as-a-service offering that allows would-be attackers to choose from a cornucopia of threats via a Telegram channel that to date has more than 500 subscribers, researchers have found.

The new malware service, dubbed the Eternity Project by the threat actors behind it, allows cybercriminals to target potential victims with a customized threat offering based on individual modules they can buy for prices ranging from $90 to $490, researchers from security firm Cyble wrote in a blog post published Thursday.

The modules include a stealer, clipper, worm, miner and ransomware, depending on what type of attack a threat actors wants to mount, according to the post. Developers behind the project also are working on a future module that offers distributed denial of service (DDoS) bots.
Infosec Insiders Newsletter

Eternity—which researchers discovered on a TOR website, where the malware-as-a-service also is for sale—demonstrates the “significant increase in cybercrime through Telegram channels and cybercrime forums,” researchers wrote in the post. This is likely because threat actors can sell their products without any regulation, they said.

Each module is sold individually and has different functionality that researchers suspect is being repurposed from code in an existing  Github repository, which project developers are then modifying and selling under a new name, according to Cyble.

“Our analysis also indicated that the Jester Stealer could also be rebranded from this particular Github project which indicates some links between the two threat actors,” they wrote.

Specific Modules and Functionality

Threat actors are selling the Eternity Stealer for $260 as an annual subscription. The module steals passwords, cookies, credit cards and crypto-wallets from various applications—such as all the most popular browsers, messaging apps and cryptocurrency wallets—on the victim’s machine and sends them to the threat actor’s Telegram Bot.

The Eternity Miner, a malicious program that uses the infected device to mine cryptocurrency, sells for $90 for an annual subscription. Features of the miner include a small file size; silent Monero mining; the ability to restart when killed; and the ability to remain hidden from the task manager, researchers wrote.

The Eternity Clipper–malware that monitors the clipboard of an infected machine for cryptocurrency wallets and replaces them with the threat actor’s crypto-wallet addresses–is being sold for $110. The malware, like the miner, also can hide from the task manager, as well as includes other features.

The Eternity Ransomware—the most expensive of the offerings—sells for $490 and offers encryption of all documents, photos and databases on disks, local shares and USB drives both online and offline. Attackers can set a time limit after which the files cannot be decrypted and can set the ransomware to execute on a specific date, among other features.

Threat actors are selling the Eternity Worm, a virus that spreads through infected machines via files and networks, for $390. Features of the worm include its ability to spread through the following: USB Drives, local network shares, various local files, cloud drives such as GoogleDrive or DropBox, and others. It also can send worm-infected messages to people’s Discord and Telegram channels and friends, researchers said.

As mentioned before, developers are currently working on another module to offer DDoS bots as a service, though researchers did not specific a time frame for its availability.

Proceed with Caution

The existence of Eternity and its ability to offer cyber-crime options to the masses should be a cautionary tale to web users never to save credentials on a machine, lest the information falls into the wrong hands, one security professional noted.

“Seriously, when your browser asks you to allow it to remember your credentials, your answer should always be ‘no, or never,'” Ron Bradley, vice president at Shared Assessments, wrote in an email to Threatpost.Unfortunately, browser manufacturers have duped users into a sense of security by allowing them to remember sensitive information including passwords, credit cards, addresses, etc. without regard to the risk they are taking.”

People should work on the assumption that their credentials have already been compromised rather than feeling a false sense of safety with saving sensitive data to a machine, and take steps to protect private information that reflects this assumption, he said.

“Above all else, use multiple layers of defense,” Bradley observed. “Like it or not, we’re at war when it comes to protecting our private information. Protective gear and defensive weapons are not optional in this day and age.”

Suggested articles