An unknown threat actor is selling a new malware toolkit called Eternity Project. Cybercriminals can buy stealers, clippers, worms, miners, ransomware, and DDoS Bots for a few hundred dollars each. What’s most notable about this malware-as-a-service (MaaS) is that in addition to being available on a TOR website, the hacker behind it is brazenly promoting it on a Telegram channel with videos featuring product updates and how-to videos. 

How was the Eternity Project discovered?

Researchers from Cyble Research Labs first discovered the Eternity Project on a TOR website while carrying out routine threat hunting activities. As they continued to investigate the threat, they uncovered the related Telegram channel that, at the time, already had 500 subscribers. The hacker or hacking group offering up Eternity Project has released several malware updates, suggesting they are actively invested in improving it. 

Additional concern is warranted as anyone who buys the malware can build and customize the binary using the associated Telegram Bot, enabling criminals to create binaries without dependencies.

The malware kit and its origins

Due to some similarities, the researchers believe that the actor behind the Eternity Project has repurposed and modified existing code from DynamicStealer, which is also accessible on Github. Since the malware Jester Stealer uses the same Github repository, the hackers behind both may be linked somehow. 

Criminals can lease access to any of the five modules for an annual fee: 

• From a target’s machine, the Eternity Stealer ($260) can siphon credit cards, passwords, cookies, crypto extensions and wallets, email apps, and VPN clients, sending the information to the Telegram Bot. 
• The Eternity Miner ($90) mines cryptocurrency using a compromised machine’s computing resources. 
• Hackers can use the Eternity Clipper ($110) to steal cryptocurrency during a transaction by substituting their wallet address with the victim’s saved in the clipboard. 
• The Eternity Ransomware ($490) is an executable that encrypts a victim’s files, holding them for a ransom payment.
• The Eternity Worm ($390) spreads through local files, local network shares, cloud drives, USB drives, Python projects, and Discord and Telegram accounts. 
• The threat actors have indicated that they are currently developing a DDoS Bot, but there is no set release date or price announced yet. 

What are the potential effects?

Because they lack regulation, Telegram channels are emerging as a go-to place for criminals who want to sell or buy malware. Given that these latest toolkits come with detailed information, customer support, and bots that make attacks easy to build and customize, they appeal to professional and amateur cybercriminals, expanding the pool of threat actors who can wreak havoc without needing to have any advanced skills. 

CYREBRO recommendations for maintaining security

In the face of so many emerging threats, businesses and their employees must take steps to protect themselves and remain vigilant, especially as now even criminals with minimal skills can launch devastating attacks. 

As noted by CYREBROs Threat Intelligence Analyst Ziv Nachman: 

“This is a service-providing group that seems to rely on open-source malware, for the most part, which isn’t actually new. What is new and interesting is the distribution model – that it’s being sold on telegram. Previously, the main way of distribution was through places like Tor sites, but now we are seeing a growing shift towards easily accessible mainstream and legitimate platforms like Telegram, Snapchat, and Discord, all of which have a corporation that protects and secures messages, ultimately enabling cybercriminals to hide in plain sight.” 

Our advice is to make sure you continually monitor your entire IT environment with the proper set of tools. Of course, your security and IT team should consistently follow cybersecurity best practices, take every available opportunity to harden your security posture, and prioritize patch management. Since non-security professionals are often the most susceptible, holding routine security awareness training is vital.