Researchers: Rishika Desai, Anandeshwar Unnikrishnan

Category | Industry | Motivation | Region | Source
---|---|---|---|---
Adversary Intelligence | Multiple | Financial | Global | D4
Executive Summary
CloudSEK’s contextual AI digital risk platform XVigil discovered a financially motivated threat actor group, dubbed Eternity, actively operating on the internet, selling worms, stealers, DDoS tools, and ransomware builders.
Timeline of Eternity Ransomware Group
The activities of the original operators of the Eternity ransomware group can be traced back a couple of years, to when they were operating under different names (Vulturi Stealer, Jester Malware, etc.) on multiple forums. The original threat actor also operates on GitHub under the name ‘L1ghtM4n’, which can be read as ‘LightMan’. The GitHub repository maintained by this actor features various projects. Based on the activity of L1ghtM4n, CloudSEK researchers have mapped out the activities leading to the development of the Eternity malware.
Analysis
Eternity is active on multiple channels and posts updates on all of them, which indicates that it is operated by a team rather than a single individual. The ransomware builder the group recently put on sale is gaining traction among threat actors. CloudSEK researchers identified a GitHub repository belonging to L1ghtM4n, who is suspected to be one of the operators of Eternity.
Technical Analysis of Eternity Ransomware
Recently, CloudSEK’s Threat Intelligence Research team discovered a sample of Eternity ransomware that encrypts the files and leaves a ransom note.
Pre-Encryption Operations
- The ransomware is written in C#/.NET. During initialisation it generates a random password, which plays a crucial role in the cryptographic operations: both the file encryption and the later decryption depend on it. The image below shows the password being generated and assigned to the variable “password.”
- The function shown below is responsible for password generation.
- Once the password has been generated, the malware calls the function “Encrypt_pass” to store it in a form that only the attacker can later recover for decryption.
- The Encrypt_pass function is shown below. The password string is encrypted with RSA. The key is supplied as an XML string containing the Modulus and Exponent, i.e. only the public half of the attacker’s RSA key pair, in the XML key format used by .NET.
- Interestingly, after encrypting the password, the malware Base64-encodes the ciphertext and stores it as a file named “sendme.eternityraas” in the Desktop directory of the target device. This file is essential to decryption: it is the only copy of the password, and it can only be unwrapped with the attacker’s private key.
- After the user data on the system has been encrypted, the malware instructs the victim to email a copy of “sendme.eternityraas” to the attackers along with the ID.
- After the ransom of USD 800 is paid, the attacker recovers the password from the “sendme.eternityraas” file and sends it to the victim, who enters it into the malware to initiate the decryption process.
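The key-handling steps above, modelled end to end as an added example in Python. This is not the sample’s code and not CloudSEK’s; it reproduces the flow the write-up describes (random password, RSA-wrap with a public key delivered as an XML Modulus/Exponent string, Base64, drop as sendme.eternityraas, operator-side unwrap). Everything the page does not state is an assumption and is marked as such in the code: the password generator, the RSA padding (PKCS#1 v1.5, which is what .NET’s RSACryptoServiceProvider.Encrypt(data, false) applies), and the key size. The Miller-Rabin key generation is there only so the example runs offline without third-party libraries.

```python
# Added example (not the sample's code): a model of the Eternity key handling.
# Anything the page does not state is marked ASSUMED.
import base64
import os
import secrets
import xml.etree.ElementTree as ET

SENDME_NAME = "sendme.eternityraas"

def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin. Fine for a demo key; use a real library for anything else."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def gen_keypair(bits: int = 1024):
    """Return (n, e, d). The operator keeps d; only n and e ship inside the sample.
    Key size is ASSUMED; the page does not give it."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this guarantees gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def _i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def public_key_to_xml(n: int, e: int) -> str:
    """Same layout as .NET RSA.ToXmlString(false): big-endian Base64 Modulus/Exponent."""
    root = ET.Element("RSAKeyValue")
    ET.SubElement(root, "Modulus").text = base64.b64encode(_i2b(n)).decode()
    ET.SubElement(root, "Exponent").text = base64.b64encode(_i2b(e)).decode()
    return ET.tostring(root, encoding="unicode")

def public_key_from_xml(xml: str):
    """What the sample's FromXmlString-style parsing recovers: only the public key."""
    root = ET.fromstring(xml)
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    return n, e

def _pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 (ASSUMED padding): 00 02 <random non-zero PS> 00 M."""
    if len(msg) > k - 11:
        raise ValueError("password too long for this modulus")
    ps = bytearray()
    while len(ps) < k - len(msg) - 3:
        b = secrets.randbits(8)
        if b:
            ps.append(b)
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg

def generate_password(nbytes: int = 24) -> str:
    """ASSUMED generator; the page only says the password is random."""
    return secrets.token_urlsafe(nbytes)

def encrypt_pass(password: str, xml_pubkey: str) -> str:
    """Victim side ('Encrypt_pass'): RSA-wrap the password, then Base64 it.
    Nothing on the victim host can reverse this; the private key is not present."""
    n, e = public_key_from_xml(xml_pubkey)
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_pkcs1_v15_pad(password.encode(), k), "big")
    return base64.b64encode(pow(m, e, n).to_bytes(k, "big")).decode()

def write_sendme(desktop_dir: str, wrapped: str) -> str:
    """Drop the Base64 blob as sendme.eternityraas, as the sample does on the Desktop."""
    path = os.path.join(desktop_dir, SENDME_NAME)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(wrapped)
    return path

def recover_password(wrapped: str, n: int, d: int) -> str:
    """Operator side: unwrap the blob the victim mails in, using the private key d."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(base64.b64decode(wrapped), "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:].decode()
```

For a responder the useful check is the sendme file itself: its Base64 payload should decode to exactly the modulus length of the key embedded in the sample, and because the padding is randomised, two runs of the same sample produce different blobs for the same password. Note also that the hard-coded key is public-only, so recovering the password from the blob is not possible without the operator’s private key; the file is a wrapped key, not the key.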
Encryption Process
- The malware initiates the encryption process by executing the function “start.”
- Both local and networked drives are enumerated. The malware iterates over each drive and processes its files for encryption by executing the function “Attack”, as shown in the image below.
- Each directory is processed as shown in the image below. The malware keeps a very long list of target extensions and checks whether the extension of the file being processed is in the list. If it is, the file is selected for further processing by the function “ProcessFile.”
- Files with the following extensions are encrypted by the malware (the list is reproduced as found in the sample, duplicates included).
“pdf”, “pps”, “ppt”, “pptm”, “pptx”, “ps”, “psd”, “vcf”, “xlr”, “xls”, “xlsx”, “xlsm”, “ods”, “odp”, “indd”, “dwg”, “dxf”, “kml”, “kmz”, “gpx”, “cad”, “wmf”, “3fr”, “ari”, “arw”, “bay”, “bmp”, “cr2”, “crw”, “cxi”, “dcr”, “dng”, “eip”, “erf”, “fff”, “gif”, “iiq”, “j6i”, “k25”, “kdc”, “mef”, “mfw”, “mos”, “mrw”, “nef”, “nrw”, “orf”, “pef”, “png”, “raf”, “raw”, “rw2”, “rwl”, “rwz”, “sr2”, “srf”, “srw”, “x3f”, “jpg”, “jpeg”, “tga”, “tiff”, “tif”, “ai”, “3g2”, “3gp”, “asf”, “avi”, “flv”, “m4v”, “mkv”, “mov”, “mp4”, “mpg”, “rm”, “swf”, “vob”, “wmv”, “txt”, “php'”, “html”, “tar”, “gz”, “sql”, “js”, “css”, “txt”, “pdf”, “tgz”, “war”, “jar”, “java”, “class”, “ruby”, “py”, “cs”, “zip”, “db”, “doc”, “xls”, “properties”, “xml”, “jpg”, “jpeg”, “gif”, “mov”, “avi”, “wmv”, “mp3”, “mp4”, “wma”, “acc”, “wav”, “pem”, “pub”, “docx”, “apk”, “exe”, “dll”, “tpl”, “psd”, “asp”, “phtml”, “aspx”, “csv”, “sql”, “mp4”, “7z”, “rar”, “m4a”, “wma”, “avi”, “wmv”, “csv”, “d3dbsp”, “zip”, “sie”, “sum”, “ibank”, “t13”, “t12”, “qdf”, “gdb”, “tax”, “pkpass”, “bc6”, “bc7”, “bkp”, “qic”, “bkf”, “sidn”, “sidd”, “mddata”, “itl”, “itdb”, “icxs”, “hvpl”, “hplg”, “hkdb”, “mdbackup”, “syncdb”, “gho”, “cas”, “svg”, “map”, “wmo”, “itm”, “sb”, “fos”, “mov”, “vdf”, “ztmp”, “sis”, “sid”, “ncf”, “menu”, “layout”, “dmp”, “blob”, “esm”, “vcf”, “vtf”, “dazip”, “fpk”, “mlx”, “kf”, “iwd”, “vpk”, “tor”, “psk”, “rim”, “w3x”, “fsh”, “ntl”, “arch00”, “lvl”, “snx”, “cfr”, “ff”, “vpp_pc”, “lrf”, “m2”, “mcmeta”, “vfs0”, “mpqge”, “kdb”, “db0”, “dba”, “rofl”, “hkx”, “bar”, “upk”, “das”, “iwi”, “litemod”, “asset”, “forge”, “ltx”, “bsa”, “apk”, “re4”, “sav”, “lbf”, “slm”, “bik”, “epk”, “rgss3a”, “pak”, “big”, “wallet”, “wotreplay”, “xxx”, “desc”, “py”, “m3u”, “flv”, “js”, “css”, “rb”, “png”, “jpeg”, “txt”, “p7c”, “p7b”, “p12”, “pfx”, “pem”, “crt”, “cer”, “der”, “x3f”, “srw”, “pef”, “ptx”, “r3d”, “rw2”, “rwl”, “raw”, “raf”, “orf”, “nrw”, “mrwref”, “mef”, “erf”, “kdc”, “dcr”, “cr2”, “crw”, “bay”, “sr2”, “srf”, “arw”, “3fr”, “dng”, 
“jpe”, “jpg”, “cdr”, “indd”, “ai”, “eps”, “pdf”, “pdd”, “psd”, “dbf”, “mdf”, “wb2”, “rtf”, “wpd”, “dxg”, “xf”, “dwg”, “pst”, “accdb”, “mdb”, “pptm”, “pptx”, “ppt”, “xlk”, “xlsb”, “xlsm”, “xlsx”, “xls”, “wps”, “docm”, “docx”, “doc”, “odb”, “odc”, “odm”, “odp”, “ods”, “odt”, “odt”, “ods”, “odp”, “odm”, “odc”, “odb”, “doc”, “docx”, “docm”, “wps”, “xls”, “xlsx”, “xlsm”, “xlsb”, “xlk”, “ppt”, “pptx”, “pptm”, “mdb”, “accdb”, “pst”, “dwg”, “dxf”, “dxg”, “wpd”, “rtf”, “wb2”, “mdf”, “dbf”, “psd”, “pdd”, “pdf”, “eps”, “ai”, “indd”, “cdr”, “dng”, “3fr”, “arw”, “srf”, “sr2”, “mp3”, “bay”, “crw”, “cr2”, “dcr”, “kdc”, “erf”, “mef”, “mrw”, “nef”, “nrw”, “orf”, “raf”, “raw”, “rwl”, “rw2”, “r3d”, “ptx”, “pef”, “srw”, “x3f”, “der”, “cer”, “crt”, “pem”, “pfx”, “p12”, “p7b”, “p7c”, “jpg”, “png”, “jfif”, “jpeg”, “gif”, “bmp”, “exif”, “txt”, “3fr”, “accdb”, “ai”, “arw”, “bay”, “cdr”, “cer”, “cr2”, “crt”, “crw”, “dbf”, “dcr”, “der”, “dng”, “doc”, “docm”, “docx”, “dwg”, “dxf”, “dxg”, “eps”, “erf”, “indd”, “jpe”, “jpg”, “kdc”, “mdb”, “mdf”, “mef”, “mrw”, “nef”, “nrw”, “odb”, “odm”, “odp”, “ods”, “odt”, “orf”, “p12”, “p7b”, “p7c”, “pdd”, “pef”, “pem”, “pfx”, “ppt”, “pptm”, “pptx”, “psd”, “pst”, “ptx”, “r3d”, “raf”, “raw”, “rtf”, “rw2”, “rwl”, “srf”, “srw”, “wb2”, “wpd”, “wps”, “xlk”, “xls”, “xlsb”, “xlsm”, “xlsx”, “wb2”, “psd”, “p7c”, “p7b”, “p12”, “pfx”, “pem”, “crt”, “cer”, “der”, “pl”, “py”, “lua”, “css”, “js”, “asp”, “php”, “incpas”, “asm”, “hpp”, “h”, “cpp”, “c”, “7z”, “zip”, “rar”, “drf”, “blend”, “apj”, “3ds”, “dwg”, “sda”, “ps”, “pat”, “fxg”, “fhd”, “fh”, “dxb”, “drw”, “design”, “ddrw”, “ddoc”, “dcs”, “csl”, “csh”, “cpi”, “cgm”, “cdx”, “cdrw”, “cdr6”, “cdr5”, “cdr4”, “cdr3”, “cdr”, “awg”, “ait”, “ai”, “agd1”, “ycbcra”, “x3f”, “stx”, “st8”, “st7”, “st6”, “st5”, “st4”, “srw”, “srf”, “sr2”, “sd1”, “sd0”, “rwz”, “rwl”, “rw2”, “raw”, “raf”, “ra2”, “ptx”, “pef”, “pcd”, “orf”, “nwb”, “nrw”, “nop”, “nef”, “ndd”, “mrw”, “mos”, “mfw”, “mef”, “mdc”, “kdc”, “kc2”, “iiq”, “gry”, “grey”, “gray”, 
“fpx”, “fff”, “exf”, “erf”, “dng”, “dcr”, “dc2”, “crw”, “craw”, “cr2”, “cmt”, “cib”, “ce2”, “ce1”, “arw”, “3pr”, “3fr”, “mpg”, “jpeg”, “jpg”, “mdb”, “sqlitedb”, “sqlite3”, “sqlite”, “sql”, “sdf”, “sav”, “sas7bdat”, “s3db”, “rdb”, “psafe3”, “nyf”, “nx2”, “nx1”, “nsh”, “nsg”, “nsf”, “nsd”, “ns4”, “ns3”, “ns2”, “myd”, “kpdx”, “kdbx”, “idx”, “ibz”, “ibd”, “fdb”, “erbsql”, “db3”, “dbf”, “db-journal”, “db”, “cls”, “bdb”, “al”, “adb”, “backupdb”, “bik”, “backup”, “bak”, “bkp”, “moneywell”, “mmw”, “ibank”, “hbk”, “ffd”, “dgc”, “ddd”, “dac”, “cfp”, “cdf”, “bpw”, “bgt”, “acr”, “ac2”, “ab4”, “djvu”, “pdf”, “sxm”, “odf”, “std”, “sxd”, “otg”, “sti”, “sxi”, “otp”, “odg”, “odp”, “stc”, “sxc”, “ots”, “ods”, “sxg”, “stw”, “sxw”, “odm”, “oth”, “ott”, “odt”, “odb”, “csv”, “rtf”, “accdr”, “accdt”, “accde”, “accdb”, “sldm”, “sldx”, “ppsm”, “ppsx”, “ppam”, “potm”, “potx”, “pptm”, “pptx”, “pps”, “pot”, “ppt”, “xlw”, “xll”, “xlam”, “xla”, “xlsb”, “xltm”, “xltx”, “xlsm”, “xlsx”, “xlm”, “xlt”, “xls”, “xml”, “dotm”, “dotx”, “docm”, “docx”, “dot”, “doc”, “txt”, “odt”, “ods”, “odp”, “odm”, “odc”, “odb”, “doc”, “docx”, “docm”, “wps”, “xls”, “xlsx”, “xlsm”, “xlsb”, “xlk”, “ppt”, “pptx”, “pptm”, “mdb”, “accdb”, “pst”, “dwg”, “dxf”, “dxg”, “wpd”, “rtf”, “wb2”, “mdf”, “dbf”, “psd”, “pdd”, “pdf”, “eps”, “ai”, “indd”, “cdr”, “jpg”, “jpe”, “jpg”, “dng”, “3fr”, “arw”, “srf”, “sr2”, “bay”, “crw”, “cr2”, “dcr”, “kdc”, “erf”, “mef”, “mrw”, “nef”, “nrw”, “orf”, “raf”, “raw”, “rwl”, “rw2”, “r3d”, “ptx”, “pef”, “srw”, “x3f”, “der”, “cer”, “crt”, “pem”, “pfx”, “p12”, “p7b”, “p7c”
- The “ProcessFile” function, shown in the image below, first checks whether the selected file is already marked.
- It does so by reading the first 3 bytes of the file and comparing them with the marker “Eth”. If the file is not marked, “ProcessFile” calls the function “EncryptFile” to lock it. The check is only a marker comparison, so any file that happens to begin with the bytes “Eth” is left alone, and a marked file is not re-encrypted on a second run.
- During directory enumeration, the malware skips files under the following paths (the last entry keeps it from encrypting its own directory):
- “All Users\Microsoft\”
- “$Recycle.Bin”
- “C:\Windows”
- “C:\Program Files”
- “Temporary Internet Files”
- “AppData\”
- “\source\”
- “C:\ProgramData”
- “\Eternity\”
- The following image shows the file encryption function used by the malware. The malware uses AES to lock user data. Before writing the encrypted data, it writes the marker: the 3 bytes corresponding to “Eth” are prepended to the ciphertext, which is what the check in ProcessFile later looks for and what a responder can look for to count encrypted files.
Post-Encryption Operations
After encryption, the malware proceeds to execute three functions: “DestroyCopy,” ”SetStartup,” and ”CreateUI.”
DestroyCopy
This function, as the name suggests, destroys the Volume Shadow Copies via WMI. As shown in the following image, the malware accesses the WMI class “Win32_ShadowCopy” and calls its Delete() method. Once the shadow copies are gone, the user can no longer restore previous versions of the locked files from them. Because this goes through WMI rather than vssadmin.exe or wmic.exe, command-line detections for those tools will not fire; the telemetry to look for is the process itself querying Win32_ShadowCopy.
SetStartup
This function writes a new value named “Eternity” under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” that points to the ransomware binary, as shown in the image below. As a result the ransomware is executed each time the user logs in. Since the key is under HKCU, writing it requires no elevated privileges.
The image below is the registry snapshot of the Run Key after the execution of the malware sample “sam.exe.”
CreateUI
This function plays a crucial role in the ransomware operation. It initiates and launches a Windows Form as shown in the image below. A Windows Form is the UI element of desktop applications. The malware has a class named PayM3, which represents the Form. The CreateUI function instantiates the required data and executes the Form.
Once the Form is executed, a pop-up appears as shown in the image below. The decryption logic is tied to this Form: it starts the decryption routine when the user submits the correct password, i.e. the one generated by the ransomware as described earlier. Because the Form is critical to recovering the data, the ransomware hooks the keyboard so that the user cannot close the window, even by accident.
Hooks to Intercept Keyboard Functionality
The aforementioned Form installs a keyboard hook in the function PayM3_Load, as shown in the image below. It calls “SetWindowsHookEx” with a “LowLevelKeyboardProc” callback, so that whenever the user presses a key the system invokes the malware’s “captureKey” function. Although keyboard hooks are a staple of spyware and bots, here they are used to achieve a different result.
The hook shown in the following image ensures that the user does not terminate the Form, either deliberately or accidentally. It is only interested in modifier keys (Shift, Alt, Ctrl, Windows), the keys normally used in combinations to force-close a program or to open the Task Manager.
The operators of Eternity use this as a fail-safe for the malware. The hook simply checks whether the pressed key is a modifier and, if so, returns without passing the event on, so the keystroke is never registered by the system. A low-level keyboard hook cannot intercept the Secure Attention Sequence (Ctrl+Alt+Del), so this only hinders casual attempts to close the window.
Upon submission of a valid password to the Form, it executes a function called “UndoAttack” that decrypts the locked data.
Recent Incident
- Recently, CloudSEK’s Threat Research Team discovered a sample of Eternity ransomware that encrypts the files and leaves the ransom note.
- To get the decryption key, the victim needs to contact the following communication channels:
Channel | Address
---|---
Telegram | RecoverdataU
Mail | [email protected]
- Based on CloudSEK’s investigation, this ransomware is bundled with Eternity Malware.
Links Between L1ghtM4n, Jester, and Eternity
- Based on our technical analysis, modules developed and posted in the GitHub repository of L1ghtM4n have been fetched and used by the Jester malware.
- L1ghtM4n’s contact details match the communication channels advertised by the Eternity Team, and this threat actor’s technical skills are closely related to malware development.
- All the tutorials and data posted by the malware teams associated with L1ghtM4n have also been shared in Russian, indicating the likely origin of the threat actor.
- CloudSEK researchers believe there is a slight possibility that Eternity was formed out of the recruitment programme for trainees speaking different languages that was run during the Virology training.
- The advertisements for Eternity, Jester, Lilith, and Merlyn follow a similar artistic doodle style, another observation that suggests, with mild confidence, a possible connection between them.
Impact & Mitigation
References
- Intelligence source and information reliability (basis for the “D4” source rating): https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
- Traffic Light Protocol: https://en.wikipedia.org/wiki/Traffic_Light_Protocol
- Hybrid Analysis
Appendix
Contact Details
Project Name | Associated Contact
---|---
Vulturi Stealer | XMPP: [email protected]; Email: [email protected]; Telegram: @vulturi_project
Jester Malware | Telegram: https://t.me/Jester_Stealer; Jabber: [email protected]; TOX ID: BB9AFAD6FDE0FC274349742F9C96186FB5A29A16D7CFF554EBF243AE7834100E78A3CB568DA8
Eternity Malware | Telegram: @EternityTeams / @EternityDeveloper / @eternitymalware / @Eternityprojects; Jabber: [email protected]; GitHub: https://github.com/L1ghtM4n; Email: [email protected]
Samples & Picture Proofs