A phishing campaign was launched on October 8th 2024 from an @eset.co.il domain, delivering a wiper through a phishing email.
The phishing emails came from the @eset.co.il domain, which made them look genuine, and they passed all authentication checks, which could indicate that the emails were originally sent from compromised servers belonging to ESET's partners.
Phishing message:
Files inside the ZIP archive:
eguiActivation.dll
eguiaActivationLang.dll
eguiAmon.dll
eguiAmonLang.dll
Setup.exe
Setup.exe VT link : https://www.virustotal.com/gui/file/2abff990d33d99a0732ddbb3a39831c2c292f36955381d45cd8d40a816d9b47a/details
ZIP Archive Link : https://www.virustotal.com/gui/file/2d55c68aa7781db7f2324427508947f057a6baca78073fee9a5ad254147c8232/details
Upon execution, the malware reached out to www.oref.org.il, the legitimate site of Israel's National Emergency Portal (Pikud HaOref). This could be a tactic to blend in with normal traffic, or a way to verify that the wiper has internet connectivity from the host.
YARA rule shared by Kevin Beaumont:
    rule ESETIsraelWiper {
        strings:
            $a = "Hey ESET, wait for the leak.. Doing business with the occupiers puts you in scope!"
        condition:
            $a
    }
Analysis by cybersecurity experts revealed embedded messages within the malware:
"Hey ESET, wait for the leak... Doing business with the occupiers puts you in scope!"
Reports also indicate that videos from the war are embedded in the binary, found when attempting to reverse engineer it.
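The indicators above (the two SHA-256 hashes from the VirusTotal links, the ZIP member names, and the string from the YARA rule) can be turned into a small triage check for incident responders. The following Python script is an added example and not code from the original post or from any of the people mentioned in it; it assumes only the Python standard library, and the sample ZIP it builds is constructed in memory with harmless placeholder content so the script runs offline.

```python
import hashlib
import io
import zipfile
from pathlib import Path

# Indicators taken from the post: SHA-256 values from the VirusTotal links,
# the ZIP member names, and the message string used in the YARA rule.
IOC_SHA256 = {
    "2abff990d33d99a0732ddbb3a39831c2c292f36955381d45cd8d40a816d9b47a": "Setup.exe wiper",
    "2d55c68aa7781db7f2324427508947f057a6baca78073fee9a5ad254147c8232": "phishing ZIP archive",
}
LURE_MEMBERS = {
    "eguiActivation.dll",
    "eguiaActivationLang.dll",
    "eguiAmon.dll",
    "eguiAmonLang.dll",
    "Setup.exe",
}
# The post quotes the message with ".." in the YARA rule and "..." in the
# analysis text, so both spellings are checked.
MARKERS = (
    b"Hey ESET, wait for the leak.. Doing business with the occupiers puts you in scope!",
    b"Hey ESET, wait for the leak... Doing business with the occupiers puts you in scope!",
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a blob, as lowercase hex (the form VirusTotal shows)."""
    return hashlib.sha256(data).hexdigest()


def hash_match(data: bytes):
    """Return the IoC label if the SHA-256 is one of the known hashes, else None."""
    return IOC_SHA256.get(sha256_hex(data))


def marker_match(data: bytes) -> bool:
    """Equivalent of the YARA rule: is the embedded message present in the bytes?"""
    return any(m in data for m in MARKERS)


def lure_members(data: bytes) -> set:
    """If the bytes are a ZIP, return the member names that match the lure file list."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return set()
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        return {Path(name).name for name in zf.namelist()} & LURE_MEMBERS


def triage(data: bytes) -> dict:
    """Combine the hash, string and archive-content checks into one verdict."""
    return {
        "sha256": sha256_hex(data),
        "hash_ioc": hash_match(data),
        "marker": marker_match(data),
        "lure_members": lure_members(data),
    }


def triage_file(path) -> dict:
    """Run the triage checks over a file on disk (e.g. a quarantined attachment)."""
    return triage(Path(path).read_bytes())


def build_constructed_zip() -> bytes:
    """Constructed sample: a ZIP carrying the lure's member names with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(LURE_MEMBERS):
            zf.writestr(name, "placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    # A lookalike archive: hash does not match, but all five lure filenames are present.
    print(triage(build_constructed_zip()))
    # A blob containing the embedded message: fires the same way the YARA rule would.
    print(triage(b"padding " + MARKERS[0] + b" padding"))
```

The three checks are deliberately independent: an attacker can change the archive hash trivially by repacking, so a member-name match or the embedded string is still worth reporting even when the hash does not match.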