Eternity Project is the name of a malware toolkit which is currently in active development and is being sold as malware-as-a-service. Researchers have not yet identified the threat actor selling the malware, which gives amateur hackers access to an information stealer, a clipper, a computer worm, a cryptocurrency miner, ransomware, and a DDoS bot.
Eternity Project Malware-as-a-Service
The Eternity Project campaign was discovered by Cyble researchers during their “routine threat hunting exercise.” The researchers came across a Tor website that listed “a variety of malware for sale,” all branded with the name “Eternity Project.”
What is most notable is that the threat actors behind the malware project also own a Telegram channel with approximately 500 subscribers. The channel provides further information and detailed videos, as well as details about the malware’s updates. This shows that the team is still developing their malware-as-a-service project.
“Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary. The TAs [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies,” Cyble says in their report.
It is noteworthy that each malicious module can be sold separately.
Eternity Information Stealer
Its annual subscription is $260. The stealer can steal passwords and other data belonging to:
Browser data (Passwords, CreditCards, Cookies, AutoFill, Tokens, History, Bookmarks) from Chrome, Firefox, Edge, Opera, Chromium, Vivaldi, IE, and 20+ more.
Email clients: Thunderbird, Outlook, FoxMail, PostBox, MailBird.
Messengers: Telegram, Discord, WhatsApp, Signal, Pidgin, RamBox.
Cold cryptocurrency wallets: Atomic, Binance, Coinomi, Electrum, Exodus, Guarda, Jaxx, Wasabi, Zcash, BitcoinCore, DashCore, DogeCore, LiteCore, MoneroCore.
Browser cryptocurrency extensions: MetaMask, BinanceChain, Coinbase Wallet, and 30+ more.
Password managers: KeePass, NordPass, LastPass, BitWarden, 1Password, RoboForm and 10+ more.
VPN clients: WindscribeVPN, NordVPN, EarthVPN, ProtonVPN, OpenVPN, AzireVPN.
FTP clients: FileZilla, CoreFTP, WinSCP, Snowflake, CyberDuck.
Gaming software: Steam session, Twitch, OBS broadcasting keys.
System credentials: Credman passwords, Vault passwords, Network passwords.
The Eternity miner, which is said to be very small in size, is sold for $90. It offers “silent Monero mining,” and is hidden from the task manager.
The clipper module is sold for $110. It monitors the clipboard of an infected computer for cryptocurrency wallet addresses, with the purpose of replacing them with the hackers’ own crypto wallet addresses.
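A clipper of this kind succeeds only if the substituted address goes unnoticed before the user pastes it. The following is an added, defender-side example (not code from the article or from Cyble’s report) showing the check an endpoint agent or a user-facing wallet tool can perform: compare the text the user actually copied with what the clipboard holds at paste time and flag any wallet address that was not in the original. The address regexes and the sample clipboard events are constructed for this example and are syntactic matches only, not checksum validation.

```python
import re

# Syntactic patterns for a few common address formats (constructed for this
# example; they do not validate checksums, only the shape of an address).
ADDRESS_PATTERNS = {
    # Legacy (1.../3...) base58 or bech32 (bc1...) Bitcoin addresses
    "btc": re.compile(r"\b(?:bc1[02-9ac-hj-np-z]{11,71}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"),
    # Ethereum: 0x followed by 40 hex digits
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    # Monero: 95-character base58 string starting with 4 or 8
    "xmr": re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"),
}


def find_addresses(text):
    """Return a list of (coin, address) pairs found in the text."""
    found = []
    for coin, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((coin, match.group(0)))
    return found


def detect_swap(copied, clipboard_now):
    """Compare what the user copied with the clipboard's current contents.

    Returns a list of (coin, original_address_or_None, replacement_address)
    tuples. An empty list means every address now on the clipboard was
    present in the text the user originally copied.
    """
    before = find_addresses(copied)
    after = find_addresses(clipboard_now)
    original_addresses = {addr for _, addr in before}
    alerts = []
    for coin, addr in after:
        if addr not in original_addresses:
            # The address most likely replaced is one of the same coin type
            # that was in the copied text; None if there was none.
            candidates = [a for c, a in before if c == coin]
            alerts.append((coin, candidates[0] if candidates else None, addr))
    return alerts


if __name__ == "__main__":
    # Constructed clipboard events: (text the user copied, clipboard at paste time)
    legit_eth = "0x" + "a" * 40
    swapped_eth = "0x" + "b" * 40
    events = [
        ("send 0.5 ETH to " + legit_eth, "send 0.5 ETH to " + legit_eth),
        ("send 0.5 ETH to " + legit_eth, "send 0.5 ETH to " + swapped_eth),
    ]
    for copied, now in events:
        alerts = detect_swap(copied, now)
        status = "clean" if not alerts else "ADDRESS SWAPPED: %r" % alerts
        print(status)
```

In practice the "copied" text comes from hooking the user’s own copy action (or from the wallet application that generated the address), and the clipboard contents are read again immediately before the paste is committed; the comparison is cheap enough to run on every paste.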
The ransomware is the most expensive module, with a price set at $490. The ransomware is capable of the following, according to the cybercriminals’ description:
Encrypts all documents, photos, and databases on disks, local shares, and USB drives.
Offline encryption (doesn’t require a network connection)
Uses a very strong algorithm of encryption utilizing both AES and RSA.
The ability to set a time limit after which the files cannot be decrypted.
Execution on a specific date
Currently FUD (fully undetectable, 0/26 antivirus detections)
Small size ~130kb
The worm’s price is $390, and it can propagate through USB drives, local network shares, local files, and spam messages shared on Discord and Telegram.
The last feature, the DDoS bot, is still in development, and no information has been provided so far.