
Researchers warn of malicious service “Eternity Project” being sold via Telegram

An unidentified threat actor has been linked to an in-development malware toolkit called “Eternity Project” that allows professional and amateur cybercriminals to buy stealers, clippers, worms, miners, ransomware and a Distributed Denial of Service (DDoS) bot.

What sets this malware as a service (MaaS) apart is that in addition to using a Telegram channel to communicate updates on the latest features, it also uses a Telegram bot that allows buyers to create the binary.


“The [threat actors] provide an option in the Telegram channel to customize binary features, which provides an efficient way to build binaries without any dependencies,” Cyble researchers said in a report published last week.

Each of the modules can be rented separately and offers paid access to a wide variety of functions –

  • Eternity Thief ($260 for an annual subscription) – An information stealer to siphon passwords, cookies, credit cards, cryptocurrency browser extensions, crypto wallets, VPN clients, and email apps from a victim’s machine and send them to the Telegram Bot
  • Eternity Miner ($90 annual subscription) – Malware that abuses a compromised machine’s computing resources to mine cryptocurrency
  • Eternity Trimmer ($110) – A crypto-clipping program that steals cryptocurrency during a transaction by replacing the original wallet address stored in the clipboard with the attacker’s wallet address.
  • Eternity ransomware ($490) – A 130KB ransomware executable to encrypt all user files until a ransom is paid
  • Eternity Worm ($390) – Malware that spreads via USB drives, LAN shares, local files as well as spam messages on Discord and Telegram, and
  • Eternity DDoS Bot (N/A) – The feature is currently under development
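
The Eternity Thief entry above says stolen data is sent to a Telegram bot. The following detection-side check for that traffic is an added example, not code from Cyble's report or from this article. It assumes the bot is reached through the public Bot API at api.telegram.org; the event schema, the allowlist and the sample events are constructed for illustration.

```python
import re

BOT_API_HOST = "api.telegram.org"
# Bot API request paths look like /bot<numeric id>:<secret>/<method>.
BOT_PATH = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
SEND_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendMediaGroup"}
# Hypothetical allowlist: programs on this network expected to call the Bot API.
ALLOWED_IMAGES = {r"c:\ops\alertbot\alertbot.exe"}

# Constructed events in an assumed schema (EDR or TLS-inspecting proxy export).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "web.telegram.org", "path": "/"},
    {"host": "OPS-01", "image": r"C:\ops\alertbot\alertbot.exe",
     "dest": "api.telegram.org", "path": "/bot111111111:CONSTRUCTED_token_A/sendMessage"},
    {"host": "WS-022", "image": r"C:\Users\kim\AppData\Local\Temp\svc_update.exe",
     "dest": "api.telegram.org", "path": "/bot123456789:CONSTRUCTED_token_B/sendDocument"},
    {"host": "WS-031", "image": r"C:\Users\lee\Downloads\setup.exe",
     "dest": "API.TELEGRAM.ORG.", "path": ""},  # no TLS inspection: host only
]

def triage(events, allowed=ALLOWED_IMAGES):
    """Return findings for Bot API traffic from programs not on the allowlist."""
    findings = []
    for ev in events:
        if ev["dest"].lower().rstrip(".") != BOT_API_HOST:
            continue  # other Telegram endpoints are ordinary client traffic
        if ev["image"].lower() in allowed:
            continue
        m = BOT_PATH.match(ev.get("path") or "")
        bot_id, method = (m.group(1), m.group(2)) if m else (None, None)
        findings.append({
            "host": ev["host"],
            "image": ev["image"],
            "bot_id": bot_id,  # numeric id only; the secret part is never stored
            "method": method,
            "severity": "high" if method in SEND_METHODS else "medium",
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The numeric bot id is kept so that findings on different hosts can be correlated; events without a visible URL path still produce a medium-severity finding on the hostname alone.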

Cyble pointed out that there are indications that the malware authors may be reusing existing code related to DynamicStealer, which is available on GitHub, and trading it under a new moniker for profit.

It should be noted that Jester Stealer, another malware that was discovered in February 2022 and has since been used in phishing attacks against Ukraine, also uses the same GitHub repository to download TOR proxies, pointing to possible links between the two threat actors.


The cybersecurity firm also said that it “has observed a significant increase in cybercrime via Telegram channels and cybercrime forums where [threat actors] sell their products without any regulation.”

Last week, BlackBerry exposed the inner workings of a remote access Trojan called DCRat (aka DarkCrystal RAT) which is available for sale at low prices on Russian hacking forums and uses a Telegram channel to share details regarding software and plugin updates.