BlackBerry Blog

Eternity Project MaaS: Watch Time Run Out on Eternity Malware (Video)

When you pick up a new toy with all the bells and whistles, whether it’s a car, computer, or something special for your home, it’s fun to customize it just the way you want and make it your own. Threat actors implementing the Eternity Project malware toolkit may experience a similar feeling as they choose from multiple options they can use to compromise your organization’s network security.

Targeting the Windows® operating system, BlackBerry threat researchers designate the Eternity Project, “Eternity” for short, as a high-impact, medium-risk threat. 

Eternity Malware Distribution and Components

It appears that Eternity is primarily distributed to its victims via YouTube videos, Discord links, and email attachments. The toolkit, sold as malware-as-a-service (MaaS), is peddled by an entity collectively given the moniker “Eternity Group.” This group appears to have ties to the Russian “Jester Group,” which has been active since July 2021. Researchers also noticed that the developer appears to use the source code of Povlsomware as the base for the final product.

The Eternity Project toolkit is modular and can mix and match between five components. These modules include a crypto miner, crypto clipper, worm malware, info stealer, and ransomware. However, of greater concern to organizations is that the developer of the toolkit offers a mass customization service wherein each module can be modified to meet the needs of threat actors.

BlackBerry Prevents Eternity Malware Suite

Watch our demo video below to learn more about Eternity Project attacks, and see how BlackBerry defeats them using our zero trust network access (ZTNA) solution CylanceGATEWAY™, and our cloud-enabled endpoint detection and response (EDR) solution CylanceOPTICS® in conjunction with CylancePROTECT®, our artificial intelligence (AI) powered endpoint protection platform (EPP).

DEMO VIDEO: BlackBerry vs. Eternity Project

Learn more about Eternity Project in our deep-dive blog, Threat Spotlight: Eternity Project MaaS Goes On and On

Figure 1 – CylanceGATEWAY stops the command-and-control (C2) communications from Eternity modules and prevents deployment of additional instructions.

Figure 2 – CylancePROTECT defeats the malware suite, preventing Eternity Project from accessing the target system, stopping each attack before it occurs.

Cylance AI

To learn more about Cylance® AI capabilities visit: Cylance AI from BlackBerry.

BlackBerry Assistance

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form. 

Video Transcript

In this video, we are going to look at how an attacker can compromise the system using the Eternity Malware-as-a-service kit. This is a multi-modular malware service that can provide many capabilities including information stealing functionality, crypto miner and clipper, a worm for malware propagation through popular instant messaging apps, and of course a ransomware module.

We have set up this machine with CylanceOPTICS in audit-only mode to allow malware execution.

We will start this demonstration by executing each one of the modules that come with this Eternity suite and are present in this folder, ending with the ransomware piece. We will start with the clipper, then Eternity Infostealer, the worm, and finally the ransomware.

When we first open these files, we don't see anything unexpected or evidently malicious. But behind the scenes, each module is executing several tasks, from information gathering and collection, to C2 communication for exfiltration and reporting, and it ends its malicious activities with the typical ransom note after a couple of minutes.

Let's go to our venue console to see what's happening. Through our root cause analysis capability, we can see all the steps taken by these modules. Let's take the clipper one as an example. We can see all the different steps taken by this module. How it starts the process from the app data folder, creates a scheduled task for additional persistence, as well as multiple values within the registry, and then establishes command and control connectivity.

If you look at the ransomware piece, we can see how it rewrites all the files present on the system, from our PST (email archive) to all the remaining files present on the system.

CylanceGATEWAY can prevent C2 communications from each one of these modules. If we execute these files again from our audit-only test system, but this time with traffic protection provided by our zero trust network access module, we can see how the malware never reaches its command-and-control. It stops the attacker from deploying any additional modules or instructions. If we go back to our venue console, we can see all the different attempts being blocked by CylanceGATEWAY.

In a real-world scenario, we would prefer to stop these attempts before any harm can be done. We can take a preventive approach with CylancePROTECT.

Here we have a machine with CylancePROTECT, with the protection policy enabled. Let's execute the same set of modules from Eternity, but this time we will have our preventative policy in place with no internet connectivity. We can see here that CylancePROTECT is able to prevent this malware suite in pre-execution, safeguarding both our system and our data.

Prevention is Possible, with BlackBerry.
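The root cause analysis in the video walks through one behaviour chain for the clipper module: a process launched from the AppData folder, a scheduled task created for persistence, values written to the registry, and then a command-and-control connection. As an added example, not BlackBerry's code and not the CylanceOPTICS data model, the Python below folds a flat list of endpoint telemetry events into a per-process profile and flags processes whose behaviour matches that chain. The event schema, field names, and the sample events themselves are constructed for this illustration; a detection engineer would map the same logic onto whatever process, registry, and network events their EDR actually emits.

```python
"""Flag process profiles matching the demo's clipper chain:
launch from a user-writable AppData path, scheduled-task creation,
Run-key registry writes, and an outbound connection.

Added example. The flat event schema (pid/type/image/cmdline/key/dst_ip)
is a constructed stand-in for EDR telemetry, not a real product schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Drop locations a standard user can write to (case-insensitive substrings).
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")
# Autostart registry keys the chain writes to.
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")


@dataclass
class ProcessProfile:
    """Everything we have observed about one process id."""
    image: str = ""
    from_user_dir: bool = False
    scheduled_task: bool = False
    run_key_writes: int = 0
    outbound: set = field(default_factory=set)


def _under_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_DIRS)


def build_profiles(events):
    """Fold a flat event list into one ProcessProfile per pid."""
    profiles = defaultdict(ProcessProfile)
    for ev in events:
        prof = profiles[ev["pid"]]
        kind = ev["type"]
        if kind == "process_start":
            prof.image = ev["image"]
            prof.from_user_dir = _under_user_writable_dir(ev["image"])
        elif kind == "child_process":
            # Persistence via the task scheduler shows up as a schtasks child.
            if ev["image"].lower().endswith("schtasks.exe") and "/create" in ev["cmdline"].lower():
                prof.scheduled_task = True
        elif kind == "registry_set":
            if any(m in ev["key"].lower() for m in RUN_KEY_MARKERS):
                prof.run_key_writes += 1
        elif kind == "network_connect":
            prof.outbound.add((ev["dst_ip"], ev["dst_port"]))
    return profiles


def score(prof: ProcessProfile) -> int:
    """Weighted score: the drop location alone is weak evidence, the
    combination of persistence plus beaconing is what matters."""
    total = 0
    if prof.from_user_dir:
        total += 1
    if prof.scheduled_task:
        total += 2
    if prof.run_key_writes:
        total += 2
    if prof.outbound:
        total += 1
    return total


def find_suspicious(events, threshold: int = 4):
    """Return the sorted pids whose profile scores at or above threshold."""
    profiles = build_profiles(events)
    return sorted(pid for pid, prof in profiles.items() if score(prof) >= threshold)


# Constructed sample telemetry (not captured data). Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # pid 4120: the chain the narrator describes for the clipper.
    {"pid": 4120, "type": "process_start",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost32.exe"},
    {"pid": 4120, "type": "child_process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr %APPDATA%\\svchost32.exe"},
    {"pid": 4120, "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater"},
    {"pid": 4120, "type": "network_connect", "dst_ip": "203.0.113.7", "dst_port": 443},
    # pid 5008: an installer from Program Files that registers one autostart entry.
    {"pid": 5008, "type": "process_start", "image": "C:\\Program Files\\Vendor\\setup.exe"},
    {"pid": 5008, "type": "registry_set",
     "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "VendorAgent"},
    # pid 6100: an updater living in AppData\Local that only phones home.
    {"pid": 6100, "type": "process_start",
     "image": "C:\\Users\\alice\\AppData\\Local\\Chat\\Update.exe"},
    {"pid": 6100, "type": "network_connect", "dst_ip": "198.51.100.20", "dst_port": 443},
]

if __name__ == "__main__":
    for pid in find_suspicious(SAMPLE_EVENTS):
        prof = build_profiles(SAMPLE_EVENTS)[pid]
        print(f"pid {pid} ({prof.image}) score={score(prof)} outbound={sorted(prof.outbound)}")
```

Only pid 4120 crosses the threshold: the Program Files installer that writes a single Run value and the AppData updater that only beacons both score too low on their own, which is the point of weighting the combination rather than any single indicator. The same profile also records where the process connected, which is the fact the video's CylanceGATEWAY step acts on when it blocks the C2 destination.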

David Steinberg-Zwirek

About David Steinberg-Zwirek

David Steinberg-Zwirek is an Editorial Intern at BlackBerry.


Hector Diaz

About Hector Diaz

Senior Technical Marketing Manager at BlackBerry

Hector Diaz is a Senior Technical Marketing Manager for Latin America and the Caribbean at BlackBerry. Hector works with Engineering and Product Management to translate technology concepts into digestible pieces, evangelizing and educating people about Artificial Intelligence (AI) applied to cybersecurity.

With over 15 years of experience in cybersecurity, Hector is a respected professional who is in-demand at trade shows, partner training and customer engagements across Latin America and the Caribbean Region.