ESET Israel Partner HACKED to Deploy Data Wipers in Phishing Attacks

Hackers breached ESET Israel's partner, Comsecure, using legitimate servers to send phishing emails with data wipers disguised as antivirus software to Israeli ...

19-Oct-2024
5 min read

Hackers have breached Comsecure, ESET's exclusive partner in Israel, to conduct a sophisticated phishing campaign targeting Israeli businesses.

The attackers utilized legitimate ESET infrastructure to distribute data wiper malware disguised as antivirus software, aiming for destructive attacks on Israeli organizations.

What Happened?

Compromise of ESET Israel's Partner

On October 8th, a phishing campaign was launched where emails branded with ESET's logo were sent from the legitimate domain eset.co.il.

This indicates that the email servers of ESET's Israeli distributor, Comsecure, were compromised.

Phishing Emails Sent from Legitimate Servers

The phishing emails appeared authentic as they passed SPF, DKIM, and DMARC authentication checks. This means that the emails originated from verified ESET servers, making them highly convincing to recipients and difficult for security systems to detect.

Phishing Campaign Details

Disguised as ESET's Advanced Threat Defense Team

The emails pretended to be from "ESET's Advanced Threat Defense Team," warning recipients about state-backed attackers targeting their devices. The message leveraged fear of sophisticated threats to prompt immediate action.

Introduction of "ESET Unleashed"

To counter the alleged threat, the email offered a download link to "ESET Unleashed," purportedly a more advanced antivirus tool. The download link was hosted on the legitimate eset.co.il domain, adding further credibility.

Malicious Payload

Contents of the Downloaded ZIP File

The ZIP archive contained:

  • Four legitimate ESET DLL files digitally signed by ESET's code-signing certificate.

  • An unsigned Setup.exe file, which was the malicious data wiper.

Advanced Evasion Techniques

The data wiper employed several evasion tactics:

  • Anti-Virtualization: The malware detected virtual environments, making it difficult for researchers to analyze it in virtual machines.

  • Mutex Usage: It used a mutex associated with the Yanluowang ransomware group, potentially to confuse attribution efforts.

Connection to Legitimate Israeli Websites

Upon execution, the malware reached out to www.oref.org.il, a legitimate Israeli news site. This could be a tactic to blend in with normal traffic or verify internet connectivity.

Impact on Israeli Organizations

Targeting Cybersecurity Professionals

Initial reports indicate that the phishing emails were sent to cybersecurity personnel within Israeli organizations. Compromising these individuals could allow attackers deeper access into secure systems.

Irreversible Data Destruction

The malware is a data wiper designed to irreversibly delete files and corrupt partition tables, making data recovery extremely difficult, if not impossible.

Lack of Immediate Disclosure

Despite the severity of the breach, there was a notable delay in public disclosure from ESET and Comsecure. This lack of transparency may have hindered affected organizations from taking prompt defensive actions.

Attribution and Political Motivations

Embedded Threats and Dates

Analysis by cybersecurity experts revealed embedded messages within the malware:

"Hey ESET, wait for the leak... Doing business with the occupiers puts you in scope!"

An embedded date was also found, possibly correlating with significant events or other attacks.

Links to Iranian Threat Actors

There are indications that the attack may be linked to Iranian groups such as Handala and CyberToufan, known for:

  • Using data wipers in attacks against Israel.

  • Embedding political messages in their malware.

  • Aiming to sow chaos and disrupt Israel's economy rather than financial gain.

Technical Details

File Hashes of Malicious Files

ZIP Archive: 2d55c68aa7781db7f2324427508947f057a6baca78073fee9a5ad254147c8232

Setup.exe: 2abff990d33d99a0732ddbb3a39831c2c292f36955381d45cd8d40a816d9b47a

YARA Rule for Detection

A YARA rule has been shared by Kevin Beaumont to aid in detecting the malware:

    rule ESETIsraelWiper
    {
        strings:
            $a = "Hey ESET, wait for the leak.. Doing business with the occupiers puts you in scope!"
        condition:
            $a
    }

ESET's Response

ESET has added an antivirus signature Win32/Agent.AGFH to detect related malicious activity.

Recommendations for Organizations

Immediate Actions

  • Update Antivirus Definitions: Ensure that all antivirus software is updated to detect the latest threats.

  • Educate Staff: Inform employees about the phishing campaign, emphasizing caution with unexpected emails, even from legitimate sources.

  • Monitor Network Traffic: Watch for unusual outbound connections, especially to known legitimate websites from unexpected applications.
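The network-monitoring recommendation above, and the wiper's connectivity check against www.oref.org.il described earlier, can be turned into a simple hunting rule. The following is an added example, not code from the article or from ESET: it joins constructed endpoint telemetry records (the field names and sample paths are assumed) and alerts when a non-browser process contacts a watchlisted legitimate site, rating unsigned binaries launched from user-writable folders as high severity.

```python
# Constructed endpoint telemetry (not real logs; record layout and paths are assumed):
# process-start records carry the image path and code-signing status,
# network records carry the destination host the process connected to.
EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "signed": True},
    {"type": "process", "pid": 5288, "image": r"C:\Users\dana\Downloads\ESET Unleashed\Setup.exe", "signed": False},
    {"type": "network", "pid": 4120, "dest": "www.oref.org.il"},
    {"type": "network", "pid": 5288, "dest": "www.oref.org.il"},
    {"type": "network", "pid": 5288, "dest": "update.example.net"},
]

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
# Legitimate public sites that malware in this campaign contacted as a
# connectivity or blend-in check; extend the set from your own telemetry.
WATCHLIST = {"www.oref.org.il"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")


def find_unexpected_egress(events):
    """Return alerts for non-browser processes that reached a watchlisted site."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] != "network" or e["dest"].lower() not in WATCHLIST:
            continue
        proc = procs.get(e["pid"])
        if proc is None:
            alerts.append({"pid": e["pid"], "dest": e["dest"], "severity": "medium",
                           "reason": "no process record for connecting pid"})
            continue
        name = proc["image"].rsplit("\\", 1)[-1].lower()
        if name in BROWSERS:
            continue  # a browser visiting a public website is expected traffic
        from_user_dir = any(marker in proc["image"].lower() for marker in USER_WRITABLE)
        severity = "high" if (not proc["signed"] and from_user_dir) else "medium"
        alerts.append({"pid": e["pid"], "image": proc["image"], "dest": e["dest"],
                       "severity": severity,
                       "reason": "non-browser process contacted watchlisted site"})
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_egress(EVENTS):
        print(alert)
```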

Long-Term Strategies

  • Strengthen Email Security: Implement advanced email security solutions that can detect anomalies beyond standard SPF, DKIM, and DMARC checks.

  • Regular Security Audits: Conduct frequent audits of partner and supplier security measures to prevent supply chain attacks.

  • Incident Response Planning: Develop and regularly update incident response plans to handle breaches promptly and effectively.
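Because the campaign's emails passed SPF, DKIM and DMARC (see "Phishing Emails Sent from Legitimate Servers" above), the "beyond standard checks" recommendation means inspecting content even when authentication succeeds. The following is an added example, not code from the article or from any vendor: it parses a constructed .eml modelled on the lure (the Authentication-Results header, addresses and download path are assumed placeholders), records the authentication outcome, and flags an archive download link hosted on the authenticated sender's own domain together with fear-based wording.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real capture), modelled on the campaign:
# authenticated sender domain, fear-based lure, archive download on that domain.
SAMPLE_EML = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=eset.co.il; dkim=pass header.d=eset.co.il; dmarc=pass header.from=eset.co.il
From: "ESET Advanced Threat Defense Team" <alerts@eset.co.il>
To: soc@victim.example
Subject: Urgent: state-backed attackers are targeting your devices
Content-Type: text/plain; charset="utf-8"

We detected state-backed attackers targeting your device.
Download ESET Unleashed immediately: https://eset.co.il/download/PLACEHOLDER.zip
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
LURE_TERMS = ("state-backed", "targeting your device", "immediately", "urgent")


def same_domain(host, domain):
    strip = lambda h: (h or "").lower().removeprefix("www.")
    return bool(host) and strip(host) == strip(domain)


def triage(raw: bytes) -> dict:
    """Score a message: authentication passing does not clear its content."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    findings = []
    archive_links = [u for u in URL_RE.findall(text)
                     if (urlparse(u).path or "").lower().endswith(ARCHIVE_EXT)]
    if archive_links:
        findings.append("archive_link")
        if any(same_domain(urlparse(u).hostname, sender_domain) for u in archive_links):
            findings.append("archive_on_sender_domain")  # trusted domain used for delivery
    if sum(term in text.lower() for term in LURE_TERMS) >= 2:
        findings.append("lure_language")
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    verdict = "quarantine" if len(findings) >= 2 else "deliver"
    return {"auth": auth, "authenticated": authenticated,
            "findings": findings, "verdict": verdict}
```

The verdict is deliberately independent of the authentication result, so a message from a compromised but fully authenticated partner domain is still held for review.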

Conclusion

The breach of ESET's Israeli partner, Comsecure, underscores how threat actors exploit trusted infrastructure and sophisticated evasion techniques to deliver destructive payloads with devastating effects.

Organizations must remain vigilant, prioritize transparency, and foster collaboration within the cybersecurity community to combat such threats.


FAQs

What is a data wiper?

  • A data wiper is malware designed to irreversibly delete files on a computer and often corrupts the partition table, making data recovery extremely difficult.

How did the phishing emails bypass security systems?

  • The emails were sent from legitimate ESET servers and passed SPF, DKIM, and DMARC authentication checks, making them appear authentic to both recipients and email security systems.

Who is believed to be behind the attack?

  • While not definitively attributed, evidence suggests possible involvement of Iranian-linked threat actors like Handala and CyberToufan, known for politically motivated attacks against Israel.

What should I do if I receive such an email?

  • Do not download or execute any files from the email. Contact your IT security team immediately and report the incident.

Has ESET released an official statement?

  • Yes, ESET has acknowledged the incident and released antivirus signatures to detect the malware. However, there was a delay in public disclosure, which has raised concerns.