EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs

One of my Mastodon followers sent me an interesting toot today:

This led me to this forum post:

"Government-Backed Attackers May Be Trying to Compromise Your Device!" email

With this email:

The forum post had been handwaved with a message to contact ESET Israel.

I managed to obtain the email, which passes both DKIM and SPF checks for coming from ESET’s store:

dkim=pass header.i=@eset.co.il header.s=selector2 header.b=QdjLgrQ+
arc=pass (i=1 spf=pass spfdomain=eset.co.il dkim=pass dkdomain=eset.co.il dmarc=pass fromdomain=eset.co.il)
spf=pass (google.com: domain of store@eset.co.il designates 2a01:111:f403:2613::70d as permitted sender) smtp.mailfrom=store@eset.co.il
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=eset.co.il
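
The headers above say a lot about who sent the mail and nothing about whether it is safe. As an added example (not from the original post), here is a small parser for Authentication-Results lines of the form shown above, plus a DMARC-style alignment check that reports which domain actually authenticated; on these exact lines it correctly returns eset.co.il, the real sender, which is the whole problem.

```python
import re

# The four Authentication-Results lines quoted in the post, used here as
# the sample input (assumed to be one header folded across four lines).
AUTH_RESULTS = """\
dkim=pass header.i=@eset.co.il header.s=selector2 header.b=QdjLgrQ+
arc=pass (i=1 spf=pass spfdomain=eset.co.il dkim=pass dkdomain=eset.co.il dmarc=pass fromdomain=eset.co.il)
spf=pass (google.com: domain of store@eset.co.il designates 2a01:111:f403:2613::70d as permitted sender) smtp.mailfrom=store@eset.co.il
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=eset.co.il
"""

def parse_auth_results(text):
    """Return {method: {"result": verdict, <property>: <value>, ...}} per line."""
    results = {}
    for line in text.splitlines():
        head = re.match(r"(\w+)=(\w+)", line)
        if not head:
            continue
        method, verdict = head.group(1), head.group(2)
        # Drop parenthesised comments (they are free text, not properties),
        # then collect the remaining key=value pairs after the verdict.
        stripped = re.sub(r"\([^)]*\)", "", line)
        props = dict(re.findall(r"([\w.]+)=(\S+)", stripped)[1:])
        results[method] = {"result": verdict, **props}
    return results

def org_domain(addr):
    """Crude domain extraction: drop the local part and any leading '@'."""
    return addr.split("@")[-1].lower()

def authenticated_sender(results):
    """Return the From domain only if a passing DKIM or SPF identity aligns with it.

    Passing checks prove the domain that sent the mail; they say nothing
    about whether that domain's sending infrastructure was abused.
    """
    from_dom = org_domain(results.get("dmarc", {}).get("header.from", ""))
    dkim, spf = results.get("dkim", {}), results.get("spf", {})
    dkim_ok = dkim.get("result") == "pass" and org_domain(dkim.get("header.i", "")) == from_dom
    spf_ok = spf.get("result") == "pass" and org_domain(spf.get("smtp.mailfrom", "")) == from_dom
    return from_dom if from_dom and (dkim_ok or spf_ok) else None
```

The useful output for triage is the returned domain itself: a pass here means "genuinely from eset.co.il's mail path", so the next question is how that path was used, not whether the headers were forged.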

Additionally, the link is indeed to backend.store.eset.co.il — owned by ESET Israel.

By the time I had seen this, the download was offline. It is unclear why the download is offline, and ESET had not told people what happened.

I was able to obtain the download from when the emails were first sent: Tue, 8 Oct 2024 03:54:00 -0700 (PDT)

The email is styled as ESET Advanced Threat Defense Team — a legit org within ESET — and the downloads styled as ESET Unleashed — a branding ESET use.

The download is a ZIP file, containing various ESET DLLs — and a file called setup.exe.

setup.exe is malicious. It uses a host of obvious techniques to try to evade detection. I could only get it to detonate properly on a physical PC. It does various obviously malicious things, e.g. it uses a mutex from the Yanluowang extortion/ransomware group.

It calls out — for whatever reason — to www.oref.org.il — a legit org in Israel:

This article has been indexed from DoublePulsar – Medium
