Eternity, also known as the “EternityTeam” or “Eternity Project,” has been active since January 2022 and is tied to the Jester Group. It gained infamy for using the as-a-service subscription model to distribute its own brand of malware modules via underground forums. These modules typically include a stealer, a miner, a botnet, a ransomware, a worm-and-dropper combination, and a distributed denial-of-service (DDoS) bot.
ThreatLabz recently disclosed indicators of compromise (IoCs) for one of Eternity’s offerings, LilithBot, comprising four IP addresses corresponding to the group’s command-and-control (C&C) servers—77[.]73[.]133[.]12, 45[.]9[.]148[.]203, 91[.]243[.]59[.]210, and 195[.]2[.]71[.]214.
Eternity typically keeps its activities on the down low—in the Dark Web. Still, we sought to find out if LilithBot and Eternity also engaged in dealings on the Surface Web. We did that by looking for possible signs of their presence in the DNS and found:
- 127 domains that shared the IoCs’ IP hosts, 13% of which are dubbed “malicious” by various malware engines
- 40 additional domains containing the strings “eternity + malware,” “eternity + channel,” “eternity + team,” “eternity + project,” and “lilithbot”
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Eternity Facts
Throughout Eternity’s operation, it has become a well-known malware-as-a-service (MaaS) provider that communicates with buyers notably via Telegram. Its offerings range between US$70–90, which customers pay via a cryptocurrency of their choice—Bitcoin, Ethereum, Monero, or Dash.
Are Eternity’s Dealings Limited to the Dark Web?
In an effort to find out if the threat that Eternity and LilithBot pose is limited to the Dark Web, we conducted an IoC expansion analysis using various WHOIS, IP, DNS, and OSINT sources.
Using the IP addresses identified as IoCs as reverse IP lookup search terms allowed us to uncover 127 domains that shared them as hosts. A bulk malware lookup for these showed that 17 have been dubbed “malware hosts” by various malware engines. These malicious domains include:
- coregonid[.]xyz
- decostate[.]xyz
- epicenism[.]xyz
- perilless[.]xyz
- reconceal[.]xyz
- spadebone[.]xyz
Apart from using the same top-level domain (TLD) extension—.xyz, a bulk WHOIS lookup for the malicious domains showed similarities in current registrar (i.e., NameSilo, LLC). Their historical WHOIS records, meanwhile, also yielded interesting breadcrumbs, as 15 of them were about the same age (i.e., 412–416 days old). Only two were several years old—epicenism[.]xyz (i.e., 2,316 days old) and theftbote[.]xyz (i.e., 1,170 days old).
In an effort to find other possibly connected artifacts, we used the strings “eternity + malware,” “eternity + channel,” “eternity + team,” “eternity + project,” and “lilithbot” as Domains & Subdomains Discovery search terms. That led to the discovery of 40 domains. None of them are currently classified as malicious, but they could arguably be of interest to the threat actor or copycats, as they feature the publicly known strings the threat actor group uses. Some were also live, and one—eternityprojectblog[.]com—is currently undergoing development. We didn’t see definitive signs of its connection to the threat.
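The pivot described above (reverse IP lookup on the C&C addresses, a malware verdict filter, a WHOIS comparison of registrar, TLD and registration age, and a string sweep) can be scripted once the raw lookups are in hand. The following is an added example and not code from the original post or from WhoisXML API; the four IPs, the domain names and the NameSilo, LLC registrar come from the post, while the IP-to-domain associations, creation dates, engine counts, reference date and function names are constructed for the illustration.

```python
"""IoC expansion for LilithBot: pivot from the C&C IPs to co-hosted domains, keep
those malware engines flag, cluster them by WHOIS attributes (registrar, TLD,
registration age) and sweep the domain set for the actor's public strings.

Added example, not the original post's or WhoisXML API's code. IPs, domain names
and registrar come from the post; IP-to-domain associations, creation dates,
engine counts and function names are CONSTRUCTED for this illustration.
"""
from collections import Counter, defaultdict
from datetime import date

AS_OF = date(2022, 11, 15)  # constructed reference date for age calculations

# Indicators as published (defanged); refang only when querying a live source.
IOC_IPS = {"77[.]73[.]133[.]12", "45[.]9[.]148[.]203",
           "91[.]243[.]59[.]210", "195[.]2[.]71[.]214"}

# Constructed passive-DNS records: (domain, IP it resolved to).
PASSIVE_DNS = [
    ("coregonid[.]xyz", "77[.]73[.]133[.]12"),
    ("decostate[.]xyz", "77[.]73[.]133[.]12"),
    ("epicenism[.]xyz", "45[.]9[.]148[.]203"),
    ("perilless[.]xyz", "45[.]9[.]148[.]203"),
    ("reconceal[.]xyz", "91[.]243[.]59[.]210"),
    ("spadebone[.]xyz", "195[.]2[.]71[.]214"),
    ("theftbote[.]xyz", "195[.]2[.]71[.]214"),
    ("harmless-shop[.]com", "195[.]2[.]71[.]214"),       # co-hosted, clean
    ("eternityprojectblog[.]com", "203[.]0[.]113[.]7"),  # string hit, not co-hosted
    ("example[.]org", "198[.]51[.]100[.]9"),
]

# Constructed WHOIS snapshot: domain -> (registrar, creation date).
WHOIS = {
    "coregonid[.]xyz": ("NameSilo, LLC", date(2021, 9, 27)),
    "decostate[.]xyz": ("NameSilo, LLC", date(2021, 9, 25)),
    "epicenism[.]xyz": ("NameSilo, LLC", date(2016, 7, 13)),
    "perilless[.]xyz": ("NameSilo, LLC", date(2021, 9, 29)),
    "reconceal[.]xyz": ("NameSilo, LLC", date(2021, 9, 26)),
    "spadebone[.]xyz": ("NameSilo, LLC", date(2021, 9, 28)),
    "theftbote[.]xyz": ("NameSilo, LLC", date(2019, 9, 2)),
    "harmless-shop[.]com": ("Other Registrar (constructed)", date(2015, 3, 3)),
}

# Constructed verdicts: domain -> number of malware engines flagging it.
ENGINE_HITS = {"coregonid[.]xyz": 4, "decostate[.]xyz": 2, "epicenism[.]xyz": 6,
               "perilless[.]xyz": 1, "reconceal[.]xyz": 3, "spadebone[.]xyz": 5,
               "theftbote[.]xyz": 2, "harmless-shop[.]com": 0,
               "eternityprojectblog[.]com": 0, "example[.]org": 0}

# Search terms from the post; "eternity + malware" means both terms must appear.
WATCH_TERMS = (("eternity", "malware"), ("eternity", "channel"), ("eternity", "team"),
               ("eternity", "project"), ("lilithbot",))


def reverse_ip_pivot(records, ioc_ips):
    """Reverse-IP step: map each C&C IP to the domains that resolved to it."""
    hosted = defaultdict(set)
    for domain, ip in records:
        if ip in ioc_ips:
            hosted[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in hosted.items()}


def flagged_domains(domains, verdicts, min_engines=1):
    """Bulk malware-check step: keep domains at least `min_engines` engines flag."""
    return sorted(d for d in domains if verdicts.get(d, 0) >= min_engines)


def registration_age_days(domain, whois, as_of=AS_OF):
    """Age of the domain according to its WHOIS creation date."""
    return (as_of - whois[domain][1]).days


def cluster_by_whois(domains, whois, as_of=AS_OF):
    """Bulk WHOIS step: count shared registrars, TLDs and 10-day age bands."""
    registrars = Counter(whois[d][0] for d in domains)
    tlds = Counter(d.rsplit("[.]", 1)[-1] for d in domains)
    age_bands = Counter(registration_age_days(d, whois, as_of) // 10 * 10 for d in domains)
    return {"registrars": registrars, "tlds": tlds, "age_bands": age_bands}


def string_discovery(domains, terms=WATCH_TERMS):
    """Discovery step: a domain label that carries every term of some tuple is a hit."""
    hits = []
    for d in domains:
        label = "".join(ch for ch in d.rsplit("[.]", 1)[0].lower() if ch.isalnum())
        if any(all(t in label for t in group) for group in terms):
            hits.append(d)
    return sorted(hits)


def expand(records=PASSIVE_DNS, ioc_ips=IOC_IPS, whois=WHOIS, verdicts=ENGINE_HITS):
    """Run the whole pivot and return a report a defender can act on."""
    by_ip = reverse_ip_pivot(records, ioc_ips)
    cohosted = sorted({d for ds in by_ip.values() for d in ds})
    malicious = flagged_domains(cohosted, verdicts)
    return {"cohosted": cohosted, "malicious": malicious,
            "clusters": cluster_by_whois(malicious, whois),
            "string_hits": string_discovery([d for d, _ in records])}


if __name__ == "__main__":
    report = expand()
    print(f"{len(report['cohosted'])} co-hosted, {len(report['malicious'])} flagged")
    print({k: dict(v) for k, v in report["clusters"].items()}, report["string_hits"])
```

The age bands are what make the registrar and TLD overlap meaningful: several domains registered within days of each other under one registrar and one TLD, all resolving to the same small set of IPs, is a far stronger clustering signal than any one attribute alone, and the same grouping logic applies whatever passive-DNS or WHOIS source the records come from.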
Our IoC expansion of LilithBot using WHOIS, IP, and DNS research techniques helped identify malicious cyber resources that we wouldn’t have found otherwise. In LilithBot’s case, the security community may want to keep a closer watch on .xyz domains, particularly those that share other similarities with the IoCs, and on pages sporting known strings associated with the threat actors.
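Turning that recommendation into detection logic means scoring DNS queries against the expanded indicator set rather than alerting on every .xyz lookup, which would be far too noisy on its own. The script below is an added example and not code from the original post or from WhoisXML API; the C&C IPs, the .xyz domains and the watch strings come from the post, while the key=value resolver log format, the log lines, client addresses, weights and function names are constructed for the illustration.

```python
"""Triage DNS resolver logs against the expanded LilithBot/Eternity indicators:
flag queries answered by a C&C IP, queries for the co-hosted .xyz domains, and
queries for names carrying the actor's public strings. A bare .xyz lookup only
adds weight; it never alerts by itself.

Added example, not the original post's or WhoisXML API's code. IPs, domains and
watch strings come from the post; the log format, log lines, client addresses,
weights and function names are CONSTRUCTED for this illustration.
"""
import re

# Indicators refanged for matching against live log data.
IOC_IPS = {"77.73.133.12", "45.9.148.203", "91.243.59.210", "195.2.71.214"}
WATCHLIST_DOMAINS = {"coregonid.xyz", "decostate.xyz", "epicenism.xyz",
                     "perilless.xyz", "reconceal.xyz", "spadebone.xyz"}
WATCH_TERMS = (("eternity", "malware"), ("eternity", "channel"), ("eternity", "team"),
               ("eternity", "project"), ("lilithbot",))
ALERT_THRESHOLD = 2  # TLD_XYZ alone scores 1 and therefore stays silent

# Constructed resolver log lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
2022-11-15T10:02:11Z client=10.0.0.21 qname=coregonid.xyz qtype=A answer=77.73.133.12
2022-11-15T10:02:14Z client=10.0.0.21 qname=updates.example.org qtype=A answer=198.51.100.9
2022-11-15T10:03:40Z client=10.0.0.37 qname=cdn.unknown-host.xyz qtype=A answer=45.9.148.203
2022-11-15T10:04:02Z client=10.0.0.37 qname=eternityprojectblog.com qtype=A answer=203.0.113.7
2022-11-15T10:05:55Z client=10.0.0.52 qname=shop.example.com qtype=AAAA answer=2001:db8::1
2022-11-15T10:06:01Z client=10.0.0.52 qname=lilithbot-panel.xyz qtype=A answer=NXDOMAIN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
                     r"qtype=(?P<qtype>\S+) answer=(?P<answer>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def reasons_for(rec):
    """Return (reason, weight) pairs explaining why a query looks suspicious."""
    qname = rec["qname"].lower().rstrip(".")
    reasons = []
    if rec["answer"] in IOC_IPS:
        reasons.append(("RESOLVED_TO_C2_IP", 3))
    if qname in WATCHLIST_DOMAINS or any(qname.endswith("." + d) for d in WATCHLIST_DOMAINS):
        reasons.append(("WATCHLIST_DOMAIN", 3))
    label = re.sub(r"[^a-z0-9]", "", qname.rsplit(".", 1)[0])  # drop TLD and punctuation
    if any(all(t in label for t in group) for group in WATCH_TERMS):
        reasons.append(("ACTOR_STRING", 2))
    if qname.endswith(".xyz"):
        reasons.append(("TLD_XYZ", 1))
    return reasons


def triage(log_text=SAMPLE_LOG, threshold=ALERT_THRESHOLD):
    """Score every line and return alerts at or above the threshold, highest first."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = reasons_for(rec)
        score = sum(w for _, w in reasons)
        if score >= threshold:
            alerts.append({"ts": rec["ts"], "client": rec["client"], "qname": rec["qname"],
                           "score": score, "reasons": [r for r, _ in reasons]})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in triage():
        print(a["score"], a["client"], a["qname"], ",".join(a["reasons"]))
```

In the sample, the benign `.org` and `.com` lookups produce no alert, a previously unseen `.xyz` host that resolves to a C&C IP is caught by the answer rather than by its name, and a name carrying the "lilithbot" string but resolving to NXDOMAIN still surfaces at low priority, which is the kind of early signal the string-based discovery above is meant to provide.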
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.