The researchers first discovered a Tor website providing details about a toolkit containing different types of malware. The toolkit is known as Eternity Project and is associated with a Telegram channel, where the project’s developers sell annual subscriptions to six different kinds of malware. The toolkit includes the following malware:
- Eternity Stealer: steals passwords, cookies, credit cards, and crypto-wallets
- Eternity Miner: quietly mines cryptocurrency while staying hidden
- Eternity Clipper: replaces cryptocurrency wallet addresses in the clipboard with the threat actors’ wallet addresses in order to redirect funds
- Eternity Ransomware: encrypts all files until a ransom is paid or a timer runs out
- Eternity Worm: a virus that spreads by way of USB drives, files, networks, and Discord and Telegram messages
- Eternity DDoS Bot: still under development, but will presumably infect systems to form a botnet suitable for carrying out distributed denial-of-service (DDoS) attacks
Individuals who purchase access to one or more of the malware types in the Eternity Project toolkit gain access to a Telegram bot that helps buyers create a malware build that suits their preferences. Buyers can select the type of malware, then select from a number of options and input any required files or information. The screenshot above shows the build process for Eternity Stealer. The Telegram bot asks the user to upload an executable file so the malware can mimic a legitimate program. Once the user inputs all the requested information, the Telegram bot generates a custom-tailored build of the selected malware.
Somewhat humorously, the developers of Eternity Project claim that their main servers are located in Ukraine and have posted threats, warning buyers not to distribute the malware in Ukraine. Developers helping to unleash a full suite of malware on the world are most likely fooling themselves if they think they can keep said malware out of a country actively engaged in cyberwarfare.