Malware research
ESET dedicates part of its operations to malware research, as well as to the monitoring of advanced persistent threat groups and other cybercriminal groups, with 40% of the company's employees working in research.[39]
One of the groups that ESET tracked is Sandworm. After the 2015 attack on the Ukrainian power grid and the global NotPetya ransomware attack in 2017 – both attributed to Sandworm – ESET discovered Sandworm (more specifically, a subgroup that ESET tracks as TeleBots) deploying a new backdoor called Exaramel, which is a version of the main Industroyer backdoor. As Industroyer was used in the 2016 blackout in Ukraine,[40] ESET linked Industroyer to NotPetya, as well as to BlackEnergy, which was used in the 2015 blackout.[41]
At the time of the NotPetya outbreak, ESET and Cisco tracked down the point from which the global ransomware attack had started to companies afflicted with a TeleBots backdoor, resulting from the compromise of M.E.Doc, a popular financial software in Ukraine.[42]
In addition, ESET found that multiple threat actors had access to the details of the vulnerabilities even before the release of the patches. Except for DLTMiner, which is linked to a known cryptomining campaign, all of these threat actors are APT groups interested in espionage: Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, ShadowPad activity, The "Opera" Cobalt Strike, IIS backdoors, Mikroceen, DLTMiner,[43] and FamousSparrow.[44]
In the area of IoT research, ESET discovered the KrØØk vulnerability (CVE-2019-15126) in Broadcom and Cypress Wi-Fi chips, which allows WPA2-encrypted traffic to be encrypted with an all zero session key following a Wi-Fi disassociation.[45] Then ESET discovered another KrØØk related vulnerability (CVE-2020-3702) in chips by Qualcomm and MediaTek, as well as in the Microsoft Azure Sphere development kit, with the main difference being that the traffic is not encrypted at all.[46]
Other notable research includes the discovery of LoJax, the first UEFI rootkit found in the wild, which was used in a campaign by the Sednit (aka Fancy Bear) APT group. LoJax is written to a system's SPI flash memory from where it is able to survive an OS reinstall and a hard disk replacement. LoJax can drop and execute malware on disk during the boot process.[47] In 2021, ESET discovered another UEFI malware called ESPecter,[48] which is the second real-world bootkit after FinSpy[49] known to persist on the EFI System Partition in the form of a patched Windows Boot Manager.
In 2021, ESET released the white paper Anatomy of native IIS malware,[50] which analyzed over 80 unique samples of malicious native extensions for Internet Information Services (IIS) web server software used in the wild and categorized these into 14 malware families — 10 of which were previously undocumented.
Among these families, IIS malware demonstrated five main modes of operation:
ESET also works alongside experts from competitors and police organizations all over the world to investigate attacks. In 2018, ESET partnered with the European Cybercrime Centre — a specialist Europol team that investigates cybercrime — as a member of its Advisory Group on Internet Security.[51][52] ESET partnered with law enforcement agencies worldwide and Microsoft to target the Dorkbot botnet in 2015[53] and the Gamarue (aka Andromeda) botnet in 2017.[54] Then in 2020, ESET partnered with Microsoft, Lumen's Black Lotus Labs, and NTT Ltd. in an attempt to disrupt Trickbot, another botnet.[55]
- IIS backdoors, which can remotely control compromised computers;
- IIS infostealers, which steal information such as login credentials and payment information;
- IIS injectors, which modify HTTP responses sent to legitimate visitors to serve malicious content;
- IIS proxies, which use the compromised server as unwitting parts of the command and control infrastructure for another malware family; and
- SEO fraud IIS malware, which modifies the content served to search engines.