A one-stop shop for data and crypto kleptomaniacs

'Eternity malware' offers Swiss Army knife of cybercrime tools

UPDATED Malware that steals passwords, cookies, and payment card data from web browsers is being sold via a Telegram channel and a Tor website, security researchers have discovered.

Collectively named the ‘Eternity Project’ by its architects, the suite of malware already includes stealers, clippers, worms, miners, and ransomware, with a Distributed Denial of Service (DDoS) bot apparently under development.

A Telegram channel provides information about forthcoming software updates and videos documenting the malware’s functionality to hundreds of subscribers.

Catch up on the latest malware news and attacks

“Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary,” according to a blog post by Cyble Research Labs.

“The TAs [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies.”

The malware offers sophisticated features, with enhancements in the pipeline, and has been widely deployed around the world, according to Dhanalakshmi PK, Cyble’s senior director for malware and intelligence research.

We suspect that this malware delivered as cracked or [a] new version of free software,” she told The Daily Swig.

“Also, at the time of analysis the Telegram channel has 500 subscribers. This indicates that there might be [a] [large] impact... by other actors or affiliates.”


A Stealer module, which costs $260 for an annual subscription, also exfiltrates AutoFill data, tokens, history, and bookmarks from Chrome, Chromium, Firefox, Edge, Opera, and more than 20 other browsers.

Other data extracted from infected machine to the threat actor’s Telegram bot are various system credentials, and cryptocurrency via a wide range of crypto-wallets and browser cryptocurrency extensions.

Eternity Stealer also “snips credentials from configuration files of VPN clients along [with] password manager tools listed, but [the] malware does not have any keylogging capabilities”, according to Dhanalakshmi PK.

Eternity ransomware, meanwhile, can encrypt documents, photos, and databases on disks, local shares, and USB drives on compromised machines.

The ransomware facility – the most expensive option at $490 – offers offline encryption, an encryption algorithm combining AES and RSA, and the option to set a time limit after which files cannot be decrypted.

The Eternity worm, priced at $390, propagates through infected machines via local files and local network shares; Google Drive, OneDrive, and DropBox; and Discord, Telegram, and Python Interpreter.

For $110, budding cybercrooks can harness clipper malware that supports multiple address formats for BTC, LTC, ZEC, and BCH, while a $90-a-year cryptocurrency mining module offers silent Monero mining and automatic restarts.

Cybercrime increase

Researchers suspect the developer behind the Eternity Project is repurposing code in the ‘DynamicStealer’ GitHub repository, and have identified possible links with the threat actor behind the Jester Stealer malware Cyble documented in February.

Cyble Research Labs said it had recently “observed a significant increase in cybercrime through Telegram channels and cybercrime forums”.

Individuals and organizations are advised to protect themselves by installing reputable security software, enabling automatic software updates if practicable, regularly backing up data and keeping backups offline or on a separate network, and refraining from opening untrusted links and email attachments without verifying their authenticity.

This article was updated on May 18 with additional comment and details from Cyble.

YOU MIGHT ALSO LIKE Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit