
Annoying but necessary: How to decrease the burden of authentication requirements

Authentication mechanisms are a vital aspect of cybersecurity deserving adequate protection, but increasing complexity makes them an easier target.

Since American computer scientist Fernando José Corbató created the first password-based authentication in the 1960s, passwords have been an integral part of IT security all over the world. But while the principle of using a string of characters unknown to others remains the same, the world of computing has become exponentially more complex: an average person now has 168 passwords, 87 of which are business-related.

This causes headaches not only for average users but also for IT admins who handle the secure authentication needs of hundreds if not thousands of employees within their companies who work with a number of applications and devices.

As a global leader in cybersecurity, ESET knows that businesses not only need reliable defenses against malware but also easy-to-use platforms helping them manage daily tasks including secure authentication.

To ease the authentication burden on IT admins, ESET has introduced ESET Secure Authentication, a cloud-based solution running on a single dashboard, that provides multifactor authentication for multiple applications.

Beloved targets

Credentials are among cybercriminals’ most beloved attack vectors. According to the Verizon 2024 Data Breach Investigations Report, 77% of Basic Web Application Attacks involved stolen credentials, 21% of them were the result of brute force (usually easily guessable passwords), and 13% of those attacks exploited vulnerabilities.

The authors of this report also highlighted the fact that over the past 10 years, stolen credentials have appeared in almost one-third (31%) of all analyzed breaches, making credentials a core component of compromising organizations.

Globally, over 80% of respondents experienced a cyber breach due to authentication vulnerabilities in 2023, and consequences could be detrimental.

In 2023, the FBI received 7,333 complaints about personal data breaches involving a leak or the abuse of personal data. The cumulative loss of these breaches reached over $109,000,000.

There is no surprise that the importance of password security is widely recognized and can be seen, for example, among polled small and medium-sized businesses (SMEs) in the U.S., U.K., and France in JumpCloud’s 2023 Flexibility and Ingenuity Survey. The survey shows that 64% of SMEs use an organization-wide password management tool or software, and 10% plan to implement one this year. For those who don’t use password management, cost is the biggest factor.

When a security practice becomes an attack vector

But there’s also another aspect to password security. Having a robust cybersecurity solution including multi-factor authentication (MFA) is great, but at the same time, it creates new challenges for both users and IT admins.

The problem among users is that they can become so irritated by repeating MFA authentication requests that they lose their vigilance. And there are already cases of MFA fatigue attacks proving that.

At the beginning of an MFA fatigue attack or an MFA bombing, attackers need to obtain targets’ credentials via phishing, brute force, password spraying, etc. Once the targets’ credentials are stolen, attackers start to bombard them with 2FA push notifications in the hope that they will click on “accept,” and thus authorize the attackers’ login attempts, at least once.

On the other hand, IT admins, already struggling with portal and alert fatigue, have gained new responsibilities related to MFA system administration, such as update or alert management.

That is why, for example, the Canadian Centre for Cyber Security advises balancing overall user experience and security protection to maximize security and minimize disruptions.

Here are some other pieces of advice on improving user experience and reducing the burden on IT resources:

  • Run both an awareness campaign and training to educate users.
  • Allow users the flexibility to use different types of factors, where possible, such as security keys, biometrics, or PIN.
  • Give users the possibility to provide feedback on their MFA experience.
  • Implement MFA with a single sign-on (SSO) application to automatically log authorized users in to their connected accounts.
  • Provide users with a backup MFA factor and set up an easy way to reset them on their own in case their primary factor is lost, unavailable, or compromised.
  • Monitor MFA events and check authentication reports to detect anomalous login activities.
  • Allow users the ability to disassociate a lost or stolen device/security key from their account.
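The advice to monitor MFA events, applied to the MFA fatigue pattern described above, can be expressed as a detection rule: a burst of denied or unanswered push requests for one account, escalated when an approval follows the burst. The following Python is an added example, not ESET's code or part of the original article; the log layout, result names, window, and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<UTC timestamp> <user> <source IP> <result>".
# The layout and the result names are assumptions, not a vendor log format.
SAMPLE_LOG = """\
2024-08-01T08:59:40Z bob 198.51.100.20 push_approved
2024-08-01T02:14:05Z alice 203.0.113.7 push_denied
2024-08-01T02:14:50Z alice 203.0.113.7 push_timeout
2024-08-01T02:15:30Z alice 203.0.113.7 push_denied
2024-08-01T02:16:10Z alice 203.0.113.7 push_timeout
2024-08-01T02:17:02Z alice 203.0.113.7 push_denied
2024-08-01T02:17:45Z alice 203.0.113.7 push_approved
2024-08-01T09:30:00Z carol 198.51.100.31 push_timeout
2024-08-01T09:30:40Z carol 198.51.100.31 push_approved
2024-08-01T11:00:00Z dave 192.0.2.55 push_denied
2024-08-01T11:00:40Z dave 192.0.2.55 push_denied
2024-08-01T11:01:15Z dave 192.0.2.55 push_timeout
2024-08-01T11:02:00Z dave 192.0.2.55 push_denied
2024-08-01T11:02:30Z dave 192.0.2.55 push_denied
this line is malformed and is skipped
"""

FAILED = {"push_denied", "push_timeout"}


def parse_events(text):
    """Parse log lines into (timestamp, user, ip, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of stopping the pipeline
        ts, user, ip, result = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((when, user, ip, result))
    return sorted(events)


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag accounts that receive `threshold` failed pushes within `window`.

    Severity is "high" while the user keeps rejecting the prompts and becomes
    "critical" if an approval follows the burst, because that approval may
    have authorized a login the user did not start.
    """
    recent = defaultdict(deque)  # user -> (timestamp, ip) of recent failed pushes
    open_alert = {}              # user -> alert for the burst still in progress
    alerts = []
    for when, user, ip, result in events:
        queue = recent[user]
        while queue and when - queue[0][0] > window:
            queue.popleft()                      # forget pushes outside the window
        if not queue:
            open_alert.pop(user, None)           # the earlier burst has aged out
        if result in FAILED:
            queue.append((when, ip))
            alert = open_alert.get(user)
            if alert:                            # burst continues: update it
                alert["failed_pushes"] += 1
                alert["source_ips"].add(ip)
            elif len(queue) >= threshold:        # burst just crossed the threshold
                alert = {
                    "user": user,
                    "severity": "high",
                    "first_push": queue[0][0],
                    "failed_pushes": len(queue),
                    "source_ips": {addr for _, addr in queue},
                    "approved_at": None,
                }
                open_alert[user] = alert
                alerts.append(alert)
        elif result == "push_approved":
            alert = open_alert.pop(user, None)
            if alert:                            # approval right after a burst
                alert["severity"] = "critical"
                alert["approved_at"] = when
                alert["source_ips"].add(ip)
            queue.clear()                        # a normal approval resets the count
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(a["severity"], a["user"], a["failed_pushes"], sorted(a["source_ips"]))
```

A "critical" alert is the case to act on first: revoke the session that the approval created and reset the account's password, since the attacker already holds valid credentials.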

An end to hard times

Because users often struggle with distributed authentication split between services and endpoints, IT admins have a hard time maintaining and upgrading such infrastructure. ESET Secure Authentication aims to take those responsibilities from users’ hands:

  • With ESET Secure Authentication, ESET oversees maintenance and upgrading, keeping them scalable, and hunting vulnerabilities.
  • The new dashboard shows admins how many users are protected and unprotected, any failed logins, etc. so they can see gray areas that can be improved.
  • Admins don’t need to create business invitation cards. They just create an installer, grab it, install it on users’ devices, and enroll them.
  • Authentication solutions from other vendors are supported.

Less maintenance, more protection

Secure authentication is a vital aspect of cybersecurity but can also easily get on one’s nerves. Repeated authentication, changing passwords, and doing it on several applications can lead to users’ MFA fatigue and simultaneously drain the IT staff administrating it.

And it’s not only about keeping users and IT admins happy but also securing businesses that can be endangered by MFA fatigue.

With ESET Secure Authentication, businesses can increase automation and reduce maintenance duties for IT admins, thus increasing their resilience against credential-based attacks. 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET Recognized as a Representative Vendor in the 2024 Gartner® Market Guide for Managed Detection and Response

  • ESET has been named a Representative Vendor in the Gartner® Market Guide for Managed Detection and Response report.
  • The 24/7 MDR service offers direct access to ESET’s cybersecurity experts and technology, helping customers to rapidly detect, analyze, investigate, and respond to cyberthreats proactively.

BRATISLAVA, August 2, 2024 – ESET, a global leader in cybersecurity solutions, is proud to announce its recognition as a Representative Vendor in the latest Gartner® Market Guide for Managed Detection and Response report. We believe that this acknowledgment underscores ESET’s commitment to delivering cybersecurity services in the managed detection and response (MDR) landscape.

MDR services are crucial in today’s cybersecurity landscape. According to the Gartner report, “MDR services provide customers with remotely delivered, human-led, turnkey, modern SOC functions, ultimately delivering threat disruption and containment. Security and risk management leaders should use this research to identify MDR services that meet their business-driven risk requirements.”

ESET’s MDR services offer cybersecurity protection, providing access to experts without needing internal staff, enhancing and simplifying security workflows by adding functionalities such as the ESET AI Advisor, which contextualizes detections and helps both novice and mature admins more easily protect their environments. Furthermore, the company’s core AI-powered MDR identifies threats early, ensuring high detection rates and minimal false positives. Operating 24/7/365, the services guarantee continuous monitoring and swift incident response even in hybrid work settings, leading to a competitive response time of as little as 20 minutes. With its offering, ESET helps organizations achieve essential cyber controls for insurability and regulatory compliance, reducing legal risks and penalties.

“With our MDR portfolio, we offer something that answers the needs of businesses of all sizes. The stakes have never been higher, which is recognized by regulators and cyber insurance providers as well. If a business is genuinely committed to strengthening its security posture, tackling threats while staying compliant, ESET MDR is what can give it that competitive edge. We are proud to be recognized as a Representative Vendor in the 2024 Gartner Market Guide,” said Pavol Balaj, Chief Business Officer at ESET.

MDR services should help businesses reduce their time to respond to threats, as well as help detail their current exposure to such threats. The right MDR service is speedier than in-house SOC efforts, and it’s much more comprehensive and flexible than generalist business IT administration; hence, to answer both these challenges collectively, ESET offers its MDR services in two subscription tiers to cater to different business needs. For small and medium-size businesses, ESET PROTECT MDR offers robust security features and expert support, ensuring top-tier protection without unnecessary complexities. For enterprises, ESET PROTECT MDR Ultimate provides enhanced security capabilities, proactive threat detection, and comprehensive response services, ensuring optimal protection and regulatory compliance.

According to the report, you can “use MDR services to obtain 24/7, remotely delivered, human-driven security operations capabilities when there are no existing internal capabilities. MDR services also should be used when the organization needs to accelerate or augment existing security operations capabilities.”

Find more information about ESET’s MDR services here.

Gartner, Market Guide for Managed Detection and Response, By Pete Shoard, Andrew Davies, Mitchell Schneider, Angel Berrios, Craig Lawson, 24 June 2024.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


ESET Research investigates phishing campaigns employing infostealers against businesses in Poland, Romania, and Italy

  • ESET detected nine notable ModiLoader phishing campaigns during May 2024 in Poland, Romania, and Italy.
  • These campaigns targeted small and medium-sized businesses.
  • Seven of the campaigns targeted Poland, where ESET products protected over 21,000 users from these attacks.
  • Attackers deployed three infostealer malware families via ModiLoader: Rescoms, Agent Tesla, and Formbook.
  • Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data. 

BRATISLAVA, July 30, 2024 — ESET researchers investigated nine widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland, Romania, and Italy during May 2024, distributing various malware families. In comparison with the previous year, the attackers targeting the region shifted away from AceCryptor to ModiLoader as their delivery tool of choice and added more malware as well. Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data. In May 2024 alone, ESET products protected over 26,000 users – over 21,000 (80%) of whom were in Poland – against this threat.

“In total we registered nine phishing campaigns, seven of which targeted Poland throughout May,” says Jakub Kaloč, who analyzed the phishing campaigns. “The final payload to be delivered and launched on the compromised machines varied; we’ve detected campaigns delivering the information stealing Formbook; the remote access trojan and information stealer Agent Tesla; and Rescoms RAT, which is remote control and surveillance software that is able to steal sensitive information,” he adds.

In general, all the campaigns followed a similar scenario. The targeted company received an email message with a business offer. As in the phishing campaigns of H2 2023, attackers impersonated existing companies and their employees as the technique of choice to increase their campaign success rate. In this way, even if the potential victim looked for the usual red flags (aside from potential translation mistakes), they just weren’t there, and the email looked as legitimate as it could have.

Emails from all campaigns contained a malicious attachment that the potential victim was incentivized to open, based on the text of the email. The file itself was either an ISO file or archive with the ModiLoader executable. ModiLoader is a Delphi downloader with a simple task – to download and launch malware. In two of the campaigns, ModiLoader samples were configured to download the next-stage malware from a compromised server belonging to a Hungarian company. In the rest of the campaigns, ModiLoader downloaded the next stage from Microsoft’s OneDrive cloud storage.

For more information about the ModiLoader campaigns, read the blogpost “Phishing targeting Polish SMBs continues via ModiLoader” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Chain of compromise of ModiLoader phishing campaigns in Poland during May 2024.



ESET Research: Hamster Kombat game misused by cybercriminals as spyware and infostealer

  • The Hamster Kombat game’s success has attracted malicious actors trying to abuse public interest in the game for monetary gain.
  • ESET researchers discovered Android spyware named Ratel pretending to be Hamster Kombat, distributed via an unofficial Telegram channel.
  • Android users are also targeted by fake app stores claiming to offer the game but delivering unwanted advertisements instead.
  • Windows users can encounter GitHub repositories offering farm bots and auto-clickers that actually contain the infostealer Lumma Stealer cryptors.

BRATISLAVA, KOŠICE, July 23, 2024 — In the past few months, the Telegram clicker game Hamster Kombat has taken the world of cryptocurrency game enthusiasts by storm. As was to be expected, the success of Hamster Kombat has also brought out cybercriminals, who have already started to deploy malware targeting the players of the game. ESET Research has uncovered threats going after both Android and Windows users. Exposing the risks of trying to obtain games and related software from unofficial sources, ESET found several threats in the form of remotely controlled Android malware distributed through an unofficial Hamster Kombat Telegram channel, fake app stores that deliver unwanted advertisements, and GitHub repositories distributing the Lumma Stealer infostealer cryptors for Windows devices while claiming to offer automation tools for the game.

“Even though gameplay, which mostly entails repeatedly tapping the screen of one’s mobile device, might be rather simple, players are after something more: the possibility of earning big once Hamster Kombat’s creators unveil the promised new cryptocoin tied to the game. Unfortunately, we discovered that cybercriminals have also started to capitalize on Hamster Kombat’s popularity,” explains ESET researcher Lukáš Štefanko, who discovered and analyzed the Hamster Kombat threats.

Due to its success, the game has already attracted countless copycats that replicate its name and icon and have similar gameplay. Luckily, all the early examples we found were not malicious but nevertheless aim to make money from in-app advertisements.

ESET has identified and analyzed two types of threats targeting Android users: a malicious app that contains the Android spyware Ratel and fake websites that impersonate app store interfaces claiming to have Hamster Kombat available for download. ESET researchers found a Telegram channel distributing Android spyware, named Ratel, disguised as Hamster Kombat. This malware is capable of stealing notifications and sending SMS messages. The malware operators use this functionality to pay for subscriptions and services with the victim’s funds, without the victim noticing. Upon startup, the app requests notification access permission and asks to be set as the default SMS application. Once these permissions are granted, the malware gets access to all SMS messages and is able to intercept all displayed notifications.

Even though Hamster Kombat is a mobile game, ESET also found malware abusing the game’s name to spread on Windows. Cybercriminals try to entice Windows users with auxiliary tools that claim to make maximizing in-game profits easier for players. ESET research revealed GitHub repositories offering Hamster Kombat farm bots and auto-clickers, which are tools that automate clicks in a game. These repositories actually turned out to be concealing the infamous Lumma Stealer. The GitHub repositories we found either had the malware available directly in the release files or contained links to download it from external file-sharing services. ESET identified three different versions of Lumma Stealers lurking within the repositories.

Lumma Stealer is an infostealer offered as malware-as-a-service, available for purchase on the dark web and on Telegram. First observed in 2022, this malware is commonly distributed via pirated software and spam and targets cryptocurrency wallets, user credentials, two-factor authentication browser extensions, and other sensitive information. Note that Lumma Stealer’s capabilities are not covered in this research since the focus is on the cryptors that deliver this infostealer, not on the infostealer itself.

“Hamster Kombat’s popularity makes it ripe for abuse, which means that it is highly likely that the game will attract more malicious actors in the future,” concludes Štefanko.

For more technical information about Hamster Kombat-related threats, read the blog post “The tapestry of threats targeting Hamster Kombat players” on WeLiveSecurity.com.  Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Example GitHub repository spreading Lumma Stealer via an “offer” for a farm bot


Chinese HotPage browser injector is capable of replacing web content and opens the system to other vulnerabilities, ESET Research discovers

  • ESET Research has discovered a sophisticated Chinese browser injector ESET dubbed HotPage.
  • It is a signed, vulnerable, ad-injecting driver from a mysterious Chinese company.
  • The threat poses as a security product that blocks advertisements; however, it introduces even more ads.
  • HotPage can replace the content of the current page, redirect the user, or simply open a new tab to a website full of gaming ads.
  • The threat leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system. 

BRATISLAVA, MONTREAL, July 18, 2024 — ESET Research has discovered a sophisticated Chinese browser injector: a signed, vulnerable, ad-injecting driver from a mysterious Chinese company. This threat, which ESET dubbed HotPage, comes self-contained in an executable file that installs its main driver and injects libraries into Chromium-based browsers. Posing as a security product capable of blocking advertisements, it actually introduces new ads. Additionally, the malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of other ads. The malware introduces more vulnerabilities and leaves the system open to even more dangerous threats. An attacker with a non-privileged account could leverage the vulnerable driver to obtain SYSTEM privileges or inject libraries into remote processes to cause further damage, all while using a legitimate and signed driver.

At the end of 2023, ESET researchers stumbled upon an installer named “HotPage.exe” that deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers’ network traffic. The installer was detected by most security products as an adware component. What really stood out to ESET researchers was the embedded driver signed by Microsoft. According to its signature, it was developed by a Chinese company named Hubei Dunwang Network Technology Co., Ltd.

“The lack of information about the company was intriguing. The distribution method is still unclear, but according to our research, this software was advertised as an internet café security solution aimed at Chinese-speaking individuals. It purports to improve the web browsing experience by blocking ads and malicious websites, but the reality is quite different — it leverages its browser traffic interception and filtering capabilities to display game-related ads. It also sends some information about the computer to the company’s server, most likely to gather installation statistics,” explains ESET researcher Romain Dumont, who discovered the threat.

According to available information, the business scope of the company includes technology-related activities such as development, services, and consulting – but also advertising activities. The principal shareholder is currently Wuhan Yishun Baishun Culture Media Co., Ltd., a very small company that looks to be specialized in advertising and marketing. Due to the level of privileges needed to install the driver, the malware might have been bundled with other software packages or advertised as a security product.

Using Windows’ notification callbacks, the driver component monitors new browsers or tabs being opened. Under certain conditions, the adware will use various techniques to inject shellcode into browser processes to load its network-tampering libraries. Using Microsoft’s Detours hooking library, the injected code filters HTTP(S) requests and responses. The malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of gaming ads. On top of its obvious mischievous behavior, this kernel component leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system: the SYSTEM account. Due to improper access restrictions to this kernel component, any process can communicate with it and leverage its code injection capability to target any non-protected processes.

“The HotPage driver reminds us that abusing Extended Verification certificates is still a thing. As a lot of security models are at some point based on trust, threat actors are inclined to play along the line between legitimate and shady. Whether such software is advertised as a security solution or simply bundled with other software, the capabilities granted thanks to this trust expose users to security risks,” adds Romain.

ESET reported this driver to Microsoft in March 2024 and followed their coordinated vulnerability disclosure process. ESET technologies detect this threat — which Microsoft removed from the Windows Server Catalog on May 1, 2024 — as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.

For more technical information about HotPage, read the blogpost “HotPage: Story of a signed, vulnerable, ad-injecting driver” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

The Chinese company’s certified products listed in the Windows Server Catalog

