• In the second half of 2023, ESET detected multiple AceCryptor campaigns using the Rescoms remote access tool (RAT) in European countries, mainly Poland, Bulgaria, Slovakia, Spain, and Serbia.
• The threat actor behind these campaigns in some cases abused compromised accounts to send spam emails in order to make them look as credible as possible. 
• The goal of the spam campaigns was to obtain credentials stored in browsers or email clients, which in case of a successful compromise would open possibilities for further attacks.

BRATISLAVA — March 20, 2024 — ESET Research has recorded a dramatic increase in AceCryptor attacks, with ESET detections tripling between the first and second halves of 2023, correlating to the protection of 42,000 ESET users worldwide. Furthermore, in recent months, ESET registered a significant change in how AceCryptor is used, namely that the attackers spreading Rescoms (also known as Remcos) started utilizing AceCryptor, which was not the case beforehand. Rescoms is a remote access tool (RAT) that is often used by threat actors for malicious purposes; AceCryptor is a cryptor-as-a-service that obfuscates malware to hinder its detection. Based on the behavior of deployed malware ESET researchers assume that the goal of these campaigns was to obtain email and browser credentials for further attacks against the targeted companies. The vast majority of AceCryptor-packed Rescoms RAT samples were used as an initial compromise vector in multiple spam campaigns targeting European countries, including Central Europe (Poland, Slovakia), the Balkans (Bulgaria, Serbia), and Spain.

“In these campaigns, AceCryptor was used to target multiple European countries, and to extract information or gain initial access to multiple companies. Malware in these attacks was distributed in spam emails, which were in some cases quite convincing; sometimes the spam was even sent from legitimate, but abused, email accounts,” says ESET researcher Jakub Kaloč, who discovered the latest AceCryptor with Rescoms campaign. “Because opening attachments from such emails can have severe consequences for you or your company, we advise you to be aware about what you are opening and use reliable endpoint security software able to detect this malware,” he adds.

In the first half of 2023, the countries most affected by malware packed by AceCryptor were Peru, Mexico, Egypt, and Türkiye, with Peru, at 4,700, having the greatest number of attacks. Rescoms spam campaigns changed these statistics dramatically in the second half of the year. AceCryptor-packed malware affected mostly European countries.

AceCryptor samples that we’ve observed in the second half of 2023 often contained two malware families as their payload: Rescoms and SmokeLoader. A spike detected in Ukraine was caused by SmokeLoader. On the other hand, in Poland, Slovakia, Bulgaria, and Serbia, increased activity was caused by AceCryptor containing Rescoms as a final payload.

All spam campaigns that targeted businesses in Poland had emails with very similar subject lines about B2B offers for the victim companies. To look as believable as possible, attackers did their research and used existing Polish company names and even existing employee/owner names and contact information when signing those emails. This was done so that in the case of a victim Googling the sender’s name, the search would be successful, which might lead to the victim opening the malicious attachment.

While it is unknown whether the credentials were gathered for the group that carried out these attacks or if those stolen credentials would be later sold on to other threat actors, it is certain that successful compromise opens the possibility for further attacks, especially for ransomware attacks.

In parallel with the campaigns in Poland, ESET telemetry also registered ongoing campaigns in Slovakia, Bulgaria, and Serbia. The only significant difference, of course, was that the language used in the spam emails was localized for those specific countries. Apart from the previously mentioned campaigns, Spain also experienced a surge of spam emails with Rescoms as the final payload.

For more technical information about the AceCryptor and Rescoms RAT campaign, check out the blogpost “Rescoms rides waves of AceCryptor spam”. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

•    STARMUS will bring an inspiring debate on the future of our planet to Bratislava turning the Slovak capital into the world’s science capital for a whole week this May.
•    The world’s most ambitious science and music festival includes lectures, a music program, star gazing, and the STARMUS camp for the general public.
•    The festival will feature the Stephen Hawking Awards Ceremony, with the winners expected to be announced days before the start of the event.
•    STARMUS will bring eight Nobel laureates, astronauts, top researchers, and the greatest thought leaders in climate change, environment, artificial intelligence, and cybersecurity to the city.
•    Tickets are available through www.ticketportal.sk and have gone on sale with an early bird discount available until April 15.

BRATISLAVA – March 21, 2024 – STARMUS, powered by ESET, today announces an unparalleled program for its seventh edition which is set to be the most inspiring debate on the future of our home planet. As announced in May 2023, the prestigious STARMUS festival – the brainchild of astrophysicist Garik Israelian, PhD, and Queen guitarist Sir Brian May, PhD in astrophysics – will hold its next edition in Bratislava this May.  

STARMUS will kick off with a performance by a legendary musician to be announced soon with the full line-up, followed by a four-day program of STARMUS Exclusive Talks with more than 50 world-class speakers and world-renowned artists in Bratislava´s Ice Hockey Stadium, The Ondrej Nepela Arena.

ESET, a global leader in cybersecurity, has consistently advocated for the progress of science and its transformative impact on society. The company firmly believes in the potential of science to drive significant progress for humanity and is committed to safeguarding this progress by providing AI-native security solutions.

“I believe that our role here at ESET is more than just technology development and innovation. We stand for protecting the progress society is making. And we believe this progress is brought by science. Science brings solutions to many of humanity’s challenges. The work that we do to protect our communities from cyber threats, is just a small piece of what the wider scientific community is doing to protect people from disease, help technological progress, and educate everyone around the world.”  said Richard Marko, ESET CEO,who is also giving a talk named Tech for Earth: Rethinking Cybersecurity in the Age of Global Challenges during the second day of the conference. He will be joined by Starmus speakers, including astronaut Charlie Duke and technology visionary Tony Fadell.

STARMUS, in its first edition focusing on Planet Earth, will feature Nobel laureates, such as Michel Mayor, Emmanuelle Charpentier, and Kip Thorne; astronauts who made history as part of the space race – namely Charlie Duke or Chris Hadfield– and world icons, including Jane Goodall and the music legend Sir Brian May, co-founder of the festival.

The festival will also showcase exclusive performances from the popular Californian punk-rock band The Offspring, Tony Hadley, the former lead singer of the British pop icon from the 80s Spandau Ballet, and more one-off live performances to be announced soon with the full line-up.

One of the festival’s highlights will be the ceremony for the Stephen Hawking Medal for Science Communication which awards excellence across four categories: Music & Arts, Science Writing, Films & Entertainment, and Lifetime Achievement.

This year, STARMUS, powered by ESET, is sponsored by VÚB Banka, OMEGA, and KIA Slovakia. The festival will be held under the auspices of the President of the Slovak Republic and the Mayor of Bratislava and under the patronage of the European Commission Representation in Slovakia.

Ticket Information:
Tickets, available at www.ticketportal.sk and www.starmus.com include access to all festival events. Early bird discounts are available until April 15. Student Tickets for 98 euros and General Attendees tickets for 198 euros. Subsequently, tickets will be priced at 150 euros for Students and 250 euros for General Attendees.

The tickets include STARMUS Exclusive Lectures (May 13-17), Star Party (May 14), Stephen Hawking Medial Award Ceremony & Sonic Universe Concert (May 15).

To learn more about STARMUS click here. 

• ESET Research discovered a cyberespionage campaign that leverages the Monlam Festival — a religious gathering — to target Tibetans in several countries and territories. ESET attributes this campaign with high confidence to the China-aligned Evasive Panda Advanced Persistent Threat (APT) group.
• The attackers compromised the website of the organizer of the annual festival, which takes place in India, and added malicious code to create a watering-hole attack targeting users connecting from specific networks.
• ESET also discovered that a software developer’s supply chain was compromised and trojanized installers for both Windows and macOS were served to users. 
• The attackers fielded a number of malicious downloaders and full-featured backdoors for the operation, including a publicly undocumented backdoor for Windows “Nightdoor.”
• Targeted users were located in India, Taiwan, Hong Kong, Australia, and the United States (including at Georgia Tech).

BRATISLAVA, MONTREAL — March 7, 2024 — ESET researchers have discovered a cyberespionage campaign that, since at least September 2023, has been victimizing Tibetans via a targeted watering hole (also known as a strategic web compromise), and a supply-chain compromise to deliver trojanized installers of Tibetan language translation software. The attackers aimed to deploy malicious downloaders for both Windows and macOS to compromise website visitors with MgBot as well as a backdoor that has not been publicly documented yet; ESET has named it Nightdoor. The campaign by the China-aligned Evasive Panda APT group leveraged the Monlam Festival — a religious gathering — to target Tibetans in several countries and territories. Targeted networks were located in India, Taiwan, Hong Kong, Australia, and the United States.

ESET discovered the cyberespionage operation in January 2024. The compromised website abused as a watering hole (the attacker infests a website that the victim likely or regularly uses) belongs to Kagyu International Monlam Trust, an organization based in India that promotes Tibetan Buddhism internationally. The attack might have been intended to capitalize on international interest in the Kagyu Monlam Festival that is held annually in January in the city of Bodhgaya, India. The network of the Georgia Institute of Technology (also known as Georgia Tech) in the United States is among the identified entities in the targeted IP address ranges. In the past, the university was mentioned in connection with the Chinese Communist Party’s influence on education institutes in the U.S.