ESET Smart Security Standard Edition

Malware and antivirus software

Internet Security for Home Users

Share |

ESET Smart Security utilizes the power of the cloud and multiple layers of detection to keep out threats and block
all potential attacks vectors protecting you at the highest level while you work, social network, play online games
or exchange data via removable media.

 

All-in-one Security Suite

ESET Smart Security 5 keeps your computer or laptop safe with intelligent multi-layered protection combining proven antivirus, antispyware, firewall, anti-rootkit and antispam capabilities.

Next Gen Security

The new generation of computer security boasts a large array of security features, usability enhancements and scanning technology improvements in defense of your your online life.

Bulking up Your Defenses

We have built a high-performing security solution against all internet threats, and to secure your personal data and sensitive information whether online or off.  Take your computer security to a whole new level.

Key Features and Benefits

ESET Live Grid (Cloud-powered Reputation) NEW
Delivers optimized real-time protection against Internet threats and social media exploits.

Parental Control NEW
Protects your family from potentially offensive web content by blocking various website categories.

Smart Detection
Advanced heuristic detection technology flags even never-before-seen malware protecting you from unknown threats and neutralizing them before they can do any harm.

Intelligent Firewall
New and improved firewall module prevents unauthorized users from accessing your computer and taking advantage of your personal data.

Improved Antispam
Tightly integrated into ESET Smart Security, the antispam module has undergone a thorough optimization for even higher level of filtering precision.

Enhanced Media Control NEW
Automatically scans all USB flash drives, memory cards and CDs/DVDs. Block removable media based on type of media, manufacturer, size and other attributes.

Advanced HIPS Functionality NEW
This one is for real geeks – now you can customize the behavior of the system in greater detail: specify rules for the system registry, active processes and programs, and fine-tune your security posture.

Gamer Mode NEW
Postpones all pop-up windows, updates or other system-intensive activities to conserve system resources for gaming or other full-screen activities.

Optimized Startup Procedure NEW
No more waiting for signature database download to complete – ESET Smart Security 5 lets you start working immediately after booting, without compromising your security.

 

 

ESET Unilicense – Secure them All! 

ESET's unique Unilicense system allows you to extend protection to all operating systems running on a single machine – Windows, Mac OS or Linux – at no additional cost!

With Unilicense, multi-license holders can deploy ESET security solutions on operating systems of choice in a mix-and-match fashion to meet all their security needs.

Engineered around You: Just install and forget

User-centered Layout puts you in perfect control with the deshboard-like look of the "Tools" panel that is now even more intuitive and transparent. Also the most frequently used actions are available from all screens.

Find Your Own Security Posture with intuitive interface and fine-tuning options lets you find the best-fit security posture and keeps you abreast of vital security events and overall security status.

Light Footprint ensures a continual level of protection and smooth performance, while the energy-saving mode conserves resources even further - ideal for laptop users and gamers.

Awards

AV-Comparatives – ESET has received the most "Advanced+" awards in proactive tests from AV-Comparatives of all Antivirus vendors.

Virus Bulletin – ESET NOD32 Antivirus has achieved the highest number of Virus Bulletin VB100 Awards, and never missed a single "In the Wild" virus, a testament to the consistent high-quality performance of ESET security across all platforms.

More info

 

System Requirements

Processor Architecture
i386 (Intel® 80386), amd64 (x86-64)

Operating Systems
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Home Server

Free Disk Space: 400 MB

Memory Consumption: 100 MB

Internet connection is required for product activation.

Malware and antivirus software

ESET Research discovers financial fraud using novel phishing method tailored to Android and iPhone users

  • Standard phishing delivery techniques were combined with a novel method of phishing, targeting Android and iPhone (iOS) users via PWAs, and on Android also via WebAPKs, ESET Research discovers.
  • Installations of PWA/WebAPK applications do not include warnings to the user concerning the installation of a third-party application.
  • On Android, these phishing WebAPKs even appear to have been installed from the Google Play store.
  • Most of the observed applications targeted clients of Czech banks, but ESET also spotted  apps targeting banks in both Hungary and Georgia.
  • Based on the C&C servers utilized, and the backend infrastructure, ESET concludes that two different threat actors were operating the campaigns.
  • ESET notified the victims' banks in order to protect them, and assisted with the takedowns of multiple phishing domains and C&C servers.

BRATISLAVA, PRAGUEAugust 20, 2024 — ESET Research discovered an uncommon type of phishing campaign targeting mobile users, and analyzed a case observed in the wild that targeted clients of a prominent Czech bank. This technique is noteworthy because it installs a phishing application from a third-party website without the user having to allow third-party app installation. On Android, this could result in the silent installation of a special kind of APK, which even appears to be installed from the Google Play store. The threat targeted iPhone (iOS) users as well.

The phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home screens, while on Android, the PWA is installed after confirming custom pop-ups in the browser. At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic. PWAs are essentially websites bundled into what feels like a stand-alone application, with this feeling being enhanced by the use of native system prompts. PWAs, just like websites, are cross-platform, which explains how these PWA phishing campaigns can target both iOS and Android users. The novel technique was observed in Czechia by ESET analysts working on the ESET Brand Intelligence Service, which provides monitoring of threats targeting a client’s brand.

“For iPhone users, such an action might break any ‘walled garden’ assumptions about security,” says ESET researcher Jakub Osmani, who analyzed the threat.

ESET analysts’ discovery of a series of phishing campaigns, targeting mobile users, used three different URL delivery mechanisms. These mechanisms include automated voice calls, SMS messages, and social media malvertising. The voice call delivery is done via an automated call that warns the user about an out-of-date banking app, and asks the user to select an option on the numerical keyboard. After  the correct button is pressed, a phishing URL is sent via SMS, as was reported in a tweet. Initial delivery by SMS was performed by sending messages indiscriminately to Czech phone numbers. The message sent included a phishing link and text to socially engineer victims into visiting the link. The malicious campaign was spread via registered advertisements on Meta platforms like Instagram and Facebook. These ads included a call to action, like a limited offer for users who “download an update below.”

After opening the URL delivered in the first stage, Android victims are presented with two distinct campaigns, either a high-quality phishing page imitating the official Google Play store page for the targeted banking application, or a copycat website for that application. From here, victims are asked to install a “new version” of the banking app.

The phishing campaign and method are possible only because of the technology of progressive web applications. In short, PWAs are applications built using traditional web application technologies that can run on multiple platforms and devices. WebAPKs could be considered an upgraded version of progressive web apps, as the Chrome browser generates a native Android application from a PWA: in other words, an APK. These WebAPKs look like regular native apps. Furthermore, installing a WebAPK does not produce any of the “installation from an untrusted source” warnings. The app will even be installed if installation from third-party sources is not allowed.

One group used a Telegram bot to log all entered information into a Telegram group chat via the official Telegram API, while another used a traditional Command & Control (C&C) server with an administrative panel. “Based on the fact that the campaigns used two distinct C&C infrastructures, we have determined that two separate groups were operating the PWA/WebAPK phishing campaigns against several banks,” concludes Osmani. Most of the known cases have taken place in Czechia, with only two phishing applications appearing outside of the country (specifically in Hungary and Georgia).

All sensitive information found by ESET research on this matter was promptly sent to the affected banks for processing. ESET also assisted with the takedowns of multiple phishing domains and C&C servers.

For more technical information about this novel phishing threat, check out the blogpost “Be careful what you pwish for – Phishing in PWA applications” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Malware and antivirus software

ESET Research discovers NGate: Android malware, which relays NFC traffic to steal victim’s cash from ATMs

  • Attackers combined standard malicious techniques – social engineering, phishing, and Android malware – into a novel attack scenario; ESET suspects that messages impersonating Czech banks were sent to random phone customers in Czechia, and they caught customers of three banks.
  • According to ESET Brand Intelligence Service data, the group had operated since November 2023 in Czechia, and, as of March 2024, the rating of the group's techniques improved via the deploying of the NGate Android malware.
  • Attackers were able to clone NFC data from victims' physical payment cards using NGate, and relay this data to an attacker’s device, which was then able to emulate the original card, and withdraw money from an ATM.
  • This is the first time we have seen Android malware with this capability being used in the wild, and without the victims having had their devices rooted.

BRATISLAVA, KOŠICEAugust 22, 2024 — ESET researchers uncovered a crimeware campaign that targeted clients at three Czech banks. The malware used, which ESET has named NGate, has the unique ability to relay data from victims’ payment cards via a malicious app installed on their Android devices, to the attacker’s rooted Android phone. The primary goal of this campaign was to facilitate unauthorized ATM withdrawals from the victims’ bank accounts. This was achieved by relaying near field communication (NFC) data from the victims’ physical payment cards, via their compromised Android smartphones, by using the NGate Android malware, to the attacker’s device. The attacker then used this data to perform ATM transactions. If this method failed, the attacker had a fallback plan to transfer funds from the victims’ accounts to other bank accounts.

“We haven’t seen this novel NFC relay technique in any previously discovered Android malware. The technique is based on a tool called NFCGate, designed by students at the Technical University of Darmstadt, Germany, to capture, analyze, or alter NFC traffic; therefore, we named this new malware family NGate,” says Lukáš Štefanko, who discovered the novel threat and technique.

Victims downloaded and installed the malware after being deceived into thinking they were communicating with their bank and that their device was compromised. In reality, the victims had unknowingly compromised their own Android devices by previously downloading and installing an app from a link in a deceptive SMS message about a potential tax return.

It’s important to note that NGate was never available on the official Google Play store.

NGate Android malware is related to the phishing activities of a threat actor that has operated in Czechia since November 2023. However, ESET believes these activities were put on hold following the arrest of a suspect in March 2024. ESET Research first noticed the threat actor targeting clients of prominent Czech banks starting at the end of November 2023. The malware was delivered via short-lived domains impersonating legitimate banking websites or official mobile banking apps available on the Google Play store. These fraudulent domains were identified through the ESET Brand Intelligence Service, which provides monitoring of threats targeting a client’s brand. During the same month, ESET reported the findings to its clients.

The attackers leveraged the potential of progressive web apps (PWAs), as ESET reported in a previous publication, only to later refine their strategies by employing a more sophisticated version of PWAs known as WebAPKs. Eventually, the operation culminated in the deployment of NGate malware.

In March 2024, ESET Research discovered that NGate Android malware became available on the same distribution domains that were previously used to facilitate phishing campaigns delivering malicious PWAs and WebAPKs. After being installed and opened, NGate displays a fake website that asks for the user’s banking information, which is then sent to the attacker’s server.

In addition to its phishing capabilities, NGate malware also comes with a tool called NFCGate, which is misused to relay NFC data between two devices – the device of a victim and the device of the perpetrator.  Some of these features only work on rooted devices; however, in this case, relaying NFC traffic is possible from non-rooted devices as well. NGate also prompts its victims to enter sensitive information like their banking client ID, date of birth, and the PIN code for their banking card. It also asks them to turn on the NFC feature on their smartphones. Then, victims are instructed to place their payment card at the back of their smartphone until the malicious app recognizes the card.

In addition to the technique used by the NGate malware, an attacker with physical access to payment cards can potentially copy and emulate them. This technique could be employed by an attacker attempting to read cards through unattended purses, wallets, backpacks, or smartphone cases that hold cards, particularly in public and crowded places. This scenario, however, is generally limited to making small contactless payments at terminal points.
 
“Ensuring protection from such complex attacks requires the use of certain proactive steps against tactics like phishing, social engineering, and Android malware. This means checking URLs of websites, downloading apps from official stores, keeping PIN codes secret, using security apps on smartphones, turning off the NFC function when it is not needed, using protective cases, or using virtual cards protected by authentication,” advises Štefanko.

For more technical information about the novel NFC threat, check out the blogpost “NGate Android malware relays NFC traffic to steal cash” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Overview of the attack

 




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Malware and antivirus software

How Minecraft and game modding can undermine your security

ESET Research has revealed a concerning fact — gamers are being targeted by cybercriminals, and it’s no mystery why they are such meaty targets.

The gaming industry is huge — some games generate millions in monthly revenue, satisfying gamers and executives simultaneously. However, in some cases, gaming can present some very real dangers that are a bit more severe than getting a virtual arrow in your knee.

I wanna be, the very best

How far will a person go to excel in their game?

With the advent of online gaming, more and more people are playing together in real-time, leading to more social interactions than ever before. This can lead to a lot of pressure, especially when playing online games with a player vs. player (PVP) aspect like multiplayer shooters or battle arenas.

When you want to be the best, you will focus on improving your skills, right? Well, quite a few people would rather cheat their way to the top of the rankings, raking in the gain without the pain.

Cybercriminals know this, which is why when venturing online, gamers can find a multitude of interesting cheats like wall hacks or aimbots for better visibility and accuracy to help up their game. What they don’t know is that these cheats are often loaded with malware, hence cheating your way to the top can lead to someone else taking a peek at your personal data via infostealers such as RedLine Stealer or Lumma Stealer, which ESET Research’s telemetry confirm as quite active.

What is an infostealer?

An infostealer is a piece of malware that, after infecting your computer, starts exfiltrating (stealing) information from the compromised device. Such data can include credentials saved in browsers, financial information, browser cookies, crypto wallets, or others.

These are often sold as a service, with RedLine Stealer costing just $150 per month. To make matters worse, like home automation software, RedLine works through a simple dashboard, making its deployment to victims hassle-free.

The game has just begun

However, cheats are not the only attack vectors for infostealers to infiltrate your device.

When you really like a game, like Minecraft, for example, you might want to go beyond what the developer offers with the default set of assets and gameplay scenarios. For example, players of the Java version of Minecraft often modify their worlds by adding additional creatures, building blocks, or more ways to use redstone, leading to creations such as functional computers inside the game (the creativity is limitless, really).

While it is great that players seek more creative ways to redefine their game experiences, cybercriminals also abuse this. You see, mods (game modifications) are usually available as downloads —– for Minecraft, typically on web pages like Planet Minecraft or Minecraft Mods. These are all publicly available platforms, hence why cybercriminals try to exploit such places with their nefarious prospecting by updating modifications and injecting them with malicious code. Such was the case reported by Bleeping Computer, when hackers compromised several accounts on modding platforms to distribute infostealers, hijacking existing projects.

Sadly, sometimes not even official resources are free of exploitation due to various vulnerabilities, as was the case when 50,000 Minecraft accounts were infected due to skins injected with malware capable of reformatting hard drives and deleting backups plus system programs, offered as a download on the game’s website.

Since it's usually kids (based on 2021 stats) who play Minecraft, they probably do so on shared family computers and home networks, hence the resulting damage can spill over to their parents. What’s worse, instead of an infostealer, a computer could get infected with ransomware, but that is more of a concern for gaming companies, who are targeted for monetary reasons.

Did you know?

Ransomware is a threat shared by people and businesses alike. In the world of gaming, a famous example is the 2023 Rhysida ransomware attack on Insomniac Games, the developer behind games such as Spider-Man and the Ratchet and Clank series. As a result of the attack, terabytes of data on both their past projects, as well as net-new, have been leaked.

Nothing is true; everything is permitted

Apart from infostealers, phishing is also trendy in gaming circles. As pictured below, gaming placed No. 10 in the top phishing website category by ESET Research.

Source: ESET Threat Report H1 2024

To paint a picture of how this happens, consider when a gamer is playing an online MMO like World of Warcraft or a game with virtual currency such as Fortnite.

Character skins and various XP boosts might require you to purchase them with said virtual currency. In WoW’s case, for example, there’s the WoW token. You either purchase one with in-game gold for gametime or Battle.net balance (enabling real currency purchases), or do the opposite and purchase one for an influx of in-game gold with real money. Imagine it as a foreign exchange of sorts.

Similarly, in Fortnite, V-Bucks are used to purchase outfits, emotes, and Battle Passes. All these are rather tempting for various reasons, especially when you want to stand out among an online crowd.

Kids, teenagers, and even adults don’t know better sometimes. Via the chat functions in these games (unless disabled or if the account has a parental lock), gamers can be tempted by fellow players to visit certain websites to receive either currency for free! Just insert your login details and you’ll immediately receive an influx of your desired virtual cash/token. Or, more likely, your credentials and account will get stolen, since now you’ve been successfully phished by a cybercriminal.

Infostealer detections

ESET telemetry continues to detect threats like RedLine Stealer and Lumma Stealer, with the former achieving localized detection peaks coming mostly from states such as Germany, Spain, and Japan.

Source: ESET Threat Report H1 2024

On the other hand, Lumma switched its malware to a new variant, leading to a growing trend in its detections as Win/Spy.Agent.QLD.

Source: ESET Threat Report H1 2024

Both infostealers have been detected in payloads of files masking themselves as cheating tools or video game cracks (game executables bypassing copy protection). All in all, infostealers have seen a slight rise compared to the previous period (4% increase) globally.

Global infostealer detections. This also includes non-gaming-related ones.
(Source: ESET Threat Report H1 2024)

ESET has also detected Epsilon Stealer (as JS/PSW.Agent trojan variants .CH and .CI). It was recently present in a popular mod of Slay the Spire, pushed through the Steam update system, after having breached the developer accounts on Steam and Discord. Once installed, Epsilon looks to exfiltrate cookies, saved passwords, and credit card details from web browsers, plus login info for Steam, Windows, and other accounts.

Stay awhile and listen

To protect against infostealers and other malicious threats, your best bet is to raise your protection with strong next-gen security software like ESET Home Security, and thanks to ESET telemetry and ESET LiveSense security layers, it can assure a strong safety net in case a modpack gets infected or If someone downloads an infected executable that had already been caught by one of our global sensors.

The same software also offers anti-phishing protection and secure browsing to block suspicious websites or emails, and to guarantee a safe browsing experience while socializing online.

As for account security, use diverse passwords (we recommend using the ESET Password Generator to ensure their strength), store your credentials in password managers (instead of browsers), and use app or biometrics-based multi-factor authentication instead of SMS to add another layer to your account’s security, keeping threat actors at bay.

 




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Malware and antivirus software

ESET Research: Spy group exploits WPS Office zero day; analysis uncovers a second vulnerability

  • South Korea-aligned advanced persistent threat group APT-C-60 weaponized a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) in order to target East Asian countries. ESET Research discovered the vulnerability and provides a root cause analysis, along with a description of its weaponization.
  • A strange spreadsheet document referencing one of the group’s many downloader components pointed to APT-C-60.
  • The exploit is deceptive enough to trick users into clicking on a legitimate-looking spreadsheet while also being very effective and reliable. The choice of the MHTML file format allowed the attackers to turn a code execution vulnerability into a remote one.
  • While analyzing the vulnerability, ESET Research discovered another way to exploit it (CVE-2024-7263).
  • Following our coordinated vulnerability disclosure policy, as Kingsoft acknowledged and patched both vulnerabilities, we provide a detailed analysis.

BRATISLAVA, MONTREALAugust 28, 2024 — ESET researchers discovered a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262). It was being exploited by APT-C-60, a South Korea-aligned cyberespionage group, to target East Asian countries. When examining the root cause, ESET discovered another way to exploit the faulty code (CVE-2924-7263). Following a coordinated disclosure process, both vulnerabilities are now patched. The final payload in the APT-C-60 attack is a custom backdoor with cyberespionage capabilities that ESET Research internally named SpyGlace.

“While investigating APT-C-60 activities, we found a strange spreadsheet document referencing one of the group’s many downloader components. The WPS Office software has over 500 million active users worldwide, which makes it a good target to reach a substantial number of individuals, particularly in the East Asia region,” says ESET researcher Romain Dumont, who analyzed the vulnerabilities. During the coordinated vulnerability disclosure process between ESET and the vendor, DBAPPSecurity independently published an analysis of the weaponized vulnerability and confirmed that APT-C-60 has exploited the vulnerability to deliver malware to users in China.

The malicious document comes as an MHTML export of the commonly used XLS spreadsheet format. However, it contains a specially crafted and hidden hyperlink designed to trigger the execution of an arbitrary library if clicked when using the WPS Spreadsheet application. The rather unconventional MHTML file format allows a file to be downloaded as soon as the document is opened; therefore, leveraging this technique while exploiting the vulnerability provides for remote code execution.

“To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share, and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this,” explains Dumont. “When opening the spreadsheet document with the WPS Spreadsheet application, the remote library is automatically downloaded and stored on disk,” he adds.

Since this is a one-click vulnerability, the exploit developers embedded a picture of the spreadsheet’s rows and columns inside to deceive and convince the user that the document is a regular spreadsheet. The malicious hyperlink was linked to the image so that clicking on a cell in the picture would trigger the exploit.

“Whether the group developed or bought the exploit for CVE-2024-7262, it definitely required some research into the internals of the application but also knowledge of how the Windows loading process behaves,” concludes Dumont.

After analyzing Kingsoft’s silently released patch, Dumont noticed that it had not properly corrected the flaw and discovered another way to exploit it due to an improper input validation. ESET Research reported both vulnerabilities to Kingsoft, who acknowledged and patched them. Two high severity CVE entries were created: CVE-2024-7262 and CVE-2024-7263.

The discovery underlines the importance of a careful patch verification process and making sure that the core issue has been addressed in full. ESET strongly advises WPS Office for Windows users to update their software to the latest release.

For more technical information about the WPS Office vulnerabilities and exploits, check out the blog post “Analysis of two arbitrary code execution vulnerabilities affecting WPS Office” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

 




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Malware and antivirus software

ESET Research: CosmicBeetle group joins forces with other ransomware gangs, targets businesses in Europe and Asia

  • ESET Research investigated ScRansom, a novel ransomware developed by the CosmicBeetle threat group.
  • CosmicBeetle has been experimenting with the leaked LockBit builder and trying to mimic LockBit’s brand.
  • Furthermore, CosmicBeetle is likely a recent affiliate of the ransomware-as-a-service actor RansomHub, active since March 2024.
  • ScRansom is continually improving; however, it is impossible to restore some files.
  • CosmicBeetle exploits years-old vulnerabilities to breach SMBs with a focus on Europe and Asia.

BRATISLAVA, PRAGUESeptember 10, 2024 — ESET researchers have mapped the recent activities of the CosmicBeetle threat group, documenting its new ScRansom ransomware being deployed and discovering connections to other well-established ransomware gangs. CosmicBeetle has been spreading ransomware to small and medium businesses (SMBs), mainly in Europe and Asia. ESET Research has observed the threat actor using the leaked LockBit builder and trying to leverage LockBit’s ransomware reputation. Besides LockBit, ESET believes that CosmicBeetle is probably a new affiliate of ransomware-as-a-service actor RansomHub, a new ransomware gang active since March 2024 with rapidly increasing activity.

“Probably due to the obstacles that writing custom ransomware from scratch brings, CosmicBeetle attempted to leech off LockBit’s reputation, possibly to mask the issues in the underlying ransomware and in turn to increase the chance that victims would pay,” says ESET researcher Jakub Souček, who analyzed the latest activity of CosmicBeetle. “Additionally, recently, we observed the deployment of ScRansom and RansomHub payloads on the same machine only a week apart. This execution of RansomHub was very unusual compared to the typical cases we have seen in ESET telemetry, but quite similar to CosmicBeetle’s modus operandi. Since there are no public leaks of RansomHub, this leads us to believe with medium confidence that CosmicBeetle may be a recent affiliate of theirs,” adds Souček.

CosmicBeetle often uses brute-force methods to breach its targets. Besides that, it misuses various known vulnerabilities. Small and medium-sized businesses from all sorts of verticals all over the world are the most common victims of this threat actor because that is the segment most likely to use the affected software, or lack robust patch management processes in place. ESET Research has observed attacks on SMBs in the following verticals: manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality leisure, financial services, and regional government.

Besides encrypting, ScRansom can also kill various processes and services on the affected machine. ScRansom is not a very sophisticated piece of ransomware, though CosmicBeetle has been able to compromise interesting targets and cause great harm to them. This is mostly because CosmicBeetle is an immature actor in the ransomware world, and problems plague the deployment of ScRansom. Victims affected by ScRansom, who decide to pay, should be cautious.

ESET Research was able to obtain a decryptor implemented by CosmicBeetle for its recent encryption scheme. ScRansom is undergoing constant development, which is never a good sign for ransomware. The overcomplexity of the encryption (and decryption) process is prone to errors, making restoration of all files doubtful. Successful decryption relies on the decryptor working properly and on CosmicBeetle providing all the necessary keys, and even in that case, some files may be destroyed permanently by the threat actor. Even in the best-case scenario, decryption is long and complicated.

CosmicBeetle, active since at least 2020, is the name ESET researchers assigned to a threat actor discovered in 2023. This threat actor is most known for the usage of its custom collection of Delphi tools, commonly called Spacecolon, consisting of ScHackTool, ScInstaller, ScService, and ScPatcher.

For more technical information about the latest activity of CosmicBeetle, check out the blogpost “CosmicBeetle steps up: Probation period at RansomHub” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Heatmap of CosmicBeetle attacks since August 2023, according to ESET telemetry




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Why ESET?

ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.