
ESET Partner Hacked to Send Data Erasers to Israeli Organizations

Hackers breached ESET’s exclusive partner in Israel and used its infrastructure to send Israeli companies phishing emails that delivered data wipers disguised as antivirus software, with the aim of carrying out destructive attacks.

A data eraser, or wiper, is malware that intentionally deletes all files on a computer and usually removes or corrupts the partition table as well, to make data recovery more difficult.

In a phishing campaign that began on October 8, emails bearing the ESET logo were sent from the legitimate domain eset.co.il, indicating that the Israeli division’s email server had been hacked as part of the attack.

Although the eset.co.il domain carries ESET content and logos, ESET told BleepingComputer that it is operated by Comsecure, its distributor in Israel.


The emails claim to come from “ESET’s Advanced Threat Defense team” and warn customers that government-backed attackers are targeting the recipient’s device. To “protect” the device, the email offers a supposedly more advanced antivirus tool called “ESET Unleashed”.

“Your device has been identified among a list of devices currently being targeted by a state-sponsored threat actor. Information obtained by ESET’s Threat Intelligence division has identified a geopolitically motivated threat group as having attempted to target your computer in the last 14 days of this email,” reads the phishing email obtained by BleepingComputer.

“As part of ESET’s Advanced Threat Defense program (ESET-ATD), ESET gives you access to ESET Unleashed, designed to counter advanced targeted threats, which you can install on up to 5 of your devices.”

Phishing email sent from compromised ESET Israel email servers
Source: BleepingComputer

From the phishing email headers, BleepingComputer confirmed that the email came from legitimate email servers for eset.co.il, having passed SPF, DKIM, and DMARC authentication tests.
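The point a defender should take from those headers is that SPF, DKIM and DMARC attest to the sending infrastructure, not to the content, so a mail that really does leave the vendor's servers passes all three. The following triage routine is an added example, not code from BleepingComputer, ESET or Comsecure: it runs over a constructed message that mirrors the header pattern the article describes (the receiving host, DKIM selector, sender address, body text and download path are assumptions, not the real campaign's values) and shows that every authentication and alignment check comes back true, so the only signals left are content-level ones such as an authenticated vendor mail pointing at a ZIP download on its own domain.

```python
"""Triage an email whose Authentication-Results all pass.

Added example (not from the article). RAW is a constructed message that
reproduces the header pattern described above; hostnames, selector and
body are assumptions.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

RAW = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=eset.co.il;
 dkim=pass header.d=eset.co.il header.s=sel1; dmarc=pass header.from=eset.co.il
From: ESET Advanced Threat Defense <noreply@eset.co.il>
To: victim@example.com
Subject: Your device is being targeted
Content-Type: text/plain; charset=utf-8

Your device has been identified among a list of devices currently being targeted.
Download ESET Unleashed: https://backend.store.eset.co.il/pub/constructed/ESETUnleashed.zip
"""

ARCHIVE_SUFFIXES = (".zip", ".exe", ".rar", ".7z", ".msi", ".iso")


def parse_auth_results(header: str) -> dict:
    """Pull spf/dkim/dmarc verdicts and the DKIM signing domain out of an
    Authentication-Results header (folded continuation lines are fine)."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    m = re.search(r"header\.d=([\w.-]+)", header)
    results["dkim_domain"] = m.group(1) if m else ""
    return results


def triage_message(raw: bytes) -> dict:
    """Return the infrastructure checks (which pass here) beside the content
    checks that actually distinguish this lure."""
    msg = email.message_from_bytes(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    links = re.findall(r"https?://[^\s<>\"']+", body)
    parsed = [urlparse(u) for u in links]
    hosts = [(p.hostname or "").lower() for p in parsed]

    def on_sender_domain(host: str) -> bool:
        return host == from_domain or host.endswith("." + from_domain)

    return {
        "from_domain": from_domain,
        # Infrastructure-level checks: all true for mail sent from a compromised legitimate server.
        "auth_all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "dkim_aligned": auth["dkim_domain"].lower() == from_domain,
        "links_on_sender_domain": bool(hosts) and all(on_sender_domain(h) for h in hosts),
        # Content-level check: a vendor mail that hands out an archive/executable to run.
        "executable_download_link": any(p.path.lower().endswith(ARCHIVE_SUFFIXES) for p in parsed),
        "link_hosts": hosts,
    }


if __name__ == "__main__":
    for key, value in triage_message(RAW).items():
        print(f"{key}: {value}")
```

Because the first four fields are true for this message, a gateway policy that whitelists "authenticated mail from a known vendor domain" would deliver it; the rule worth keeping is that an authenticated vendor mail offering an executable download is treated as a reason to verify with the vendor out of band, not as a reason to trust the download.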

Phishing email passing authentication checks
Source: BleepingComputer

To add further legitimacy to the attack, the link to the download was hosted on the eset.co.il domain at URLs such as https://backend.store.eset.co(.)il/pub/2eb524d79ce77d5857abe1fe4399a58d/ESETUnleashed_081024.zip, which are now disabled.

This ZIP archive (VirusTotal) contains four DLL files digitally signed by ESET’s legitimate code signing certificate and one unsigned Setup.exe file.

All four DLLs are legitimate files distributed as part of ESET’s antivirus software. However, Setup.exe (VirusTotal) is the malicious data eraser.

ESET Unleashed archive containing the data eraser
Source: BleepingComputer
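An archive made of vendor-signed DLLs plus one unsigned executable is the layout to look for when triaging a download like this one. The script below is an added example, not code from the article, ESET or Comsecure: it builds two constructed, minimal PE images in memory (header-only, not loadable programs, with hypothetical member names), packs them into a ZIP the way the article describes, and flags any unsigned executable sitting beside DLLs that carry an Authenticode certificate table. It only checks whether a certificate table is present; validating the signature itself needs a proper tool such as signtool or osslsigncode.

```python
"""Triage a ZIP for the 'signed DLLs + unsigned EXE' layout.

Added example (not from the article). The PE images are constructed
header-only stubs, and the DLL names are hypothetical.
"""
import io
import struct
import zipfile

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY


def pe_info(data: bytes):
    """Return {'dll': bool, 'signed_entry': bool} for a PE image, or None if not PE.
    'signed_entry' means a certificate table exists, not that the signature is valid."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+
        nrva_off, dirs_off = 108, 112
    else:
        return None
    n_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    signed_entry = False
    if n_dirs > SECURITY_DIR_INDEX:
        # For the security directory the first field is a file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * SECURITY_DIR_INDEX)
        signed_entry = cert_size > 0 and cert_off + cert_size <= len(data)
    return {"dll": bool(characteristics & IMAGE_FILE_DLL), "signed_entry": signed_entry}


def triage_archive(zip_bytes: bytes) -> dict:
    """Classify PE members and flag unsigned executables beside signed DLLs."""
    result = {"signed_dlls": [], "unsigned_exes": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            info = pe_info(zf.read(name))
            if info is None:
                result["other"].append(name)
            elif info["dll"] and info["signed_entry"]:
                result["signed_dlls"].append(name)
            elif not info["dll"] and not info["signed_entry"]:
                result["unsigned_exes"].append(name)
            else:
                result["other"].append(name)
    result["sideload_pattern"] = bool(result["signed_dlls"] and result["unsigned_exes"])
    return result


# --- constructed sample data ---------------------------------------------------
def build_pe(dll: bool, signed: bool) -> bytes:
    """Build a minimal PE32+ header (constructed, not loadable), optionally with a cert table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    opt_size = 240                                              # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + opt_size
    cert = b""
    if signed:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA,
        # followed by a placeholder body (not real PKCS#7 data).
        body = b"\x30\x00"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, header_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


def sample_archive() -> bytes:
    """Mimic the layout in the article: four signed DLLs plus one unsigned Setup.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(1, 5):
            zf.writestr(f"lib{i}.dll", build_pe(dll=True, signed=True))   # hypothetical names
        zf.writestr("Setup.exe", build_pe(dll=False, signed=False))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(sample_archive()))
```

On a real sample, replace `sample_archive()` with the bytes of the downloaded ZIP; a `sideload_pattern` hit is a prompt to detonate the unsigned member in isolation and to verify the DLL signatures with a real Authenticode checker rather than trusting the presence of a certificate table.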

BleepingComputer tried to test the wiper on a virtual machine, but the executable automatically crashed.

Cybersecurity expert Kevin Beaumont had more success when running it on a physical PC, stating that it would access the legitimate Israeli Home Front Command site at www.oref.org.il.

“Setup.exe is malicious. It uses a multitude of obvious techniques to try to evade detection,” Beaumont explains.

“I was only able to properly detonate it on a physical PC. It calls various obviously malicious things, for example it uses a Mutex from the Yanluowang extortion/ransomware group.”

At this time, it is unclear how many companies were targeted by this phishing campaign or how Comsecure, ESET’s Israeli distributor, was hacked.

BleepingComputer has emailed several people at Comsecure, including its CEO, but has yet to receive a response.

Although the attack has not been attributed to any particular threat actor or hacktivist group, data erasers have long been a popular tool in attacks against Israel.

In 2017, an anti-Israeli and pro-Palestinian data eraser called IsraBye was discovered in attacks on Israeli organizations.

In 2023, Israel suffered a wave of BiBi wiper attacks targeting organizations, particularly in the education and technology sectors.

Many of these attacks were linked to Iranian threat actors, whose goal was not to generate revenue, but rather to sow chaos and disrupt the Israeli economy.