Israeli orgs targeted with wiper malware via ESET-branded emails

Attackers have tried to deliver wiper malware to employees at organizations across Israel by impersonating cybersecurity company ESET via email.

The phishing email

The attack took the form of a phishing email ostensibly sent by the “Eset Advanced Threat Defense Team”, warning that state-backed hackers had tried to compromise the target’s device(s).


The phishing email (Source: A user of the ESET Security Forum)

The email was posted on the ESET Security Forum on October 8 by a recipient asking for confirmation that it was a phishing attempt.

“I managed to obtain the email, which passes both DKIM and SPF checks for coming from ESET’s store,” security researcher Kevin Beaumont shared.

“Additionally, the link is indeed to backend.store.eset.co.il — owned by ESET Israel.”

Beaumont also managed to get his hands on the ZIP file the targets were instructed to download and, after analyzing it, he realized it was a wiper masquerading as ransomware.
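The detail worth underlining is that passing SPF and DKIM only proves the message left infrastructure authorised for the sending domain; it says nothing about whether the content is safe. The following triage helper is an added example, not code from the original report or from Beaumont's analysis: it parses a message's Authentication-Results header, checks that the From domain and every link in the body sit under the DKIM signing domain, and separately flags links to archive downloads. The sample message below is constructed to match the described email; only the domain names come from the article, and the authserv-id, selector, recipient, subject, body text and file name are invented.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the description above: SPF, DKIM and DMARC
# all pass for the partner's store domain, and the body links to a ZIP hosted
# under backend.store.eset.co.il. The authserv-id, selector, recipient, subject
# text and file name are invented for illustration.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=store.eset.co.il;
 dkim=pass header.d=store.eset.co.il header.s=sel1;
 dmarc=pass header.from=store.eset.co.il
From: Eset Advanced Threat Defense Team <noreply@store.eset.co.il>
To: employee@victim.example
Subject: Urgent: state-backed attack on your device
Content-Type: text/plain; charset="utf-8"

Our systems detected a state-backed actor attempting to access your device.
Download and run the cleaner: https://backend.store.eset.co.il/files/cleaner.zip
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results header into {method: result}.

    'mx; spf=pass ...; dkim=pass header.d=x.example' becomes
    {'spf': 'pass', 'dkim': 'pass', 'dkim_domain': 'x.example'}.
    The first clause is the authserv-id and is skipped.
    """
    results = {}
    clauses = " ".join(header.split()).split(";")[1:]
    for clause in clauses:
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if not m:
            continue
        results[m.group(1).lower()] = m.group(2).lower()
        d = re.search(r"header\.d=([\w.-]+)", clause)
        if d:
            results["dkim_domain"] = d.group(1).lower()
    return results


def under_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def triage(raw: str) -> dict:
    """Return authentication status plus content-based findings for a message."""
    msg = message_from_string(raw, policy=default)
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""

    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    signing_domain = auth.get("dkim_domain", "")
    findings = []
    if authenticated and not under_domain(from_domain, signing_domain):
        findings.append(f"From domain {from_domain} not aligned with DKIM d={signing_domain}")

    hosts = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        hosts.append(host)
        if not under_domain(host, signing_domain):
            findings.append(f"link host {host} outside signing domain {signing_domain}")
        if parsed.path.lower().endswith(ARCHIVE_EXT):
            findings.append(f"link to archive download: {url}")

    # Passing SPF/DKIM/DMARC only proves the message left authorised
    # infrastructure; a fully aligned message can still carry a malicious payload.
    if authenticated and findings:
        verdict = "authenticated but suspicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "no content findings"
    return {
        "authenticated": authenticated,
        "from_domain": from_domain,
        "link_hosts": hosts,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, every alignment check passes and the only finding is the archive download, which is exactly the situation described above: a mail gateway that stops at "SPF/DKIM pass" would wave it through, so content checks such as archive links and urgent instructions to run a download have to be applied regardless of authentication results.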

ESET Israel Wiper – as he dubbed the malware – “needs a physical [PC] and time to detonate.”

Since the start of the most recent Gaza–Israel conflict in October 2023, Israeli companies have repeatedly been targeted with wiper malware.

ESET confirms incident

Beaumont’s probing into the matter forced ESET Research to publicly disclose a “security incident” that happened a week ago at a partner company in Israel.

“Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology is blocking the threat and our customers are secure. ESET was not compromised and is working closely with its partner to further investigate and we continue to monitor the situation,” ESET’s research arm added.

“ESET Israel is operated by a company called ComSecure Ltd under the ESET brand – based on ESET’s statement, I presume ComSecure were the hacked party. Either way, it’s got ESET’s name on the emails and downloads and it was sent from partner infrastructure,” Beaumont noted.

For now, account compromise seems like the most likely explanation for how the attackers managed to pull this off.
