== Malware research ==

ESET dedicates part of its operations to malware research, as well as to the monitoring of [[Advanced persistent threat|advanced persistent threat groups]] and other cybercriminal groups, with 40% of the company's employees working in research.<ref>{{Cite web |last=Revue |first=I. C. T. |date=2019-04-29 |title=ICT Revue |url=https://ictrevue.hn.cz/c3-66562280-0ICT00_d-66562280-eset-uzavrel-partnerstvi-se-spolecnosti-chronicle-ze-skupiny-alphabet |access-date=2022-08-16 |website=ICT Revue |language=cs}}</ref> One of the groups that ESET tracks is [[Sandworm (hacker group)|Sandworm]]. After the [[2015 Ukraine power grid hack|2015 attack]] on the Ukrainian power grid and the global [[Petya (malware)|NotPetya]] ransomware attack in 2017 – both attributed to [[Sandworm (hacker group)|Sandworm]] – ESET discovered Sandworm (more specifically, a subgroup that ESET tracks as TeleBots) deploying a new backdoor called Exaramel, which is a version of the main [[Industroyer]] backdoor. Since Industroyer had been used in the 2016 blackout in Ukraine,<ref>{{Cite web |title=Industroyer: An in-depth look at the culprit behind Ukraine's power grid blackout |url=https://www.zdnet.com/article/industroyer-an-in-depth-look-at-the-culprit-behind-ukraines-power-grid-blackout/ |access-date=2022-08-16 |website=ZDNet |language=en}}</ref> this finding allowed ESET to link Industroyer to NotPetya, as well as to [[BlackEnergy]], which was used in the 2015 blackout.<ref>{{Cite magazine |last=Greenberg |first=Andy |title=Here's the Evidence That Links Russia's Most Brazen Cyberattacks |language=en-US |magazine=Wired |url=https://www.wired.com/story/sandworm-russia-cyberattack-links/ |access-date=2022-08-16 |issn=1059-1028}}</ref> At the time of the NotPetya outbreak, ESET and Cisco traced the starting point of the global ransomware attack to companies infected with a TeleBots backdoor, delivered through the compromise of M.E.Doc, a popular financial software package in Ukraine.<ref>{{Cite web |title=M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013 |url=https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoored-3-times-servers-left-without-updates-since-2013/ |access-date=2022-08-16 |website=BleepingComputer |language=en-us}}</ref>

In March 2021, when Microsoft released out-of-band patches to fix the [[2021 Microsoft Exchange Server data breach|ProxyLogon]] vulnerability affecting on-premises versions of [[Microsoft Exchange Server]], ESET discovered more than 10 APT groups leveraging the vulnerability to compromise Exchange servers. ProxyLogon allows an attacker to take over any reachable Exchange server, even without knowing valid account credentials.{{Citation needed|date=April 2023}} In addition, ESET found that multiple threat actors had access to the details of the vulnerabilities even before the release of the patches. Except for DLTMiner, which is linked to a known cryptomining campaign, all of these threat actors are APT groups interested in espionage: Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, ShadowPad activity, the "Opera" Cobalt Strike, IIS backdoors, Mikroceen, DLTMiner,<ref>{{Cite web |title=More hacking groups join Microsoft Exchange attack frenzy |url=https://www.bleepingcomputer.com/news/security/more-hacking-groups-join-microsoft-exchange-attack-frenzy/ |access-date=2022-08-16 |website=BleepingComputer |language=en-us}}</ref> and FamousSparrow.<ref>{{Cite web |title=Hacking group used ProxyLogon exploits to breach hotels worldwide |url=https://www.bleepingcomputer.com/news/security/hacking-group-used-proxylogon-exploits-to-breach-hotels-worldwide/ |access-date=2022-08-16 |website=BleepingComputer |language=en-us}}</ref>

Another focus of ESET's research is threats to Android devices. ESET discovered the first clipper malware in the [[Google Play|Google Play Store]], detected as Android/Clipper.C,<ref>{{Cite web |last=Goodin |first=Dan |date=2019-02-09 |title=Google Play caught hosting an app that steals users' cryptocurrency |url=https://arstechnica.com/information-technology/2019/02/google-play-caught-hosting-an-app-that-steals-users-cryptocurrency/ |access-date=2022-08-16 |website=Ars Technica |language=en-us}}</ref> which can manipulate [[Clipboard (computing)|clipboard]] content. In the case of a [[cryptocurrency]] transaction, a wallet address copied to the clipboard could be quietly switched to one belonging to the attacker.{{Citation needed|date=May 2023}}

In the area of IoT research, ESET discovered the [[Kr00k|KrØØk]] vulnerability (CVE-2019-15126) in [[Broadcom Inc.|Broadcom]] and [[Cypress Semiconductor|Cypress]] Wi-Fi chips, which results in [[Wi-Fi Protected Access|WPA2]]-encrypted traffic being encrypted with an all-zero session key following a Wi-Fi disassociation.<ref>{{Cite web |title=New Kr00k vulnerability lets attackers decrypt WiFi packets |url=https://www.zdnet.com/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/ |access-date=2022-08-16 |website=ZDNet |language=en}}</ref> ESET later discovered a related vulnerability (CVE-2020-3702) in chips by [[Qualcomm]] and [[MediaTek]], as well as in the Microsoft Azure Sphere development kit, with the main difference being that the affected traffic is not encrypted at all.<ref>{{Cite web |title=KrØØk attack variants impact Qualcomm, MediaTek Wi-Fi chips |url=https://www.bleepingcomputer.com/news/security/kr-k-attack-variants-impact-qualcomm-mediatek-wi-fi-chips/ |access-date=2022-08-16 |website=BleepingComputer |language=en-us}}</ref>

Other notable research includes the discovery of LoJax, the first [[Unified Extensible Firmware Interface|UEFI]] [[rootkit]] found in the wild, which was used in a campaign by the [[Fancy Bear|Sednit]] (aka Fancy Bear) [[Advanced persistent threat|APT]] group. LoJax is written to a system's [[Serial Peripheral Interface|SPI]] flash memory, from which it is able to survive an [[Operating system|OS]] reinstall and a [[Hard disk drive|hard disk]] replacement, and it can drop and execute malware on disk during the [[Booting|boot process]].<ref>{{Cite web |last=Dunn |first=John E. |title=Ransomware's Next Nasty Surprise: Pay Up Or We'll Brick Your PC's UEFI Firmware |url=https://www.forbes.com/sites/johndunn/2020/12/18/ransomwares-next-nasty-surprise-pay-up-or-well-brick-your-pcs-uefi-firmware/ |access-date=2022-08-16 |website=Forbes |language=en}}</ref> In 2021, ESET discovered another UEFI malware called ESPecter,<ref>{{Cite web |date=2021-10-05 |title=UEFI threats moving to the ESP: Introducing ESPecter bootkit |url=https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/ |access-date=2022-08-16 |website=WeLiveSecurity |language=en-US}}</ref> which is the second real-world bootkit after [[FinFisher|FinSpy]]<ref>{{Cite web |title=FinSpy: unseen findings |url=https://securelist.com/finspy-unseen-findings/104322/ |access-date=2022-08-16 |website=securelist.com |date=28 September 2021}}</ref> known to persist on the [[EFI system partition|EFI System Partition]] in the form of a patched Windows Boot Manager.

In 2021, ESET released the white paper ''Anatomy of native IIS malware'',<ref>{{Cite web |title=Anatomy Of Native Iis Malware |url=https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf}}</ref> which analyzed over 80 unique samples of malicious native extensions for Internet Information Services (IIS) web server software used in the wild and categorized them into 14 malware families – 10 of which were previously undocumented. Among these families, IIS malware demonstrated five main modes of operation:
* IIS backdoors, which can remotely control compromised computers;
* IIS infostealers, which steal information such as login credentials and payment information;
* IIS injectors, which modify [[Hypertext Transfer Protocol|HTTP]] responses sent to legitimate visitors to serve malicious content;
* IIS proxies, which use the compromised server as an unwitting part of the [[Botnet#Command and control|command and control]] infrastructure for another malware family; and
* SEO fraud IIS malware, which modifies the content served to [[search engine]]s.

ESET also works alongside experts from competitors and police organizations all over the world to investigate attacks. In 2018, ESET partnered with the [[European Cybercrime Centre]] – a specialist [[Europol]] team that investigates [[cybercrime]] – as a member of its Advisory Group on Internet Security.<ref>{{Cite web |last=ESET |title=ESET, the leading endpoint IT security company based in the European Union, is now a member of Europol's Advisory Group on Internet Security [Press release] |url=https://www.eset.com/int/about/newsroom/press-releases/company/european-unions-leading-it-security-company-eset-joins-europols-advisory-group-on-internet-securit-1/ |access-date=18 July 2018}}</ref><ref>{{Cite web |title=EC3 Partners |url=https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3/ec3-partners |access-date=2022-08-16 |website=Europol |language=en}}</ref> ESET partnered with law enforcement agencies worldwide and [[Microsoft]] to target the [[Dorkbot (malware)|Dorkbot]] [[botnet]] in 2015<ref>{{Cite web |title=EUROPOL WORKS WITH INTERNATIONAL PARTNERS TO TARGET DORKBOT BOTNET |url=https://www.europol.europa.eu/media-press/newsroom/news/europol-works-international-partners-to-target-dorkbot-botnet |access-date=2022-08-16 |website=Europol |language=en}}</ref> and the Gamarue (aka Andromeda) botnet in 2017.<ref>{{Cite web |title=World Police Shut Down Andromeda (Gamarue) Botnet |url=https://www.bleepingcomputer.com/news/security/world-police-shut-down-andromeda-gamarue-botnet/ |access-date=2022-08-16 |website=BleepingComputer |language=en-us}}</ref> Then in 2020, ESET partnered with [[Microsoft]], Lumen's Black Lotus Labs, and NTT Ltd. in an attempt to disrupt [[Trickbot]], another [[botnet]].<ref>{{Cite web |title=Microsoft and others orchestrate takedown of TrickBot botnet |url=https://www.zdnet.com/article/microsoft-and-other-tech-companies-orchestrate-takedown-of-trickbot-botnet/ |access-date=2022-08-16 |website=ZDNet |language=en}}</ref>