silversurfer
- Aug 17, 2014
ESET has identified two samples of the Exaramel backdoor, along with various other tools used by the attackers. Some of these tools have been seen in previous attacks launched by TeleBots, including a modified version of Mimikatz and a custom password stealer named CredRaptor. During incident response, ESET also uncovered a Linux backdoor, which the company tracks as Linux/Exaramel.A.
“The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely,” ESET said in a blog post published on Thursday.