ESET has launched an investigation after the systems of its official product distributor in Israel were abused to send out emails delivering wiper malware.
The targeted users received an email — signed by ESET’s Advanced Threat Defense (ATD) team — informing them about government-backed attackers trying to compromise their devices.
Researcher Kevin Beaumont has analyzed the attack and determined that the email passed DKIM and SPF checks, and it included a link to the ESET Israel store. In addition, ESET ATD is a real unit of the cybersecurity firm.
However, the link pointed to a ZIP file containing some ESET DLLs and an executable named ‘setup.exe’ designed to deploy a wiper malware on the victim’s system.
While reports of the malicious emails impersonating ESET have been circulating since at least October 9, ESET apparently only issued a response late last week.
“We are aware of a security incident which affected our partner company in Israel last week,” ESET said. “Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology is blocking the threat and our customers are secure. ESET was not compromised and is working closely with its partner to further investigate and we continue to monitor the situation.”
A company called Comsecure appears to be the exclusive ESET product distributor in Israel and the targets appear to have been Israeli users. At least one organization in Israel was reportedly hit by the wiper.
Beaumont has found some ties between this attack and two Iran-linked threat groups known for anti-Israel attacks: one named Handala, which according to the researcher has been defacing websites and allegedly exfiltrating data; and CyberToufan, which has been wiping systems.