Hackers breach ESET's Israeli partner and impersonate the cyber firm ESET to target Israeli companies
Take action: If you use ESET products, treat emails that appear to come from the vendor with great care. ESET's main partner in Israel has been hacked and its infrastructure used to distribute malware. Expect further phishing campaigns to follow. The attackers may also target Israeli companies that do not use ESET, so inform your contacts.
Learn More
Hackers have apparently breached the email server of Comsecure, ESET’s official partner in Israel, to launch a phishing campaign targeting Israeli businesses. The attackers used ESET branding and the legitimate email domain eset.co.il to distribute data-wiping malware disguised as an antivirus tool named "ESET Unleashed."
The emails, purporting to be from ESET's "Advanced Threat Defense Team," claimed that recipients were being targeted by state-sponsored attackers. The emails offered "ESET Unleashed," a supposed advanced security tool, to protect against the threats.
Because the phishing emails were sent from ESET's authorized Israeli email server, they passed SPF, DKIM, and DMARC checks and appeared authentic; those checks validate the sending domain, not the sender's intent.
The malicious ZIP archive, hosted on eset.co.il, contained DLL files signed with ESET's legitimate code-signing certificate and a setup executable (setup.exe). The DLLs were authentic ESET files, while setup.exe was the data wiper, designed to delete files and corrupt data partitions.
The data wiper could not execute in virtual environments but was successfully triggered on physical PCs, reaching out to a legitimate Israeli website (www.oref.org.il) during its execution. It used methods associated with the Yanluowang ransomware group to evade detection.
ESET confirmed the breach of its partner's email infrastructure but denied any compromise of its core systems. The company stated that the campaign was blocked within ten minutes of detection and that customer systems were not affected. ESET is working closely with Comsecure to investigate further and monitor the situation.
The attack’s origin remains unconfirmed, but the tactics resemble those used by pro-Palestinian groups like "Handala," which has previously targeted Israel with data wipers.