Hackers use fake crypto job offers to push info-stealing malware

A campaign run by Russian threat actors uses fake job offers to target Eastern Europeans working in the cryptocurrency industry, aiming to infect them with a modified version of the Stealerium malware named 'Enigma.'

According to Trend Micro, which has been tracking the malicious activity, the threat actors use a set of heavily obfuscated loaders that exploit an old Intel driver flaw to lower the integrity level of Microsoft Defender's process token and so bypass its protections.

Targeting victims

The attacks start with an email posing as a job offer, using fake cryptocurrency-sector interviews as the lure. The emails carry a RAR archive attachment containing a text file ("interview questions.txt") and an executable ("interview conditions.word.exe"), the latter relying on a double extension to pass for a document.

The text file contains interview questions written in Cyrillic that follow a standard format and are made to look legitimate.

If the victim is tricked into launching the executable, a chain of payloads runs that ultimately downloads the Enigma information-stealing malware from Telegram.
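The lure relies on an executable hiding behind a document-looking double extension. As an added example (not code from the article or from Trend Micro), the following Go check is what a mail-gateway or triage script could run over an archive's member listing to flag that trick. The file names are taken from the article; the extension sets and the function names are assumptions made for the example, and a real gateway would read the names from the RAR or ZIP central directory rather than from a hard-coded slice.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Extensions Windows executes directly on double-click (assumed, non-exhaustive list).
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
	".cmd": true, ".js": true, ".vbs": true, ".msi": true, ".lnk": true, ".hta": true,
}

// Extensions a lure borrows to look like a document (assumed list).
var documentExts = map[string]bool{
	".txt": true, ".doc": true, ".docx": true, ".pdf": true, ".word": true,
	".xls": true, ".xlsx": true, ".rtf": true,
}

// Verdict records why an archive member was flagged.
type Verdict struct {
	Name   string
	Reason string
}

// classifyMember returns a non-empty reason when the member name is an
// executable, and a more specific reason when it is an executable dressed
// up as a document via a double extension such as ".word.exe".
func classifyMember(name string) string {
	lower := strings.ToLower(strings.TrimSpace(name))
	base := path.Base(strings.ReplaceAll(lower, "\\", "/"))
	ext := path.Ext(base)
	if !executableExts[ext] {
		return ""
	}
	stem := strings.TrimSuffix(base, ext)
	inner := path.Ext(stem) // the "document" extension in front of the real one
	if documentExts[inner] {
		return fmt.Sprintf("executable disguised as %s document (double extension %s%s)", inner, inner, ext)
	}
	return fmt.Sprintf("executable attachment (%s)", ext)
}

// scanArchiveListing applies classifyMember to every member name and
// returns the flagged ones in listing order.
func scanArchiveListing(members []string) []Verdict {
	var out []Verdict
	for _, m := range members {
		if reason := classifyMember(m); reason != "" {
			out = append(out, Verdict{Name: m, Reason: reason})
		}
	}
	return out
}

func main() {
	// Constructed listing mirroring the RAR attachment described in the article.
	listing := []string{"interview questions.txt", "interview conditions.word.exe"}
	for _, v := range scanArchiveListing(listing) {
		fmt.Printf("FLAG %q: %s\n", v.Name, v.Reason)
	}
}
```

Matching on the member name alone is deliberately cheap; it is a triage signal to combine with the usual checks (archive inside an email from an unknown sender, executable content type, MOTW handling on extraction), not a replacement for them.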

Attack chain diagram (Trend Micro)

The first-stage downloader is a C++ program that uses techniques such as API hashing, string encryption, and junk code to evade detection while downloading and launching the second-stage payload, "UpdateTask.dll."

The second-stage payload, also written in C++, uses the "Bring Your Own Vulnerable Driver" (BYOVD) technique to exploit CVE-2015-2291, a flaw in a legitimately signed Intel driver that allows commands to be executed with kernel privileges.

The threat actors abuse this kernel access to lower the integrity level of Defender's process token, effectively disabling Microsoft Defender before the malware downloads the third payload.

Defender's token integrity modification (Trend Micro)

The third stage downloads the final payload, Enigma Stealer, from a private Telegram channel. Trend Micro says it is a modified version of Stealerium, an open-source information stealer.

Enigma targets system information, tokens, and passwords stored in web browsers such as Google Chrome, Microsoft Edge, Opera, and others. It also targets data stored in Microsoft Outlook, Telegram, Signal, OpenVPN, and other applications.

Enigma can also capture screenshots of the compromised system and extract clipboard contents and VPN configurations.

Enigma's stealing logic (Trend Micro)

Finally, all stolen data is compressed into a ZIP archive ("Data.zip") and sent back to the threat actors via Telegram.

Some of Enigma's strings, such as web browser paths and geolocation API service URLs, are encrypted with AES in cipher-block chaining (CBC) mode, likely to hide the data from static analysis. Note that this is obfuscation rather than protection: the sample must carry the decryption key in order to use the strings at runtime, and unauthenticated CBC offers no tamper detection, so an analyst who recovers the key can decrypt the whole string table.
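To make that concrete, here is an added Go example (not Enigma's or Stealerium's code, and not from Trend Micro's report) of the pattern: a string table encrypted at build time with AES-CBC and decrypted at runtime, which is also exactly the decryptor an analyst writes once the key is pulled out of the sample. The key, the IV-prefixed blob layout, the PKCS#7 padding, the table contents and the function names are all assumptions for the example; the geolocation URL is a placeholder. The `flipFirstByte` helper demonstrates the caveat above: because CBC is unauthenticated, flipping one IV byte rewrites the first plaintext byte and the blob still decrypts cleanly.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed key for the demo. In a real sample the key is embedded in
// (or derived from data embedded in) the binary and must be recovered first.
var demoKey = []byte("0123456789abcdef") // AES-128

// pkcs7Pad pads b up to a multiple of the AES block size.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips PKCS#7 padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptString models build-time obfuscation: returns IV || AES-CBC(key, pad(s)).
func encryptString(key []byte, s string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	pt := pkcs7Pad([]byte(s))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...), nil
}

// decryptString is the runtime routine the stealer needs, and therefore
// also the analyst's decryptor once the key is known.
func decryptString(key, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return "", errors.New("blob too short or not block aligned")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	out, err := pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// flipFirstByte XORs IV byte 0 so that plaintext byte 0 changes from `from`
// to `to`. Only the first block is affected, so padding stays valid: CBC
// without a MAC cannot detect this edit.
func flipFirstByte(blob []byte, from, to byte) []byte {
	out := append([]byte(nil), blob...)
	out[0] ^= from ^ to
	return out
}

func main() {
	// Constructed string table standing in for browser paths and API URLs.
	table := []string{
		`\Google\Chrome\User Data\Default\Login Data`,
		`https://geo.example/json`, // hypothetical geolocation endpoint
	}
	for _, s := range table {
		blob, err := encryptString(demoKey, s)
		if err != nil {
			panic(err)
		}
		got, err := decryptString(demoKey, blob)
		fmt.Printf("%x... -> %q (err=%v)\n", blob[:8], got, err)
		forged, err := decryptString(demoKey, flipFirstByte(blob, s[0], 'X'))
		fmt.Printf("after IV flip: %q (err=%v)\n", forged, err)
	}
}
```

When testing candidate keys against a recovered string table, padding errors on most entries are the quick sign of a wrong key; a correct key yields printable paths and URLs across the whole table.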

String encryption logic (Trend Micro)

Attribution

Trend Micro has not made an attribution with strong confidence but found several elements that may indicate a Russian threat actor is behind the attacks.

The first clue is that one of the logging servers used in this campaign to track the execution flow of active infections hosts an Amadey C2 panel, which is quite popular on Russian cybercrime forums.

Second, the server runs "Deniska," a special-purpose Linux system referenced only on Russian-speaking forums.

Finally, the server's default time zone is set to Moscow, another indicator that the threat actors are Russian.

It is more common to see North Korean threat actors running fake job offer campaigns against people working in the fintech industry, so Russian actors adopting this theme is an interesting development.
