Threat actors suspected to be from Russia have been targeting Eastern European users in the cryptocurrency industry, using fake job opportunities as bait to install information-stealing malware on their devices.

Trend Micro researchers Aliakbar Zahravi and Peter Girnus said in a report this week that the attackers “use several highly obfuscated and under-development custom loaders in order to infect those involved in the cryptocurrency industry with Enigma stealer.”

Enigma is said to be a modified version of Stealerium, an open-source C#-based malware that acts as a stealer, clipper, and keylogger.

While bogus job offers are a tried-and-tested tactic of the North Korea-backed Lazarus Group in its attacks on the crypto sector, the adoption of the same lure by Russian threat actors shows that it remains a persistent and lucrative attack vector.

Stage 1

The attack begins with a rogue RAR archive distributed via phishing or social media platforms. The archive contains two documents: a .TXT file with a set of sample interview questions related to cryptocurrency, and a Microsoft Word file.

The Word document launches the first-stage Enigma loader, which in turn downloads and executes an obfuscated second-stage payload via the messaging app Telegram.

The malware queries an attacker-controlled Telegram channel for the path of the next-stage file. This lets the attackers update the malware continuously and removes any reliance on fixed file names, so they can keep changing the malware's signatures, making it harder to detect with traditional anti-malware software.

Stage 2

The second-stage downloader, which runs with elevated privileges, disables Microsoft Defender and installs the third stage by deploying a legitimately signed Intel kernel-mode driver that is vulnerable to CVE-2015-2291, a technique known as Bring Your Own Vulnerable Driver (BYOVD).

Stage 3

The third-stage payload paves the way for downloading Enigma Stealer from an actor-controlled Telegram channel. Like other stealers, the malware comes with multiple features to harvest sensitive information, record keystrokes, and capture screenshots, all of which are exfiltrated via the Telegram channel.