Posted on February 6, 2023 at 8:27 PM
Russian threat actors launch malware campaigns using the Enigma info-stealing malware
Russian hacking groups have used fake job offers to run malicious campaigns in Eastern Europe. The campaign targets people working in the cryptocurrency sector, with the hackers seeking to deploy information-stealing malware on their devices. The malware is a version of the Stealerium malware known as Enigma.
Hackers deploy info-stealing malware using fake crypto job offers
A report by Trend Micro detailed the operations of these hackers, whose activity the company has been analyzing closely. According to Trend Micro, the hackers use a set of obfuscated loaders that exploit an old Intel driver flaw.
Through this exploit, the hackers lower the token integrity of Microsoft Defender and bypass the security measures built into the target’s device.
These malicious campaigns begin with an email that pretends to be a job offer from a cryptocurrency company; applicants are also lured with fake cryptocurrency interviews. The emails sent to the targets carry a RAR archive attachment presented as part of the job application process. The archive contains a text file (interview questions.txt) and an executable (interview conditions.word.exe).
The text file contains interview questions written in Cyrillic. The questions follow a standard format and appear legitimate. The hackers have gone to some length to ensure that targets will not become suspicious, as everything about the job and the interview looks authentic.
However, once the victim launches the executable, it deploys a chain of payloads on the device. These payloads eventually download the Enigma malware from Telegram, which is then used to steal information from the target’s device.
The first-stage downloader is written in C++. It uses techniques such as API hashing, string encryption, and junk code to avoid detection while it downloads and launches the second-stage payload, dubbed “UpdateTask.dll.”
The second-stage payload is also written in C++. It uses a “Bring Your Own Vulnerable Driver” (BYOVD) technique to exploit the flaw tracked as CVE-2015-2291. This Intel driver vulnerability lets the attacker execute commands on the target with kernel privileges.
This flaw is popular with threat actors and is commonly used by hackers who want to disable Microsoft Defender. Once Defender is disabled, the threat actors download the third payload to ensure they can bypass the remaining security systems.
The third-stage payload downloads the final payload, the Enigma info-stealing malware, from a private Telegram channel. According to Trend Micro, Enigma is a modified version of another malware used for the same purpose, known as Stealerium.
The Enigma info-stealer collects various information, including system details, tokens, and passwords, from web browsers such as Google Chrome, Opera, and Microsoft Edge. It can also access data stored by other apps such as Telegram, Signal, Microsoft Outlook, and OpenVPN, among others.
The malware supports many other functions, such as capturing screenshots of the affected system and extracting clipboard content or VPN configurations. The stolen data is compressed into a single ZIP archive named Data.zip before being sent to the threat actors via Telegram.
Some of Enigma’s strings, including the web browser paths and the geolocation API service URLs, are encrypted with AES in cipher-block chaining (CBC) mode. The encryption hides these strings from inspection and keeps them from being read or tampered with without the key.
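As an added, defender-side example that is not part of this article or of Trend Micro’s report: the Python script below parses a constructed endpoint telemetry feed and flags the shape of the chain described above, namely a document-looking executable inside the lure archive, that executable being launched, UpdateTask.dll loaded from a user-writable directory, a driver loaded from the same kind of path (the BYOVD step), a connection to the Telegram API, and the staged Data.zip. The log format, the user name, the driver file name drv.sys, and the hostname api.telegram.org are assumptions; only the two lure file names, UpdateTask.dll and Data.zip come from the article.

```python
import re

# Constructed sample telemetry (not from the report). Paths, the user "ivan",
# the archive name and the driver name "drv.sys" are placeholders; only the
# lure file names, UpdateTask.dll and Data.zip are taken from the article.
SAMPLE_LOG = r'''
2023-02-06T19:12:01Z ARCHIVE_OPEN archive="job_offer.rar" member="interview questions.txt"
2023-02-06T19:12:01Z ARCHIVE_OPEN archive="job_offer.rar" member="interview conditions.word.exe"
2023-02-06T19:12:09Z PROCESS_START image="C:\Users\ivan\Downloads\job_offer\interview conditions.word.exe" parent="C:\Program Files\WinRAR\WinRAR.exe"
2023-02-06T19:12:15Z IMAGE_LOAD process="interview conditions.word.exe" module="C:\Users\ivan\AppData\Local\Temp\UpdateTask.dll"
2023-02-06T19:12:20Z DRIVER_LOAD path="C:\Users\ivan\AppData\Local\Temp\drv.sys" signed="true"
2023-02-06T19:12:40Z PROCESS_START image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe"
2023-02-06T19:13:02Z NET_CONNECT process="interview conditions.word.exe" dest="api.telegram.org" port="443"
2023-02-06T19:13:30Z FILE_CREATE path="C:\Users\ivan\AppData\Local\Temp\Data.zip"
'''

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumed host for the Telegram Bot API; the article only says "Telegram".
TELEGRAM_API_HOST = "api.telegram.org"
DOC_LIKE = {"doc", "docx", "word", "pdf", "txt", "xls", "xlsx", "ppt", "pptx"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "dll"}
# Directories a standard user can write to; a driver or loader living here is suspicious.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def parse_line(line):
    """Turn one 'TIMESTAMP EVENT key="value" ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_disguised_executable(name):
    """'interview conditions.word.exe': a document-looking token right before an executable extension."""
    parts = basename(name).lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_LIKE and parts[2] in EXEC_EXT


def in_user_writable_dir(path):
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def triage(log_text):
    """Return (timestamp, rule, detail) tuples for every event matching one stage of the chain."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        ev = rec["event"]
        if ev == "ARCHIVE_OPEN" and is_disguised_executable(rec.get("member", "")):
            findings.append((rec["ts"], "lure_archive_disguised_exe", rec["member"]))
        elif ev == "PROCESS_START" and is_disguised_executable(rec.get("image", "")):
            findings.append((rec["ts"], "disguised_exe_executed", basename(rec["image"])))
        elif ev == "IMAGE_LOAD":
            mod = rec.get("module", "")
            if basename(mod).lower() == "updatetask.dll" and in_user_writable_dir(mod):
                findings.append((rec["ts"], "second_stage_loader", mod))
        elif ev == "DRIVER_LOAD" and in_user_writable_dir(rec.get("path", "")):
            # A driver dropped into a temp directory, even a validly signed one,
            # is the BYOVD shape the article describes for CVE-2015-2291.
            findings.append((rec["ts"], "driver_from_user_writable_path", rec["path"]))
        elif ev == "NET_CONNECT" and rec.get("dest", "").lower() == TELEGRAM_API_HOST:
            findings.append((rec["ts"], "telegram_api_contact", rec.get("process", "")))
        elif ev == "FILE_CREATE" and basename(rec.get("path", "")).lower() == "data.zip":
            findings.append((rec["ts"], "exfil_archive_staged", rec["path"]))
    return findings


def verdict(findings):
    """Three or more distinct stages on one host is treated as the full chain rather than a one-off hit."""
    stages = {rule for _, rule, _ in findings}
    return "enigma_like_chain" if len(stages) >= 3 else "benign_or_insufficient"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for ts, rule, detail in hits:
        print(ts, rule, detail)
    print("verdict:", verdict(hits))
```

The individual rules are deliberately loose (any document-looking double extension, any driver from a temp directory) so that a renamed loader or a different vulnerable driver still trips them; the verdict then relies on several stages co-occurring, which is what separates this chain from a lone false positive.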
Malware deployment attributed to Russian threat actors
Trend Micro has not attributed this malware to a specific threat actor group. However, there are signs that Russian threat actors ran the campaign. One sign is that the logging servers used during the campaign to track the victims’ execution flow run an Amadey C2 panel that is popular with cybercrime groups in Russia.
The second sign is that the server runs “Deniska,” a special-purpose Linux system used only in Russian-speaking forums. The default time zone is set to Moscow, which further indicates that the threat actors are of Russian origin.
On the other hand, North Korean threat actors are also known to run campaigns promoting fake job offers that target the fintech industry.