Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
According to recent reports, suspected Russian threat actors have been targeting users in the crypto industry in Eastern Europe with fake job opportunities. The attackers are using these job offers as a lure to trick users into downloading and installing malware onto their systems, which is designed to steal sensitive information such as login credentials and cryptocurrency wallet keys.
Recent reports suggest that the alleged Russian threat actors are using multiple highly obfuscated, still-under-development custom loaders to deliver the Enigma information stealer. Enigma harvests cryptocurrency wallet data, login credentials and personal information. Because the loaders are custom and heavily obfuscated, signature-based antivirus and other traditional controls are less likely to detect and block the chain before the stealer runs.
The attackers also exploit a known vulnerability in an Intel Ethernet diagnostics driver (CVE-2015-2291) in a BYOVD (Bring Your Own Vulnerable Driver) attack: the legitimately signed but vulnerable driver is dropped and loaded, and the kernel-level access it provides is used to reduce the token integrity of Microsoft Defender so that the product can no longer interfere with the rest of the chain.
The attackers are said to distribute a rogue RAR archive via phishing or social media platforms. The archive contains two files: a .TXT document with a set of sample interview questions related to cryptocurrency, and a second file presented as the interview conditions in Word format. That second file is not a document but an executable with a double extension (.word.exe), which is how the lure gets the victim to run it.
Opening the .TXT file shows only the interview questions. Running the disguised executable launches the first-stage Enigma loader, which fetches the next stage from attacker-controlled Telegram infrastructure.
“To download the next stage payload, the malware first sends a request to the attacker-controlled Telegram channel https://api[.]telegram[.]org/bot{token}/getFile to obtain the file_path. This approach allows the attacker to continuously update and eliminates reliance on fixed file names.”
UpdatTask.dll, the second-stage malware, is a C++ dynamic-link library (DLL) with two export functions, DllEntryPoint and Entry. This payload disables Microsoft Defender by exploiting CVE-2015-2291 using the BYOVD approach described above. The malware then downloads and runs the third-stage payload, which in turn downloads the Enigma stealer.
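The two observable artefacts in the staging chain above, the Bot API `getFile` request (and the file download that follows it) and the load of the vulnerable Intel driver, are both cheap to detect from endpoint telemetry. The following detector is an added example written for this advisory, not code from the original report or from the attackers' toolchain. It runs two rules over constructed sample events: Bot API use by any process other than an allow-listed Telegram client, and a driver load whose image name matches the IQVW32.sys/IQVW64.sys files covered by CVE-2015-2291. The allow-list, the event field names, the bot token and the file paths are assumptions made for the example; the Bot API URL shapes (`/bot<token>/<method>` and `/file/bot<token>/<file_path>`) are Telegram's documented ones.

```python
import re
from typing import Dict, Iterable, List

# Telegram bot tokens have the shape <bot_id>:<secret>. Method calls go to
# /bot<token>/<method>; staged files are fetched from /file/bot<token>/<file_path>.
BOT_TOKEN = r"(?P<token>\d+:[A-Za-z0-9_-]{30,})"
BOT_METHOD_RE = re.compile(r"^/bot" + BOT_TOKEN + r"/(?P<method>[A-Za-z]+)")
BOT_FILE_RE = re.compile(r"^/file/bot" + BOT_TOKEN + r"/(?P<path>.+)$")

# Assumption for this example: only the desktop client should talk to the Bot API
# host on a workstation. Tune this to what is actually deployed in your estate.
ALLOWED_TELEGRAM_PROCS = {"telegram.exe"}

# Driver images covered by CVE-2015-2291 (Intel Ethernet diagnostics driver).
VULN_DRIVERS = {"iqvw32.sys", "iqvw64.sys"}


def redact_token(token: str) -> str:
    """Keep the bot id and a short prefix of the secret so alerts stay correlatable."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}..."


def check_network(event: Dict[str, str]) -> List[str]:
    """Flag Bot API method calls and file downloads from non-allow-listed processes."""
    alerts: List[str] = []
    if event.get("host", "").lower() != "api.telegram.org":
        return alerts
    proc = event.get("process", "").lower()
    if proc in ALLOWED_TELEGRAM_PROCS:
        return alerts
    path = event.get("path", "")
    m = BOT_METHOD_RE.match(path)
    if m:
        alerts.append(f"{proc} called Bot API {m['method']} "
                      f"with token {redact_token(m['token'])}")
    m = BOT_FILE_RE.match(path)
    if m:
        alerts.append(f"{proc} downloaded staged file {m['path']} "
                      f"via token {redact_token(m['token'])}")
    return alerts


def check_driver_load(event: Dict[str, str]) -> List[str]:
    """Flag a load of the vulnerable Intel driver (Sysmon Event ID 6 shaped event)."""
    image = event.get("image", "")
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in VULN_DRIVERS:
        return [f"BYOVD candidate: vulnerable driver loaded from {image}"]
    return []


def analyze(events: Iterable[Dict[str, str]]) -> List[str]:
    """Run every rule over a stream of endpoint events and collect the alerts."""
    alerts: List[str] = []
    for ev in events:
        if ev.get("type") == "net":
            alerts.extend(check_network(ev))
        elif ev.get("type") == "driver":
            alerts.extend(check_driver_load(ev))
    return alerts


# Constructed sample telemetry for the example (token, paths and process names invented).
_TOKEN = "123456789:AAFabcdefghijklmnopqrstuvwxyz012345"
SAMPLE_EVENTS = [
    # Legitimate client polling its own bot: allow-listed, no alert.
    {"type": "net", "process": "Telegram.exe", "host": "api.telegram.org",
     "path": f"/bot{_TOKEN}/getUpdates"},
    # Lure executable resolving the file_path of the next stage.
    {"type": "net", "process": "interview conditions.word.exe", "host": "api.telegram.org",
     "path": f"/bot{_TOKEN}/getFile?file_id=BQACAgIAAxkDAAIB"},
    # ...then pulling the staged DLL down.
    {"type": "net", "process": "interview conditions.word.exe", "host": "api.telegram.org",
     "path": f"/file/bot{_TOKEN}/documents/file_3.dll"},
    # Unrelated browsing: no alert.
    {"type": "net", "process": "chrome.exe", "host": "www.example.com", "path": "/"},
    # Vulnerable Intel driver dropped to a world-writable path and loaded.
    {"type": "driver", "image": r"C:\Users\Public\iqvw64.sys"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

Running the block prints three alerts: the `getFile` call and the `documents/file_3.dll` download from the lure process, and the driver load. On a real estate the network rule should be fed from proxy or EDR telemetry that records the requesting process, since the Bot API host is also used by legitimate automation; the driver rule is independent of the process and is a good candidate for a hard block via the Microsoft vulnerable driver blocklist rather than just an alert.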
The Enigma stealer harvests sensitive information, records keystrokes and captures screenshots, and exfiltrates the stolen data through Telegram. It targets a range of browsers and applications, including Google Chrome, Microsoft Edge, Microsoft Outlook, Telegram, Signal and OpenVPN, and can steal login credentials, financial information and personal data from them.
The fake employment offer is the same lure the North Korean-backed Lazarus Group uses in its cryptocurrency attacks. Its adoption by Russian threat actors shows that it remains a reliable and lucrative attack vector.
“Furthermore, this case highlights the evolving nature of modular malware that employs highly obfuscated and evasive techniques along with the utilization of continuous integration and continuous delivery (CI/CD) principles for continuous malware development,” the researchers conclude.
To protect themselves against the Enigma campaign, organizations should remain vigilant against phishing and educate employees about the risks of clicking suspicious links or opening unsolicited attachments, including archives that arrive with job offers. Individuals should be wary of social media posts or messages offering employment, especially during times of economic uncertainty. Security teams can also use the chain's own artefacts as checks: treat an executable with a document-style double extension inside an archive as hostile; alert on processes other than a known Telegram client contacting api.telegram.org, since both staging and exfiltration in this campaign go through the Telegram Bot API; and block loading of the Intel driver covered by CVE-2015-2291 (for example through the Microsoft vulnerable driver blocklist), which neutralizes the BYOVD step that is used to disable Microsoft Defender.