Suspected Russian hackers are using an information stealer named Enigma to target Eastern Europeans with fake cryptocurrency job offers. The attackers also use a set of heavily obfuscated loaders that exploit a vulnerability in an Intel driver to load a malicious driver, which lowers the token integrity level of Microsoft Defender so that its protections can be bypassed.

Infection chain

According to Trend Micro, the infection chain starts with a phishing email or direct message, usually sent through social media.
  • The message carries a malicious RAR archive attachment that contains a text file and an executable.
  • The text file contains sample interview questions written in Cyrillic. It props up the fake cryptocurrency job opening and poses as help with preparing for the interview.
  • The executable, which masquerades as a legitimate Word document, contains the first-stage Enigma loader.
  • The lure is designed to get the victim to execute the loader, which then begins the registration process and downloads the second-stage payload.
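The lure above works because the victim sees a "document" that is really a PE file. The following script is an added example (it is not Trend Micro's or Cyware's code, and the search path and extension lists are assumptions) that scans a folder where an extracted attachment would land and flags executables masquerading as documents, using two heuristics: an MZ header under a document extension, and a double extension such as "questions.docx.exe".

```powershell
# Added example, not code from Trend Micro or Cyware. Default path and extension
# lists are assumptions; adjust them for the environment being checked.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

$documentExt   = @('.doc', '.docx', '.rtf', '.pdf', '.txt')
$executableExt = @('.exe', '.scr', '.com', '.pif')

function Test-PEHeader {
    param([string]$FilePath)
    # Read only the first two bytes: "MZ" marks a DOS/PE executable whatever the file is called.
    $stream = [System.IO.File]::Open($FilePath, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 2
        $n = $stream.Read($buf, 0, 2)
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally {
        $stream.Dispose()
    }
}

Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $file  = $_
    $ext   = $file.Extension.ToLowerInvariant()
    # Extension of the name with the last extension stripped, e.g. ".docx" in "questions.docx.exe"
    $inner = [System.IO.Path]::GetExtension(
                 [System.IO.Path]::GetFileNameWithoutExtension($file.Name)).ToLowerInvariant()
    $reasons = @()

    if (($documentExt -contains $ext) -and (Test-PEHeader $file.FullName)) {
        $reasons += 'PE header (MZ) under a document extension'
    }
    if (($executableExt -contains $ext) -and ($documentExt -contains $inner)) {
        $reasons += "double extension $inner$ext"
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            File    = $file.FullName
            SHA256  = (Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash
            Reasons = $reasons -join '; '
        }
    }
}
```

Run it as `.\Find-MasqueradingExecutables.ps1 -Path C:\Users\alice\Downloads\extracted`. It does not detect a plain `.exe` that merely carries a Word icon, which is the page's actual case; for that, hide-known-extensions must be off so the `.exe` is visible, or the archive contents should be inspected before extraction.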

Malware functionality

Enigma is a modified version of Stealerium, an open-source information stealer. Its loader is written in C++ and uses API hashing, string encryption, and junk (irrelevant) code to evade detection.
  • The malware is delivered through multi-stage payloads (obfuscated loaders) named EnigmaDownloader_s001, EnigmaDownloader_s002, and EnigmaDownloader_s003.
  • The loader chain exploits a vulnerability in an Intel driver (CVE-2015-2291, in the iqvw64.sys Ethernet diagnostics driver) to load a malicious driver that patches Microsoft Defender's token integrity level, forcibly lowering it from System to Untrusted. Running at Untrusted integrity, Defender can no longer open the higher-integrity objects it needs, so its protections are effectively disabled.
  • The final stage deploys the Enigma Stealer, which initializes its configuration on execution and sets up its working directory.
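The driver-abuse stage leaves artifacts that can be hunted for. The following script is an added example (not Trend Micro's or Cyware's code; the search roots and the Sysmon log name are assumptions) that checks for the vulnerable Intel driver on disk or loaded as a kernel service, whether the platform would have blocked it, and whether Defender is still healthy. Run it in an elevated PowerShell session.

```powershell
# Added example, not code from Trend Micro or Cyware. Search roots and the Sysmon
# channel name are assumptions; the CIM classes and Defender cmdlets are standard.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Vulnerable driver registered as a kernel service, or present on disk.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'iqvw64' } |
    ForEach-Object { $findings.Add("Driver service '$($_.Name)' state=$($_.State) path=$($_.PathName)") }

$searchRoots = @("$env:SystemRoot\System32\drivers", $env:ProgramData, $env:TEMP,
                 (Join-Path $env:USERPROFILE 'Downloads'))
Get-ChildItem -Path $searchRoots -Filter 'iqvw64*.sys' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        # The driver is dangerous precisely because it is legitimately signed, so a
        # "Valid" signature status is not a clean bill of health here.
        $findings.Add("On disk: $($_.FullName) sha256=$hash signer='$($sig.SignerCertificate.Subject)' status=$($sig.Status)")
    }

# 2. Driver-load telemetry, if Sysmon is installed (Event ID 6 = DriverLoad).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'iqvw64' } |
    ForEach-Object { $findings.Add("Sysmon DriverLoad at $($_.TimeCreated): $($_.Message -replace '\s+', ' ')") }

# 3. Would the OS have refused the driver? HVCI (SecurityServicesRunning contains 2)
#    enforces Microsoft's vulnerable driver blocklist; Windows 11 22H2+ also exposes a
#    separate toggle for the blocklist in the CI\Config key.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or $dg.SecurityServicesRunning -notcontains 2) {
    $findings.Add('HVCI is not running; memory integrity is not enforcing the vulnerable driver blocklist')
}
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
if (-not $ci -or $ci.VulnerableDriverBlocklistEnable -ne 1) {
    $findings.Add('VulnerableDriverBlocklistEnable is not set to 1')
}

# 4. Defender health. A tampered token is not reported directly, but its effects
#    (service or real-time protection off) are.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add('Get-MpComputerStatus failed: Defender platform unavailable or disabled')
} else {
    if (-not $mp.AMServiceEnabled)          { $findings.Add('Defender antimalware service is not enabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
    if (-not $mp.IsTamperProtected)         { $findings.Add('Defender tamper protection is off') }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

The token integrity of the Defender engine itself is easiest to confirm visually: the Integrity column in Process Explorer should show System for MsMpEng.exe; anything lower on a running Defender is the tampering described above.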

Malware infrastructure

  • Enigma uses two servers in its operation. The first uses Telegram for delivering payloads, sending commands, and receiving payload updates. The second is used for DevOps and logging purposes.
  • The payload sends an execution log at each stage to the logging server, which the operators use to track and improve the malware.
  • The payload was also observed using an Amadey C2 panel for polling and reconnaissance.
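Because payload delivery and exfiltration go through Telegram, the Telegram Bot API endpoint (api.telegram.org) is a useful network indicator on a host. The following script is an added example (not Trend Micro's or Cyware's code; the browser allowlist is an assumption) that resolves the endpoint, lists established connections to it with their owning process, and flags any process that is not a browser. It needs DNS, so run it on the suspect host while it is online.

```powershell
# Added example, not code from Trend Micro or Cyware. The allowlist is an assumption:
# the official Telegram desktop client uses its own data centres, not the Bot API,
# so a messenger is deliberately not on it.
$allowedImages = @('chrome.exe', 'msedge.exe', 'firefox.exe')

$apiAddresses = (Resolve-DnsName -Name 'api.telegram.org' -Type A -ErrorAction SilentlyContinue).IPAddress
if (-not $apiAddresses) { throw 'Could not resolve api.telegram.org' }

# Cached DNS answers outlive the connection; useful when you reach the host late.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match 'telegram' } |
    Select-Object Entry, Data, TimeToLive

Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $apiAddresses -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $image = if ($proc -and $proc.Path) {
                     [System.IO.Path]::GetFileName($proc.Path).ToLowerInvariant()
                 } else { '<unknown>' }
        [pscustomobject]@{
            Pid        = $_.OwningProcess
            Image      = $image
            Path       = $proc.Path
            Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
            Suspicious = ($allowedImages -notcontains $image)
        }
    } | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Legitimate bot automation in an organization will also show up here; tune the allowlist to the images that are expected to use the Bot API rather than suppressing the check.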

Malware capabilities

  • Enigma collects system information and steals user information, tokens, and passwords from various web browsers and apps, including Google Chrome, Microsoft Edge, Microsoft Outlook, OpenVPN, Signal, and Telegram.
  • It captures screenshots and extracts clipboard content and VPN configurations from the infected device. It compresses the collected information and exfiltrates it to the attacker via Telegram.

Conclusion

Experts note that Enigma is under continuous development: the attackers use heavily obfuscated, evasive techniques and CI/CD principles. Individuals should keep their security solutions updated and remain wary of social media posts or phishing attempts that offer job opportunities or salary increases.
Cyware Publisher