virtually Enigma info-stealing malware targets the cryptocurrency industrySecurity Affairs will cowl the most recent and most present help simply concerning the world. gate slowly therefore you comprehend skillfully and appropriately. will enhance your data adroitly and reliably
Suspected Russian risk actors have been focusing on cryptocurrency customers in Jap Europe with the Enigma data-stealing malware.
A malware marketing campaign by alleged Russian risk actors has focused Jap European customers within the crypto business. Attackers are sending emails with bogus job alternatives as bait in an try to trick victims into putting in Enigma data-stealing malware.
The attackers used a number of extremely obfuscated and in-development customized loaders to ship the Enigma thief.
The attacker additionally exploits the CVE-2015-2291 failure in an Intel driver to carry out BYOVD assaults and cut back Microsoft Defender token integrity.
Enigma is a modified model of Stealerium info-stealer, which is an open supply C#-based malware that additionally helps clipper and keylogger capabilities.
The assault chain begins with phishing emails or social media messages distributing a RAR file. The archive comprises two information, Interview Questions.txt and Interview Circumstances.phrase.exe. The information increase an interview for a faux cryptocurrency position or job supply.
“One file, Interview Questions.txt, contains sample interview questions written in Cyrillic. This serves to further legitimize the package in the eyes of the victim and divert attention from the malicious binary.” read the analysis published by Trend Micro. “The other file Interview conditions.word.exe contains the first stage Enigma loader. This file, which also masquerades as a legitimate Word document, is designed to lure unsuspecting victims into running the loader. Once executed, the Enigma loader begins recording and downloading the second stage payload.”
Experts observed the Enigma thief using two servers in his operation. The former uses Telegram to deliver payloads, send commands, and receive the payload heartbeat. The second server (193[.]56[.]146[.]29) is used for DevOps and logging purposes. The malicious payload sends its execution log to the logging server.
Opening the Microsoft Word document launches the first-stage Enigma loader which, in turn, downloads and executes a secondary-stage obfuscated payload via Telegram.
“To download the next stage payload, the malware first sends a request to the attacker-controlled Telegram channel https://api[.]telegram[.]org/bottoken/getFile to get file_path. This approach allows the attacker to continually update and removes the reliance on fixed filenames.” report continues.
Second stage malware, UpdateTask.dll, is a dynamic link library (DLL) written in C++ that includes two export functions, DllEntryPoint and Entry. This payload disables Microsoft Defender via the BYOVD technique by exploiting the CVE-2015-2291 flaw. The malware then downloads and executes the third stage payload, which in turn downloads the Enigma Stealer.
The Enigma Thief allows you to collect sensitive information, record keystrokes and capture screenshots. The stolen data is leaked through Telegram. The malware can target various web browsers and apps like Google Chrome, Microsoft Edge, Microsoft Outlook, Telegram, Signal, OpenVPN, and others.
Follow me on twitter: @safetyissues and Fb and Mastodon
Pierluigi Paganini
(Safety Points – hacking, Enigma)
share on
I hope the article about Enigma info-stealing malware targets the cryptocurrency industrySecurity Affairs provides acuteness to you and is beneficial for including as much as your data
Enigma info-stealing malware targets the cryptocurrency industrySecurity Affairs
