The New Threats to Cryptocurrency Users


Suspected Russian threat actors are targeting Eastern European users in the cryptocurrency industry with bogus job offers as bait to install information-stealing malware on compromised hosts.

In a report this week, Trend Micro researchers Aliakbar Zahravi and Peter Girnus wrote that the attackers “infected cryptocurrency industry players with Enigma stealer using a highly obfuscated custom loader under development.”

Enigma is said to be a modified version of Stealerium, an open-source C#-based malware that functions as a stealer, clipper, and keylogger.

The complex infection chain begins with a malicious RAR archive distributed via phishing and social media platforms. The archive contains two documents, one of which is a .TXT file with a set of sample interview questions related to cryptocurrencies.

The second file is a Microsoft Word document that acts as a decoy and is responsible for launching the first-stage Enigma loader, which in turn downloads and executes the obfuscated second-stage payload via Telegram.

“To download the next stage payload, the malware first sends a request to an attacker-controlled Telegram channel. […] This approach allows attackers to continuously update and eliminate reliance on fixed filenames,” the researchers said.

The second-stage downloader, running with elevated privileges, disables Microsoft Defender and loads a legitimately signed Intel kernel-mode driver vulnerable to CVE-2015-2291, a technique known as Bring Your Own Vulnerable Driver (BYOVD), in order to install the third stage.

It is worth noting that the US Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of exploitation in the wild.
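From a detection standpoint, the useful signal in the chain above is the ordering: Defender's real-time protection goes off, then a signed but known-vulnerable driver is loaded on the same host. The following Python is an added example (not code from the Trend Micro report or the article) that correlates those two events over constructed sample telemetry; the Sysmon/Defender event IDs are standard, but the driver file name associated with CVE-2015-2291 and the alert window are assumptions.

```python
"""Added example (not from the Trend Micro report): flag the BYOVD sequence the
article describes, a Microsoft Defender real-time-protection-disabled event
followed on the same host by a load of a known-vulnerable, legitimately signed
driver.  Log lines and the blocklist below are constructed for illustration."""
import json
from datetime import datetime, timedelta

# Constructed blocklist. In production, populate it from Microsoft's vulnerable
# driver blocklist; the Intel diagnostics driver name is an assumption here.
VULNERABLE_DRIVERS = {"iqvw64e.sys": "CVE-2015-2291"}
DEFENDER = "Microsoft-Windows-Windows Defender"   # event 5001: real-time protection off
SYSMON = "Microsoft-Windows-Sysmon"               # event 6: driver loaded
WINDOW = timedelta(minutes=10)                    # assumed correlation window

def parse(line):
    ev = json.loads(line)
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev

def find_byovd_sequences(lines, window=WINDOW):
    """Return (host, driver, cve, seconds_after_defender_off) tuples for every
    vulnerable driver load within `window` of Defender being disabled on that host."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["time"])
    defender_off = {}  # host -> time real-time protection was last disabled
    hits = []
    for ev in events:
        host = ev["host"]
        if ev["provider"] == DEFENDER and ev["event_id"] == 5001:
            defender_off[host] = ev["time"]
        elif ev["provider"] == SYSMON and ev["event_id"] == 6:
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            cve = VULNERABLE_DRIVERS.get(name)
            off = defender_off.get(host)
            if cve and off is not None and timedelta(0) <= ev["time"] - off <= window:
                hits.append((host, name, cve, int((ev["time"] - off).total_seconds())))
    return hits

# Constructed sample telemetry: ws01 shows the full sequence, ws02 loads the
# driver with no preceding Defender event, and ws01's benign driver load is ignored.
SAMPLE_LOGS = [
    r'{"time": "2023-02-13T09:00:00", "host": "ws01", "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001}',
    r'{"time": "2023-02-13T09:00:42", "host": "ws01", "provider": "Microsoft-Windows-Sysmon", "event_id": 6, "image": "C:\\Windows\\Temp\\iqvw64e.sys", "signed": true}',
    r'{"time": "2023-02-13T09:01:10", "host": "ws01", "provider": "Microsoft-Windows-Sysmon", "event_id": 6, "image": "C:\\Windows\\System32\\drivers\\tcpip.sys", "signed": true}',
    r'{"time": "2023-02-13T09:05:00", "host": "ws02", "provider": "Microsoft-Windows-Sysmon", "event_id": 6, "image": "C:\\Users\\Public\\iqvw64e.sys", "signed": true}',
]

if __name__ == "__main__":
    for host, drv, cve, secs in find_byovd_sequences(SAMPLE_LOGS):
        print(f"[ALERT] {host}: {drv} ({cve}) loaded {secs}s after Defender was disabled")
```

A lone load of a blocklisted driver (the ws02 case) still deserves its own lower-severity alert; the correlation here only raises priority when the Defender tampering precedes it.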

The third-stage payload finally paves the way for downloading the Enigma Stealer from an actor-controlled Telegram channel. Like other stealers, this malware can collect sensitive information, record keystrokes, and capture screenshots, all of which are exfiltrated via Telegram.


Fake job offers are a tried-and-tested tactic employed by the North Korea-backed Lazarus Group in attacks targeting the cryptocurrency sector. The adoption of this modus operandi by Russian threat actors “represents a persistent and profitable attack vector.”

The findings came as Uptycs released details of an attack campaign that leverages the Stealerium malware to siphon personal data, including credentials for cryptocurrency wallets such as Armory, Atomic Wallet, Coinomi, Electrum, Exodus, Guarda, Jaxx Liberty, and Zcash.


In addition to Enigma Stealer and Stealerium, another malware family called Vector Stealer targets cryptocurrency wallets. The malware can also steal .RDP files, allowing attackers to hijack RDP sessions for remote access, Cyble said in a technical write-up.

Attack chains documented by the cybersecurity firms show these malware families being distributed via Microsoft Office attachments containing malicious macros, suggesting that malicious actors still rely on this method despite Microsoft’s efforts to close the loophole.

According to Fortinet FortiGuard Labs, similar methods have also been used to deploy the Monero cryptominer in the context of cryptojacking and phishing campaigns targeting users in Spain.


The development is also the latest in a long list of attacks aimed at stealing victims’ cryptocurrency assets across platforms.

Among them is a “rapidly evolving” Android banking Trojan dubbed TgToxic that loots credentials and funds from cryptocurrency wallets as well as banking and financial apps. The malware campaign, ongoing since July 2022, targets mobile users in Taiwan, Thailand, and Indonesia.

“When a victim downloads a fake app from a website provided by the threat actor or attempts to send a direct message to the threat actor via a messaging app such as WhatsApp or Viber, the cybercriminals trick the victim into registering, installing the malware, and enabling the necessary permissions,” Trend Micro said.

The rogue apps are known not only to abuse Android’s accessibility services to perform fraudulent money transfers, but also to abuse legitimate automation frameworks such as Easyclick and Auto.js to perform clicks and gestures, making TgToxic the second Android malware to incorporate such a workflow IDE, after PixPirate.

Social engineering campaigns also extend beyond malware into social media phishing and scams, with attackers setting up convincing landing pages that mimic popular crypto services with the goal of transferring Ethereum and NFTs out of compromised wallets.

According to Recorded Future, this is accomplished by injecting cryptocurrency exfiltration scripts into phishing pages. The script lures victims into connecting their wallets with lucrative offers of non-fungible tokens (NFTs).

These ready-made phishing pages are sold on darknet forums as part of what is called phishing-as-a-service (PhaaS), allowing other attackers to rent these ready-to-run packages and carry out malicious operations quickly and at scale.

“The ‘Crypto Drain’ is a malicious script that acts like an e-skimmer and is deployed using phishing techniques to steal a victim’s crypto assets,” the company said in a report published last week, explaining that the scam is effective and growing in popularity.

“The use of legitimate services in a crypto drain phishing page can increase the likelihood that the phishing page will pass the ‘scam litmus test’ of an otherwise savvy user. Once a crypto wallet is compromised, there are no safeguards to prevent unauthorized transfers of assets to an attacker’s wallet.”

The attacks came as criminal groups stole a record-breaking $3.8 billion from cryptocurrency businesses in 2022, with much of the surge coming from North Korean government-backed hacking crews.
