The EnigmaSpark threat is malware that originates from the Middle East. It would appear that its creators are targeting individuals and entities who have shown support or at least interest in the potential peace plan between Palestine and Israel. The attackers appear to oppose the proposed peace plan and have tried to further their cause by launching the EnigmaSpark campaign. After analyzing the EnigmaSpark threat and the circumstances surrounding the campaign, cybersecurity experts reached the conclusion that the Molerats hacking group is likely responsible for the attack. The Molerats group operates in the Middle East and has been active for several years. They tend to carry out politically motivated attacks regarding events and policies concerning the Middle East.
Propagates Via Phishing Emails
The EnigmaSpark malware is based on the legitimate Enigma Protector application. However, the creators of EnigmaSpark have altered the genuine tool and weaponized it to fit their needs. The malware is propagated via carefully crafted phishing emails. The emails contain a fake message whose goal is to convince the recipients to open the attached file. At first glance, the attachment appears to be a Microsoft Word file called 'a.docx'. The document text is in Arabic, but it displays a button in English that urges users to 'enable editing'. Opening the malicious document causes Microsoft Word to download a remote template, which is where the next stage lives.
Compromising the Target
The threat then establishes a connection with the attackers' C&C (Command & Control) server. EnigmaSpark collects data about the compromised system, encrypts it, and transfers it to the operators' C&C server. The next payload is deployed with the help of an AutoIT dropper that is launched by the malicious macro script. Upon execution, the AutoIT script drops the payload into C:\users\%USERNAME%\ under the name 'runawy.exe'. It gains persistence in two simple steps:
A copy of the payload is dropped in the Windows 'Startup' folder.
A new scheduled task is created that commands Windows to execute the aforementioned 'runawy.exe' file whenever Windows boots up.
Collects System Information
EnigmaSpark uses the 'Blaster.exe' payload to obtain information about the compromised device. It is able to find out whether an anti-malware application is running on the infected system, and it can also collect data about any firewall software present on the PC. Furthermore, the attackers obtain information about the processor of the compromised computer, as well as the hostname and username of the target. The malware also peeks into the user's keyboard settings to check that the default input language is Arabic; if the default language of the system is not Arabic, EnigmaSpark halts the operation, so an analysis environment without an Arabic keyboard layout will never reach the later stages. All the collected data is encrypted with the AES algorithm and then Base64-encoded. After completing these tasks, the threat transfers the data to the attackers' C&C server. The 'Blaster.exe' file is also able to receive encrypted commands from its operators' C&C; after decrypting the commands, 'Blaster.exe' executes them.
The EnigmaSpark operation is a long and complex campaign that includes multiple payloads. To sum it up, at the end of the attack, the compromised system is likely to have up to three unique payloads running on it:
'runawy.exe' - has the ability to execute remote commands and then transfer the output to a remote host.
'Blaster.exe' - possesses the same abilities as 'runawy.exe' but also makes an effort to gather hardware and software information about the infected host (antivirus, OS version, Windows configuration, processor maker and model, and more).
'REG.exe' - a downloader that can be used to fetch additional payloads. At the time this report was posted, 'REG.exe' had been observed downloading a bogus 'Soundcloud.exe' app that appears to share a lot of similarities with the 'Blaster.exe' payload.
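As an added example, not part of the original report, the following PowerShell hunt script checks a Windows host for the persistence mechanisms and payload names described above: the copy dropped in the Startup folder, the scheduled task that runs 'runawy.exe' at boot, and files or running processes named 'runawy.exe', 'Blaster.exe', 'REG.exe' or 'Soundcloud.exe' under user profiles. Only those file names and locations come from the report; the helper names, the exclusion of the legitimate reg.exe under %SystemRoot%, and the output format are my own assumptions.

```powershell
# Added hunt script for the EnigmaSpark indicators described in the report.
# Assumptions: the payload names below, and that the legitimate Windows
# registry tool (%SystemRoot%\System32\reg.exe) should not be flagged.
# Run from an elevated PowerShell on the host under investigation.

$IndicatorNames = @('runawy.exe', 'Blaster.exe', 'REG.exe', 'Soundcloud.exe')
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Source, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
}

# Returns $true when a path (or bare command) names one of the indicator
# binaries and does not point at the OS copy of reg.exe under %SystemRoot%.
function Test-IndicatorPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $clean = $Path.Trim('"')
    $leaf  = Split-Path -Leaf $clean
    if ($IndicatorNames -notcontains $leaf) { return $false }   # -contains is case-insensitive
    if ($clean.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    return $true
}

# 1. Startup folders (per-user and all-users): the report says a copy of the
#    payload is dropped there.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $StartupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File -Force | ForEach-Object {
            if (Test-IndicatorPath $_.FullName) { Add-Finding 'StartupFolder' $_.FullName }
        }
    }
}

# 2. Scheduled tasks whose action executes one of the indicator binaries
#    (the report describes a task that runs runawy.exe whenever Windows boots).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (Test-IndicatorPath $action.Execute) {
            $detail = '{0}{1} -> {2} {3}' -f $task.TaskPath, $task.TaskName, $action.Execute, $action.Arguments
            Add-Finding 'ScheduledTask' $detail
        }
    }
}

# 3. Files with the indicator names under any user profile (the dropper
#    writes runawy.exe directly under C:\users\%USERNAME%\).
$ProfileRoot = Split-Path -Parent $env:USERPROFILE
Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem -Path $_.FullName -Recurse -File -Force -Include $IndicatorNames -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'UserProfileFile' $_.FullName }
}

# 4. Running processes with the indicator names, reported with their image path.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $imagePath = $null
    try { $imagePath = $_.Path } catch { $imagePath = $null }
    $candidate = if ($imagePath) { $imagePath } else { "$($_.ProcessName).exe" }
    if (Test-IndicatorPath $candidate) {
        Add-Finding 'RunningProcess' ('PID {0}: {1}' -f $_.Id, $candidate)
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No EnigmaSpark file-name indicators found on this host.'
} else {
    $Findings | Sort-Object Source | Format-Table -AutoSize
}
```

A hit on 'REG.exe' outside %SystemRoot% is the one worth triaging first, because the name collides with a legitimate Windows tool and only the out-of-place copy matches the report; file names are a weak indicator on their own, so treat any finding as a lead for collecting the binary and checking the scheduled-task and Startup entries rather than as a verdict.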
This is not a threat that one can underestimate; the EnigmaSpark malware is capable of causing a lot of trouble to many users in the Middle East. Users need to be very careful when they open emails from unknown sources, as many cybercriminals use phishing emails as a preferred infection vector.