Russian threat actors have devised a campaign that targets Eastern Europeans working in the cryptocurrency industry. Using fake job offers, they aim to infect their victims with previously unknown malware tracked as Enigma Stealer. The operation relies on an intricate set of heavily obfuscated loaders that exploit a vulnerability in an old Intel driver. This technique is used to reduce the token integrity of Microsoft Defender and consequently bypass its security measures.
All of these tactics are used to gain access to confidential data and compromise victims' machines. Details about the Enigma Stealer and the infrastructure of the attack campaign were revealed in a report by security researchers. According to their findings, Enigma is a modified version of the open-source malware Stealerium.
Enigma Stealer's Complex Infection Chain
The threat actors behind the Enigma Stealer use a malicious email to attack their victims. The emails, which pretend to offer job opportunities, include an attached RAR archive containing a .TXT file with interview questions written in Cyrillic, as well as an executable called 'interview conditions.word.exe.' If the victim is induced into launching the executable, a multi-stage chain of payloads is executed, which eventually downloads the Enigma information-stealing malware from Telegram.
The first-stage payload is a C++ downloader that uses various techniques to evade detection while downloading and launching the second-stage payload, 'UpdateTask.dll.' This second-stage payload uses the 'Bring Your Own Vulnerable Driver' (BYOVD) technique to exploit CVE-2015-2291, an Intel driver vulnerability that allows commands to be executed with kernel privileges. The threat actors use this to disable Microsoft Defender before the malware downloads the third payload.
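The lure archive described above (a Cyrillic .TXT beside a double-extension executable) is the earliest point at which this chain can be caught. The following mail-gateway triage check is an added example, not code from the report or from the malware; it generalizes the lure to any executable hiding behind a document-looking inner extension, and the archive entries it scores are constructed sample data.

```python
import re

# Extensions Windows executes on double-click.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}
# Extensions a user expects on a harmless document (the lure's inner ".word").
DOC_EXTS = {"word", "doc", "docx", "pdf", "txt", "xls", "xlsx", "rtf", "odt"}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def classify_entry(name: str, data: bytes):
    """Return (name, reason) if an archive entry looks like a disguised executable."""
    base = name.rsplit("/", 1)[-1]
    if "\u202e" in base:  # right-to-left override hides the real extension
        return (base, "RTLO character in file name")
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS and len(parts) >= 3 and parts[-2] in DOC_EXTS:
        return (base, f"executable disguised as .{parts[-2]} document")
    if ext in EXEC_EXTS:
        return (base, "executable in a job-offer archive")
    if data[:2] == b"MZ":  # PE header under a non-executable extension
        return (base, f"PE header under a .{ext} extension")
    return None


def triage_archive(entries):
    """Score a whole attachment: executable plus Cyrillic text lure is high risk."""
    findings = [f for f in (classify_entry(n, d) for n, d in entries) if f]
    has_lure = any(
        n.lower().endswith(".txt") and CYRILLIC.search(d.decode("utf-8", "ignore"))
        for n, d in entries
    )
    if findings and has_lure:
        return "high", findings
    return ("medium" if findings else "low"), findings


# Constructed sample mirroring the reported lure (not real malware content).
SAMPLE_ARCHIVE = [
    ("interview questions.txt", "Вопросы для собеседования".encode()),
    ("interview conditions.word.exe", b"MZ\x90\x00" + b"\x00" * 60),
]

if __name__ == "__main__":
    verdict, hits = triage_archive(SAMPLE_ARCHIVE)
    print(verdict)
    for name, reason in hits:
        print(f"  {name}: {reason}")
```

In a real gateway the entry list would come from listing the RAR (e.g. with the rarfile module) without extracting it to disk.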
Enigma Stealer's Threatening Capabilities
The third payload deployed by the threat actors is the Enigma Stealer. It is designed to target system information, tokens, and passwords stored in Web browsers such as Google Chrome, Microsoft Edge and Opera. It may also capture screenshots from the compromised system and extract clipboard content and VPN configurations.
The Enigma Stealer is also capable of targeting data stored in Microsoft Outlook, Telegram, Signal, OpenVPN and other applications. All collected information is compressed into a ZIP archive ('Data.zip'), which is sent back to the threat actors via Telegram. To conceal its own data and hinder analysis, some of Enigma's strings, such as Web browser paths and geolocation API service URLs, are encrypted with the Advanced Encryption Standard (AES) algorithm in Cipher Block Chaining (CBC) mode.