Hackers have once again been found using the classic “fake crypto job” scam to spread dangerous malware, experts warn.
However, instead of the usual North Korean Lazarus Group, this time it is the Russians who are trying to take advantage of gullible crypto workers. Trend Micro cybersecurity researchers have recently observed unnamed Russian threat actors targeting cryptocurrency industry workers in Eastern Europe.
They sent emails inviting the victims to consider a new job with a crypto company. The email was said to contain two attachments: an apparently benign .txt file (titled “Interview Questions”) and a clearly malicious executable (titled “Interview Conditions.word.exe”) whose double extension is meant to pass it off as a Word document.
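As an added example (not from the article or the Trend Micro report), a small Python check of the kind a mail gateway could apply to attachment names like the ones above: it flags an executable whose inner extension imitates a document. The extension sets and the sample names other than the two quoted in the article are assumptions constructed for this example.

```python
import os
from typing import Dict, Iterable, Optional

# Executable extensions that have no business arriving as "documents" in a job-offer email.
# The set is an assumption for this example, not an exhaustive list.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
# Document-like extensions a lure file may imitate in its inner extension (also an assumption).
DOC_LIKE = {".doc", ".docx", ".word", ".pdf", ".txt", ".xls", ".xlsx", ".rtf"}


def classify_attachment(name: str) -> Optional[str]:
    """Return a reason string if the attachment name looks like a disguised executable, else None."""
    # Normalise: strip directories and surrounding whitespace, compare case-insensitively.
    base = os.path.basename(name.strip()).lower()
    stem, last = os.path.splitext(base)
    if last not in EXEC_EXTS:
        return None  # not an executable type; nothing to flag here
    # Look one extension further in, e.g. "interview conditions.word" -> ".word"
    _, inner = os.path.splitext(stem)
    if inner in DOC_LIKE:
        return f"executable disguised as {inner} document: {last}"
    return f"executable attachment: {last}"


def triage_attachments(names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map every attachment name in a message to its verdict (None means nothing flagged)."""
    return {n: classify_attachment(n) for n in names}


def is_suspicious(names: Iterable[str]) -> bool:
    """A message with any disguised executable attachment is treated as suspicious."""
    return any(v is not None for v in triage_attachments(names).values())


if __name__ == "__main__":
    # Constructed sample: the two attachment names quoted in the article.
    sample = ["Interview Questions.txt", "Interview Conditions.word.exe"]
    for n, verdict in triage_attachments(sample).items():
        print(f"{n!r}: {verdict or 'ok'}")
```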
Bring your own vulnerable driver
The attack unfolds in three stages: when the victim runs the executable, it downloads a second payload that exploits a vulnerability in an Intel driver, tracked as CVE-2015-2291. Known as “Bring Your Own Vulnerable Driver”, this technique lets threat actors execute commands with kernel privileges, and they use that ability to disable antivirus protection.
Once the antivirus is disabled, they trigger the download of the third payload, a variant of the Stealerium malware, called Enigma.
Extracted from a private Telegram channel, the malware is capable of collecting system information, browser tokens and saved passwords (it targets most popular browsers, including Chrome, Edge and Opera), as well as data saved in Outlook, Telegram, Signal, OpenVPN and more. In addition, Enigma can take screenshots and extract clipboard contents.
When it gets what it wants, Enigma zips it all up into a Data.zip archive and sends it back via Telegram.
While bogus job offers are usually something Lazarus Group does, Trend Micro believes the group is of Russian origin this time around. Apparently, one of the log servers houses an Amadey C2 panel, largely popular among Russian cybercriminals. In addition, the server runs “Deniska”, a Linux variant used almost exclusively by Russians – and the server’s default time zone is also set to Moscow.
Via: Bleeping Computer