Cybercriminals spread malware through fake job proposals
Through fake job interview proposals in the cryptocurrency sector, cybercriminals trap victims
A campaign run by Russian threat actors relies on fraudulent emails that bundle ‘malware’ with alleged job offers, targeting professionals in the cryptocurrency industry.
Trend Micro researchers have analyzed the activity of this group of cybercriminals, who have managed to infect several computers with a modified version of the Stealerium malware called Enigma.
Stealerium is an information stealer written in C# that sends logs of stolen information to a server controlled by the threat actors themselves. Besides harvesting this kind of data, it can take screenshots and even record keystrokes.
In this case, Enigma has used fake job offers and interviews targeting Eastern European cryptocurrency professionals with an infection chain that starts with a malicious RAR file distributed via social media and email.
The file received by the victims contains two documents: one containing the interview questions (a .txt document) and another supposedly containing the terms of the position (a file with a .word.exe double extension).
The interview file contains questions written in Cyrillic, which lends the fraudulent document credibility. The vacancy conditions file, on the other hand, carries the first stage of the Enigma malware. Its job is to download and unpack further malicious components, which are installed on the device in several stages or payloads.
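The lure described above pairs a harmless-looking decoy with an executable disguised by a document-like double extension. The following is an added example (not code from the article or from Trend Micro) of a triage check a defender could run over the member names of an incoming archive; it generalizes beyond `.word.exe` to other document tokens and executable extensions. The member list and token sets are constructed assumptions for illustration.

```python
from typing import Optional

# Extensions Windows runs directly when the file is double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Tokens that make a filename look like a harmless document (assumed list).
DOCUMENT_TOKENS = {"word", "doc", "docx", "pdf", "txt", "rtf", "xls", "xlsx", "odt"}
DECOY_SUFFIXES = (".txt", ".doc", ".docx", ".pdf", ".rtf")


def masquerade_reason(filename: str) -> Optional[str]:
    """Explain why an archive member looks like a disguised executable, or None."""
    base = filename.lower().rsplit("/", 1)[-1]      # drop any folder prefix
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None                                  # not an executable at all
    if len(parts) >= 3 and parts[-2] in DOCUMENT_TOKENS:
        # e.g. "vacancy conditions.word.exe": document token hides the real extension
        return f"double extension .{parts[-2]}.{parts[-1]}"
    return f"executable .{parts[-1]} in archive"


def triage_archive(member_names):
    """Flag disguised executables and the decoy-plus-executable lure pattern."""
    findings = [(n, r) for n in member_names if (r := masquerade_reason(n))]
    has_decoy = any(n.lower().endswith(DECOY_SUFFIXES) for n in member_names)
    lure_pair = has_decoy and any("double extension" in r for _, r in findings)
    return {"findings": findings, "lure_pair": lure_pair}


# Constructed member listing mirroring the chain described in the article.
SAMPLE_MEMBERS = [
    "Interview questions.txt",
    "Vacancy conditions.word.exe",
]

if __name__ == "__main__":
    result = triage_archive(SAMPLE_MEMBERS)
    for name, reason in result["findings"]:
        print(f"SUSPICIOUS: {name}: {reason}")
    if result["lure_pair"]:
        print("Decoy document paired with a disguised executable: likely lure archive")
```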
Cybercriminals steal user data
According to the Trend Micro study, Enigma uses two servers. The first relies on the Telegram application, through a channel controlled by the attacker, to deliver payloads and send commands. The second is used for DevOps and to complete the registration of the malicious payload, whose main objective is to disable the Microsoft Defender security system by deploying a vulnerable Intel kernel-mode driver and exploiting a flaw in it, identified as CVE-2015-2291.
This driver vulnerability allows commands to be executed with kernel privileges, so the threat actors are able to disable Microsoft Defender before the malware downloads and runs the third payload.
Once established on the infected device, Enigma collects and steals system and user information, including passwords for various web browsers and applications such as Google Chrome, Microsoft Edge, Signal, Telegram, OpenVPN and Microsoft Outlook, among others.
Once this data is collected, it is compressed into a ZIP file and exfiltrated to the threat actor through the Telegram messaging application. This activity is logged in the DevOps environment so that the operators can keep developing, profiling and improving the performance of the ‘malware’.
(Reference image source: Ed Hardie, Unsplash)