Experts warn that hackers have once again used the classic “fake crypto work” scam to distribute dangerous malware.
However, instead of the usual North Korean group Lazarus, this time the Russians are trying to take advantage of gullible crypto workers. Trend Micro cybersecurity researchers recently spotted unnamed Russian cybercriminals targeting cryptocurrency workers in Eastern Europe.
They sent emails inviting victims to consider a new job offer at a crypto company. Each email carried two attachments: a seemingly innocuous .txt file (titled “Interview Questions”) and a clearly malicious executable (titled “Interview Terms.word.exe”).
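The lure relies on a double extension: a document-looking token (“.word”) sits in front of the real “.exe” so a casual glance, or a mail client that hides known extensions, reads it as a document. The following is an added example of a mail-gateway style attachment check, not code from the article or from Trend Micro; the filenames it is run against are constructed here from the ones the article names, and the extension lists are ordinary Windows-executable and document types chosen for the example.

```python
from dataclasses import dataclass

# Extensions Windows will execute directly when the file is opened.
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "msi", "lnk",
}
# Tokens a victim reads as "this is a document or picture". "word" is
# included because the lure in the article used ".word.exe".
DOCUMENT_EXTS = {
    "txt", "doc", "docx", "word", "pdf", "xls", "xlsx",
    "rtf", "odt", "jpg", "jpeg", "png",
}
RLO = "\u202e"  # Unicode right-to-left override, used to visually reverse ".exe"


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Flag attachments whose true type is executable but whose name is
    dressed up to look like a document."""
    if RLO in filename:
        # The displayed name is reversed after this character, so whatever
        # the user sees, the real extension is what comes last in the bytes.
        return Verdict(filename, True, "right-to-left override in filename")

    # Drop any embedded path and compare case-insensitively. Strip each
    # token so "Resume.pdf      .exe" (space padding) is not missed.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or not parts[-1]:
        return Verdict(filename, False, "no extension")

    real_ext = parts[-1]
    inner_tokens = parts[1:-1]  # everything between the base name and the real extension

    if real_ext in EXECUTABLE_EXTS:
        disguises = [t for t in inner_tokens if t in DOCUMENT_EXTS]
        if disguises:
            return Verdict(filename, True,
                           f"executable .{real_ext} disguised as .{disguises[-1]}")
        return Verdict(filename, True, f"executable attachment .{real_ext}")

    return Verdict(filename, False, "benign-looking")


def triage(attachments: list[str]) -> list[Verdict]:
    """Return only the verdicts that warrant blocking or analyst review."""
    return [v for v in map(classify_attachment, attachments) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample, modelled on the two attachments the article describes.
    sample_mail = ["Interview Questions.txt", "Interview Terms.word.exe"]
    for verdict in triage(sample_mail):
        print(f"BLOCK {verdict.filename!r}: {verdict.reason}")
```

In a real gateway this check belongs beside, not instead of, content inspection: it catches the naming trick the article describes, while the file's magic bytes and a detonation sandbox decide what the attachment actually is.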
Bring your own vulnerable driver
The attack unfolds in three stages: if the victim runs the executable, it downloads a second payload that exploits a vulnerability in an Intel driver, tracked as CVE-2015-2291. This technique, commonly called “Bring Your Own Vulnerable Driver” (BYOVD), lets the attackers execute code with kernel privileges and use that access to disable antivirus protection.
After disabling the antivirus, they trigger the download of a third payload, which is a variant of the Stealerium malware called Enigma.
The malware, downloaded from a private Telegram channel, can extract system information, browser tokens and stored passwords (it targets virtually every popular browser, including Chrome, Edge and Opera), as well as data stored by Outlook, Telegram, Signal, OpenVPN and more. Enigma can also capture screenshots and read the clipboard.
When it gets what it wants, Enigma packs it all in a Data.zip archive and sends it back via Telegram.
While fake job offers are usually a Lazarus Group tactic, Trend Micro believes that this time the group has Russian roots. One of the servers involved hosts the Amadey C2 panel, which is very popular with Russian cybercriminals. Moreover, the server runs “Deniska”, a Linux distribution used almost exclusively by Russians, and its default time zone is set to Moscow.
By: BleepingComputer