Hackers have been found once again using the classic “fake crypto job” scam to distribute dangerous malware, experts have warned.
However, instead of the usual North Korean Lazarus Group, this time it’s the Russians trying to take advantage of gullible crypto workers. Cybersecurity researchers from Trend Micro recently observed unnamed Russian threat actors targeting workers in the cryptocurrency industry, located in Eastern Europe.
They would send out emails, inviting the victims to consider a new job offer at a crypto firm. The email would carry two attachments, one seemingly benign.txt file (titled “Interview Questions”) and one malicious (titled “Interview Conditions.word.exe”).
Bring your vulnerable driver
The attack is a three-step campaign: If the victim runs the executable, it
downloads a second payload that abuses a vulnerability in an Intel driver, tracked as CVE-2015-2291. This method, commonly referred to as “bring your vulnerable driver,” allows threat actors to execute commands with kernel privileges, and they use this ability to disable antivirus protection.
Once the antivirus is disabled, they trigger the download of the third payload, which is a variant of the Stealerium malware named Enigma.
The malware, which gets pulled from a private Telegram channel, is capable of extracting system information, browser tokens, stored passwords (it targets virtually all popular browsers nowadays, including Chrome, Edge, Opera, etc.), data stored in Outlook, Telegram, Signal, OpenVPN, and more. What’s more, Enigma can grab screenshots and extract clipboard content.
When it gets what it wants, Enigma zips it all up in a Data.zip archive and sends it back via Telegram.
While fake job offers are usually something Lazarus Group does, Trend Micro believes that this time around, the group is of Russian origin. One of the logging servers hosts an Amadey C2 panel, which is largely popular among Russian cybercriminals. Furthermore, the server runs “Deniska,” a Linux variant used almost exclusively by Russians, and the server’s default time zone is also set to Moscow.