The Rising Risks of Cryptocurrency Use: Exploring Enigma, Vector, and TgToxic
Suspected Russian threat actors have been targeting Eastern European users in the cryptocurrency industry with fake job opportunities as bait to install information-stealing malware on compromised hosts. According to Trend Micro researchers Aliakbar Zahravi and Peter Girnus, the attackers are using a highly obfuscated and under-development custom loader to infect users with Enigma Stealer, an altered version of Stealerium, an open source C#-based malware that acts as a stealer, clipper, and keylogger.
The Process
The intricate infection journey starts with a rogue RAR archive file that’s distributed via phishing or social media platforms, containing two documents. The first is a .TXT file that includes a set of sample interview questions related to cryptocurrency, while the second is a Microsoft Word document that serves as a decoy and is tasked with launching the first-stage Enigma loader. This loader downloads and executes an obfuscated secondary-stage payload through Telegram, which is then used to deploy a legitimately signed kernel mode Intel driver that’s vulnerable to CVE-2015-2291. This ultimately paves the way for downloading Enigma Stealer from an attacker-controlled Telegram channel.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Once Enigma Stealer is installed, it harvests sensitive information, records keystrokes, and captures screenshots, all of which is exfiltrated back by means of Telegram.
The adoption of this modus operandi by Russian threat actors “demonstrates a persistent and lucrative attack vector,” according to Trend Micro. Joining Enigma Stealer and Stealerium in targeting cryptocurrency wallets is yet another malware dubbed Vector Stealer, which comes with capabilities to steal .RDP files, enabling the threat actors to carry out RDP hijacking for remote access.
In addition, Uptycs released details of an attack campaign that leverages the Stealerium malware to siphon personal data from cryptocurrency wallets, while Fortinet FortiGuard Labs discovered a cryptojacking and phishing campaign aimed at Spanish users, delivered through Microsoft Office attachments containing malicious macros.
The development is also the latest in a long list of attacks that are aimed at stealing victims’ cryptocurrency assets across platforms. This includes TgToxic, an Android banking trojan that plunders credentials and funds from crypto wallets as well as bank and finance apps, and social engineering campaigns that have set up convincing landing pages that imitate popular crypto services with the goal of transferring Ethereum and NFTs from hacked wallets.
A Lucrative industry
These scams are effective and growing in popularity, with ready-made phishing pages being sold on darknet forums as part of what’s called a phishing-as-a-service (PhaaS) scheme. Furthermore, Recorded Future has documented ‘crypto drainers’ – malicious scripts that function like e-skimmers and are deployed with phishing techniques to steal victims’ crypto assets.
The attacks come at a time when criminal groups have stolen a record-breaking $3.8 billion from crypto businesses in 2022, with much of the spike attributed to North Korean state-sponsored hacking crews.