Hackers use fake crypto job offers to push info-stealing malware

silversurfer
A campaign operated by Russian threat actors uses fake job offers to target Eastern Europeans working in the cryptocurrency industry, aiming to infect them with a modified version of the Stealerium malware named 'Enigma.'

According to Trend Micro, which has been tracking the malicious activity, the threat actors use a set of heavily obfuscated loaders that exploit an old Intel driver flaw to reduce the token integrity of Microsoft Defender and bypass its protections.

The attacks start with an email posing as a job offer, using a fake cryptocurrency-industry interview to lure the target. The email carries a RAR archive attachment containing a text file ("interview questions.txt") and an executable ("interview conditions.word.exe"). The text file holds interview questions written in Cyrillic that follow a standard format and are made to look legitimate.

If the victim is tricked into launching the executable, a chain of payloads is executed that eventually downloads the Enigma information-stealing malware from Telegram.

[Figure: Attack chain diagram (Trend Micro)]
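The lure above relies on a document-style decoy extension in front of the real .exe. The following triage function, an added example that is not from the article or Trend Micro, checks an archive's file listing for that pattern; the archive entries are constructed from the filenames quoted above, and the extension sets are assumptions for illustration.

```python
# Extensions Windows runs directly on double-click (assumed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "msi"}
# Document-style extensions that an attacker may insert before the real one.
DECOY_EXTS = {"doc", "docx", "word", "pdf", "txt", "xls", "xlsx", "rtf"}

# Constructed listing matching the attachment described in the article.
SAMPLE_ARCHIVE = ["interview questions.txt", "interview conditions.word.exe"]


def classify_entry(name):
    """Return (is_executable, reasons) for one archive entry.

    reasons is non-empty only when the executable is disguised, e.g. by a
    decoy document extension or a right-to-left override character.
    """
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    is_exec = len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS
    reasons = []
    if is_exec and len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        reasons.append(f"decoy extension .{parts[-2]} before .{parts[-1]}")
    if "\u202e" in name:  # RTLO flips the displayed extension order
        reasons.append("right-to-left override character in name")
    return is_exec, reasons


def triage_archive(entries):
    """Return (verdict, findings) for a list of archive member names.

    verdict: "block" if any disguised executable is present,
             "review" if a plain executable is present,
             "allow" otherwise.
    findings maps each disguised entry to its list of reasons.
    """
    findings = {}
    plain_exec = False
    for name in entries:
        is_exec, reasons = classify_entry(name)
        if reasons:
            findings[name] = reasons
        elif is_exec:
            plain_exec = True
    if findings:
        verdict = "block"
    elif plain_exec:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, findings


if __name__ == "__main__":
    print(triage_archive(SAMPLE_ARCHIVE))
```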