Crypto firms prone to the threats of Enigma infostealer

February 24, 2023
Crypto Firms Cyber threats Enigma Infostealer Malware

Threat actors alleged to be Russian are using the Enigma infostealer to target Europeans with fake cryptocurrency job offers. According to reports, the actors use a set of obfuscated loaders that exploit a bug in an Intel driver to load a compromised driver, which lowers the token integrity level of Microsoft Defender so that the malware can evade detection.

The infection starts with a phishing message, commonly disseminated through social media platforms, that carries a malicious RAR archive containing a text file and an executable.

The text file contains sample interview questions written in Cyrillic. It is meant to convince the target that they are preparing for a phone interview for a cryptocurrency job opening.

The executable is disguised as a legitimate Word document and contains the first-stage Enigma loader. The threat actors designed this bait to lure victims into launching the loader; once it runs, it registers the infection and downloads the second-stage payload.

The Enigma infostealer is a modified version of previously known malware.

According to investigations, the Enigma infostealer is a modified variant of Stealerium. The malware is written in C++ and utilises string encryption, API hashing, and inserted irrelevant (junk) code to evade detection.

Additionally, Enigma delivers its payload in multiple stages, named EngimaDownloader_s001, EngimaDownloader_s002, and EngimaDownloader_s003.

These three payloads abuse the Intel driver flaw to load a compromised driver, which then lowers the integrity level of the Microsoft Defender process, forcing it down from System to Untrusted.
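As an added detection example (not from the report and not the malware's own code): the check below scans a process inventory and flags Microsoft Defender processes whose mandatory integrity label is below System, which is the tampered state described above. The inventory record format (pid, image name, integrity SID) and the sample records are constructed assumptions; on a live host the SID would come from each process token.

```python
# Added example: flag Defender processes whose integrity label was lowered.
# The inventory record format and the sample data below are constructed.

# Windows mandatory integrity labels are SIDs of the form S-1-16-<RID>.
INTEGRITY_LEVELS = {0: "Untrusted", 4096: "Low", 8192: "Medium",
                    12288: "High", 16384: "System"}
SYSTEM_RID = 16384
# Defender service images that are expected to run at System integrity.
DEFENDER_IMAGES = {"msmpeng.exe", "nissrv.exe"}


def integrity_rid(sid: str) -> int:
    """Return the RID of a mandatory-label SID, e.g. 'S-1-16-16384' -> 16384."""
    parts = sid.strip().split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not a mandatory-label SID: {sid!r}")
    return int(parts[3])


def find_downgraded(inventory: list[dict], watch=DEFENDER_IMAGES,
                    minimum: int = SYSTEM_RID) -> list[tuple[int, str, str]]:
    """Return (pid, image, level) for watched images running below `minimum`.

    A Defender process below System integrity is exactly the state Enigma's
    loaders produce, so it is worth an alert regardless of how it got there.
    """
    watched = {w.lower() for w in watch}
    hits = []
    for proc in inventory:
        image = str(proc["image"])
        if image.lower() not in watched:
            continue
        rid = integrity_rid(str(proc["integrity_sid"]))
        if rid < minimum:
            hits.append((int(proc["pid"]), image,
                         INTEGRITY_LEVELS.get(rid, f"RID {rid}")))
    return hits


# Constructed sample inventory: the Defender engine has been dropped to
# Untrusted, the network inspection service is still at System.
SAMPLE_INVENTORY = [
    {"pid": 1234, "image": "MsMpEng.exe", "integrity_sid": "S-1-16-0"},
    {"pid": 2345, "image": "NisSrv.exe", "integrity_sid": "S-1-16-16384"},
    {"pid": 3456, "image": "explorer.exe", "integrity_sid": "S-1-16-8192"},
]

if __name__ == "__main__":
    for pid, image, level in find_downgraded(SAMPLE_INVENTORY):
        print(f"ALERT pid={pid} {image} running at {level} integrity")
```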

The final phase of the operation is the deployment of Enigma Stealer itself, which initialises its configuration on execution and prepares its working directory.

Once on the system, Enigma harvests system data and steals user information, browser credentials, and tokens.

Lastly, the infostealer could capture screenshots and collect clipboard content and VPN configurations from the infected device. Subsequently, it compresses the gathered information and sends it to an attacker-controlled Telegram account.

Cybersecurity experts explained that the Enigma infostealer is still under development, but its operators are already using highly evasive techniques.

Users should update their security solutions and be wary of social media posts and phishing attempts that offer suspicious opportunities.
