
Enigma, Vector, and TgToxic: The New Threats to Cryptocurrency Users

The Hacker News (thehackernews.com), published 2023-02-11 11:11:00

CVSS scores attached to the article listing:

CVSS3: 7.8 High - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED
  Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.2 High - AV:L/AC:L/Au:N/C:C/I:C/A:C
  Access Vector: LOCAL; Access Complexity: LOW; Authentication: NONE
  Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE


Suspected Russian threat actors have been targeting Eastern European users in the crypto industry with fake job opportunities as bait to install information-stealing malware on compromised hosts.

The attackers "use several highly obfuscated and under-development custom loaders in order to infect those involved in the cryptocurrency industry with Enigma stealer," Trend Micro researchers Aliakbar Zahravi and Peter Girnus said in a report this week.

Enigma is said to be an altered version of Stealerium, an open source C#-based malware that acts as a stealer, clipper, and keylogger.

The intricate infection journey starts with a rogue RAR archive file that's distributed via phishing or social media platforms. It contains two documents, one of which is a .TXT file that includes a set of sample interview questions related to cryptocurrency.

The second file is a Microsoft Word document that, while serving as a decoy, is tasked with launching the first-stage Enigma loader, which, in turn, downloads and executes an obfuscated secondary-stage payload through Telegram.

"To download the next stage payload, the malware first sends a request to the attacker-controlled Telegram channel [...] to obtain the file path," the researchers said. "This approach allows the attacker to continuously update and eliminates reliance on fixed file names."

The second-stage downloader, which is executed with elevated privileges, is designed to disable Microsoft Defender and install a third-stage by deploying a legitimately signed kernel mode Intel driver that's vulnerable to CVE-2015-2291 in a technique called Bring Your Own Vulnerable Driver (BYOVD).

It's worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
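The BYOVD step above is detectable on the endpoint because the abused driver is validly signed, so a signature check alone is not enough: the load has to be matched against a blocklist of known-vulnerable driver hashes. The following is an added detection example (not code from the article or from Trend Micro) that walks a few constructed, simplified Sysmon Event ID 6 (DriverLoad) records; the hashes, paths and blocklist entries are placeholders, not real indicators.

```python
# Added example: BYOVD detection over constructed Sysmon DriverLoad (ID 6) records.
import xml.etree.ElementTree as ET

# Constructed blocklist keyed by upper-case SHA256 (placeholder values). A real
# deployment would feed this from Microsoft's vulnerable driver blocklist or a
# LOLDrivers-style list; keying on hash matters because the file can be renamed.
VULNERABLE_DRIVERS = {
    "PLACEHOLDER_SHA256_VULN_INTEL_DRIVER": "CVE-2015-2291 (signed Intel driver abused for BYOVD)",
}
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed, simplified Sysmon events. The second record is the BYOVD case:
# a validly signed driver whose hash is blocklisted, loaded from ProgramData.
SAMPLE_EVENTS = """<Events>
<Event><EventID>6</EventID><ImageLoaded>C:\\Windows\\System32\\drivers\\ndis.sys</ImageLoaded>
<Hashes>SHA1=PLACEHOLDER_SHA1,SHA256=PLACEHOLDER_SHA256_NDIS</Hashes><Signed>true</Signed>
<Signature>Microsoft Windows</Signature></Event>
<Event><EventID>6</EventID><ImageLoaded>C:\\ProgramData\\diag\\netdiag.sys</ImageLoaded>
<Hashes>SHA1=PLACEHOLDER_SHA1,SHA256=placeholder_sha256_vuln_intel_driver</Hashes><Signed>true</Signed>
<Signature>Intel Corporation</Signature></Event>
<Event><EventID>7</EventID><ImageLoaded>C:\\Windows\\System32\\kernel32.dll</ImageLoaded>
<Hashes>SHA256=PLACEHOLDER_SHA256_K32</Hashes><Signed>true</Signed></Event>
</Events>"""


def parse_hashes(field):
    """Sysmon's Hashes field is 'ALG=value,ALG=value,...'."""
    return dict(p.split("=", 1) for p in field.split(",") if "=" in p)


def find_byovd_loads(xml_text, blocklist=VULNERABLE_DRIVERS):
    """Return [(image_path, signed, reasons)] for driver loads worth review."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("Event"):
        if ev.findtext("EventID") != "6":  # only DriverLoad events
            continue
        image = ev.findtext("ImageLoaded", "")
        sha256 = parse_hashes(ev.findtext("Hashes", "")).get("SHA256", "").upper()
        reasons = []
        if sha256 in blocklist:
            # A valid Authenticode signature does not clear this: BYOVD relies
            # on the driver being legitimately signed, so the match is on hash.
            reasons.append("blocklisted driver: " + blocklist[sha256])
        if any(m in image.lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("loaded from a user-writable location")
        if reasons:
            findings.append((image, ev.findtext("Signed") == "true", reasons))
    return findings


if __name__ == "__main__":
    for image, signed, reasons in find_byovd_loads(SAMPLE_EVENTS):
        print(f"{image} (signed={signed}): {'; '.join(reasons)}")
```

In a real pipeline the blocklist comparison should run on the hash Sysmon records, since renaming the driver (as the path heuristic hints) does not change it.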

The third-stage payload ultimately paves the way for downloading Enigma Stealer from an actor-controlled Telegram channel. The malware, like other stealers, comes with features to harvest sensitive information, record keystrokes, and capture screenshots, all of which is exfiltrated back by means of Telegram.


Bogus job offers are a tried-and-tested tactic employed by North Korea-backed Lazarus Group in its attacks targeting the crypto sector. The adoption of this modus operandi by Russian threat actors "demonstrates a persistent and lucrative attack vector."

The findings come as Uptycs released details of an attack campaign that leverages the Stealerium malware to siphon personal data, including credentials for cryptocurrency wallets such as Armory, Atomic Wallet, Coinomi, Electrum, Exodus, Guarda, Jaxx Liberty, and Zcash, among others.


Joining Enigma Stealer and Stealerium in targeting cryptocurrency wallets is yet another malware dubbed Vector Stealer that also comes with capabilities to steal .RDP files, enabling the threat actors to carry out RDP hijacking for remote access, Cyble said in a technical write-up.

Attack chains documented by the cybersecurity firms show that the malware families are delivered through Microsoft Office attachments containing malicious macros, suggesting that miscreants are still relying on the method despite Microsoft's attempts to close the loophole.

A similar method has also been put to use to deploy a Monero crypto miner against the backdrop of a cryptojacking and phishing campaign aimed at Spanish users, according to Fortinet FortiGuard Labs.


The development is also the latest in a long list of attacks that are aimed at stealing victims' cryptocurrency assets across platforms.

This comprises a "rapidly evolving" Android banking trojan referred to as TgToxic, which plunders credentials and funds from crypto wallets as well as bank and finance apps. The ongoing malware campaign, active since July 2022, is directed against mobile users in Taiwan, Thailand, and Indonesia.

"When the victim downloads the fake app from the website given by the threat actor, or if victim tries to send a direct message to the threat actor through messaging apps such as WhatsApp or Viber, the cybercriminal deceives the user into registering, installing the malware, and enabling the permissions it needs," Trend Micro said.

The rogue apps, besides abusing Android's accessibility services to carry out the unauthorized fund transfers, are also notable for taking advantage of legitimate automation frameworks like Easyclick and Auto.js to perform clicks and gestures, making TgToxic the second Android malware after PixPirate to incorporate such workflow IDEs.

But social engineering campaigns have also gone beyond social media phishing and smishing by setting up convincing landing pages that imitate popular crypto services with the goal of transferring Ethereum and NFTs from the hacked wallets.

This, according to Recorded Future, is achieved by injecting a crypto drainer script into the phishing page which lures victims into connecting their wallets with lucrative offers to mint non-fungible tokens (NFTs).

Such ready-made phishing pages are being sold on darknet forums as part of what's called a phishing-as-a-service (PhaaS) scheme, permitting other actors to rent out these packages and swiftly enact malicious operations at scale.

"'Crypto drainers' are malicious scripts that function like e-skimmers and are deployed with phishing techniques to steal victims' crypto assets," the company said in a report published last week, describing the scams as effective and growing in popularity.

"The use of legitimate services on crypto drainer phishing pages may increase the likelihood that the phishing page will pass an otherwise savvy user's 'scam litmus test.' Once crypto wallets have been compromised, no safeguards exist to prevent the illicit transfer of assets to attackers' wallets."

The assaults come at a time when criminal groups have stolen a record-breaking $3.8 billion from crypto businesses in 2022, with much of the spike attributed to North Korean state-sponsored hacking crews.

