Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs


Malware

We found an active campaign targeting Eastern Europeans in the cryptocurrency industry using fake job lures.
By: Aliakbar Zahravi, Peter Girnus

February 09, 2023

We recently found an active campaign that uses a fake employment pretext targeting Eastern Europeans in the cryptocurrency industry to install an information stealer. In this campaign, the suspected Russian threat actors use several highly obfuscated and under-development custom loaders in order to infect those involved in the cryptocurrency industry with Enigma stealer (detected as TrojanSpy.MSIL.ENGIMASTEALER.YXDBC), which is a modified version of the Stealerium information stealer. In addition to these loaders, the attacker also exploits CVE-2015-2291, an Intel driver vulnerability, to load a malicious driver designed to reduce the token integrity of Microsoft Defender.
Stealerium, the original information stealer which serves as the base for Enigma Stealer, is an open-source project written in C# and markets itself as a stealer, clipper, and keylogger with logging capabilities using the Telegram API. Security teams and individual users are advised to constantly update the security solutions of their systems and remain vigilant against threat actors who perform social engineering via job opportunity or salary increase-related lures.
Attack Chain

Figure 1. The attack kill chain used by the Enigma Stealer operator (click the image for a larger version)

Using fake cryptocurrency interviews to lure victims
The infection chain begins with a malicious RAR archive — in this instance, contract.rar (SHA256: 658725fb5e75ebbcb03bc46d44f048a0f145367eff66c8a1a9dc84eef777a9cc) — which is distributed to victims via phishing attempts or through social media. The archive contains the files Interview questions.txt and Interview conditions.word.exe.

Figure 2. The files found inside the malicious RAR archive

These files set up the pretext for a fake cryptocurrency role or job opening. One file, Interview questions.txt (SHA256: 3a1eb6fabf45d18869de4ffd773ae82949ef80f89105e5f96505de810653ed73), contains sample interview questions written in Cyrillic. This serves to further legitimize the package in the eyes of the victim and draw attention away from the malicious binary.

Figure 3. A machine translation of Interview questions.txt

The other file, Interview conditions.word.exe (SHA256: 03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23), contains the first stage Enigma loader. This file, which also masquerades as a legitimate Word document, is designed to lure unsuspecting victims into executing the loader. Once executed, the Enigma loader begins the registration and downloading of the second-stage payload.
Analysis of the Enigma infrastructure
Enigma uses two servers in its operation. The first uses Telegram for delivering payloads, sending commands, and receiving the payload heartbeat. The second server, 193[.]56[.]146[.]29, is used for DevOps and logging purposes. At each stage the payload sends its execution log to the logging server. Since this malware is under continuous development, the attacker potentially uses the logging server to improve malware performance. We've also identified the Amadey C2 panel on 193[.]56[.]146[.]29, which has only one sample (95b4de74daadf79f0e0eef7735ce80bc) communicating with it.

Figure 4. Amadey C&C login page

Amadey is a popular botnet that is sold on Russian-speaking forums, but its source code has been leaked online. Amadey offers threat actors polling and reconnaissance services.

Figure 5. The exposed info.php page of the threat actors' command-and-control (C&C) infrastructure

This server runs a unique Linux distribution only referenced in Russian Linux forums.

Figure 6. The default time zone of the C&C server

The default time zone on this server is set to Europe/Moscow. This server registers a newly infected host when Interview conditions.word.exe is executed by the victim.
Stage 1: EnigmaDownloader_s001

MD5: 1693D0A858B8FF3B83852C185880E459
SHA-1: 5F1536F573D9BFEF21A4E15273B5A9852D3D81F1
SHA-256: 03B9D7296B01E8F3FB3D12C4D80FE8A1BB0AB2FD76F33C5CE11B40729B75FB23
File size: 367.00 KB (375808 bytes)

The initial stage of Enigma, Interview conditions.word.exe, is a downloader written in C++. Its primary purpose is to download, deobfuscate, decompress, and launch the second stage payload. The malware incorporates several tactics to avoid detection and complicate reverse engineering, such as API hashing, string encryption, and irrelevant code.
Before delving into the analysis of "EngimaDownloader_s001," let's first examine how the malware decrypts strings and resolves hashed Windows APIs. By understanding this, we can implement an automated system to help us retrieve encrypted data and streamline the analysis process. Please be advised that to enhance code legibility, we have substituted all hashes with the corresponding function names.

API hashing is a technique employed by malware to hide the usage of potentially suspicious APIs (functions) from static detection. This technique helps the malware disguise its actions and evade detection.
It involves replacing the human-readable names of functions (such as "CreateMutexW") with a hash value, such as 0x0FD43765A. The hash value is then used in the code to call the corresponding API function, rather than using the human-readable name. The purpose of this technique is to make the process of understanding the code more time-consuming and difficult.
For API hashing, EnigmaDownloader_s001 uses the following custom MurmurHash:

Figure 7. Custom implementation of MurmurHash

The malware employs dynamic API resolving to hide its API imports and make static analysis more difficult. This technique involves storing the names or hashes of the APIs needed, then importing them dynamically at runtime.
The Windows API offers the LoadLibrary and GetProcAddress functions to facilitate this. LoadLibrary accepts the name of a DLL and returns a handle, which is then passed to GetProcAddress together with a function name to obtain a pointer to that function. To further evade detection, the malware author even implemented their own custom version of GetProcAddress to retrieve the address of functions such as LoadLibrary and others. Using standard methods like GetProcAddress and LoadLibrary might raise a red flag, so the custom implementation helps to avoid detection.

Figure 8. Dynamic API loading

The following is a list of API hash values together with the names of the functions used in this sample (please note that the hash values might be different in other variants, since the malware author modified some of the constant values in the hash generator function).

0xE04A219 : kernel32_HeapCreate
0xA1ADA36 : kernel32_lstrcpyA
0x5097BB4 : kernel32_RegOpenKeyExA
0x750EFAB : kernel32_GetLastError
0x4CB039A : kernel32_RegQueryValueExA
0xAAF4498 : kernel32_RegCloseKey
0xFAD2A34 : kernel32_lstrcmpiA
0x11A198F : combase_CoCreateGuid
0xE94A809 : kernel32_RtlZeroMemory
0x6A6A154 : kernel32_lstrcatA
0x8150471 : ntdll_RtlAllocateHeap
0x4CF4539 : user32_wvsprintfW
0x663555F : kernel32_WideCharToMultiByte
0x59CADCE : ntdll_RtlFreeHeap
0x1CE543C : cabinet_CloseDecompressor
0x11CF0A2 : wininet_InternetGetConnectedState
0x675C7B2 : kernel32_Sleep
0xDC75FF2 : wininet_InternetCheckConnectionA
0x5CC35B1 : wininet_InternetSetOptionA
0xF9E8859 : wininet_InternetOpenA
0x6F05A9E : wininet_InternetConnectA
0xBAEECD9 : wininet_HttpOpenRequestA
0xAD9A77C : wininet_HttpSendRequestA
0x835FA71 : wininet_HttpQueryInfoA
0xBFA9532 : wininet_InternetReadFile
0x99D029C : wininet_InternetCloseHandle
0x8DABD38 : kernel32_GetFileAttributesW
0x44E1C18 : kernel32_DeleteFileW
0xAB69596 : kernel32_CreateFileW
0x2CF38A1 : kernel32_WriteFile
0x1CE43DE : kernel32_CloseHandle
0x548C5A4 : Rpcrt4_RpcStringBindingComposeW
0x7B0F79F : Rpcrt4_RpcBindingFromStringBindingW
0x69A2B62 : Rpcrt4_RpcStringFreeW
0xD2CD112 : advapi32_CreateWellKnownSid
0xEFBC2E9 : kernel32_LocalFree
0x60EDB01 : Rpcrt4_RpcBindingFree
0x7A7DAA0 : Rpcrt4_RpcAsyncInitializeHandle
0xB3F16FA : kernel32_CreateEventW
0x1C23B4F : Rpcrt4_NdrAsyncClientCall
0x8C1F37 : kernel32_WaitForSingleObject
0x7831640 : Rpcrt4_RpcRaiseException
0xF2FCCFE : Rpcrt4_RpcAsyncCompleteCall
0x816F545 : kernel32_SetLastError
0xFBE2D99 : oleaut32_SysAllocString
0x393ACB : oleaut32_SysFreeString
0xC9FEF5F : kernel32_ExpandEnvironmentStringsW
0x74D51D3 : kernel32_CreateProcessW
0xCDE9EC27 : wininet_HttpWebSocketClose
0x80C8449 : kernel32_TerminateProcess
0x418B4E7E : wininet_AppCacheCheckManifest
0x44E65EB : kernel32_WaitForDebugEvent
0x81C3F46 : kernel32_ContinueDebugEvent
0x1FB9EB2 : kernel32_LoadLibraryW
0x1071970 : kernel32_GetProcAddress
0xDAE6C9B : combase_CoInitializeEx
0xFD43765 : kernel32_CreateMutexW
0x73861029 : kernel32_BasepSetFileEncryptionCompression
0xA3FE987 : advapi32_RegDeleteKeyW
0x1CA6703 : advapi32_RegCreateKeyA
0x24EBD39 : kernel32_lstrlenA
0x69F38C6 : kernel32_RegSetValueExA
0xC2D33DC : ntdll_RtlGetVersion
0xBD5D03A : kernel32_GetNativeSystemInfo
0x10BEDD60 : wininet_CreateMD5SSOHash

To resolve an API hash, the malware first passes two arguments to the "mw_resolveAPI" function. The first argument is the index number of the specific library name (in this case 0xA = Kernel32.dll), while the second argument is the hashed value of the export function name (which, in this example, is 0xFD43765A).
The mw_resolveAPI function first finds the specific index, jumps to it, and decrypts the corresponding library name value, as shown in the bottom image of Figure 9.

Figure 9. Resolving API hashes

The following is the list of decrypted library names:

WinInet.dll
userenv.dll
psapi.dll
netapi32.dll
mpr.dll
wtsapi32.dll
api-ms-win-core-processthreads-l1-1-0.dll
ntoskrnl.exe
Rpcrt4.dll
User32.dll
api-ms-win-core-com-l1-1-0.dll
Cabinet.dll
shell32.dll
OleAut32.dll
Ole32.dll
ntdll.dll
mscoree.dll
kernel32.dll
advapi32.dll

The library name and the hashed export function name are then passed to GetExportAddressByHash, which is responsible for opening a handle to the library, computing a hash for each export function name, and comparing it with the passed argument. Once a match is found, the malware returns the function address and calls it.

Figure 10. Retrieving the address of an API

The code snippet in Figure 11 demonstrates how mw_GetExportAddressByHash resolves the given API hash and retrieves the address of an exported function. The methods used to decrypt strings and resolve API hashes in both the stage 1 and stage 2 payloads are identical.
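As an added example (not the malware's code and not the researchers' tooling), the following Python script automates the hash-to-name recovery described above: it hashes candidate export names per library, the same computation GetExportAddressByHash performs at runtime, and uses the result to translate (library, hash) pairs lifted from the disassembly back into function names. Standard MurmurHash2 constants and the inline export lists are assumptions; for the real sample the constants would be replaced with those read from Figure 7 and the export lists taken from each DLL's export table.

```python
M = 0x5BD1E995   # assumed: standard MurmurHash2 multiplier (the sample alters its constants)
R = 24           # assumed: standard MurmurHash2 shift
SEED = 0         # assumed seed value
MASK = 0xFFFFFFFF


def murmur2(data: bytes, seed: int = SEED) -> int:
    """32-bit MurmurHash2 over raw bytes, reference algorithm."""
    h = (seed ^ len(data)) & MASK
    blocks = len(data) // 4
    for i in range(blocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * M) & MASK
        k ^= k >> R
        k = (k * M) & MASK
        h = (h * M) & MASK
        h ^= k
    tail = data[4 * blocks:]
    if len(tail) == 3:
        h ^= tail[2] << 16
    if len(tail) >= 2:
        h ^= tail[1] << 8
    if len(tail) >= 1:
        h ^= tail[0]
        h = (h * M) & MASK
    h ^= h >> 13
    h = (h * M) & MASK
    h ^= h >> 15
    return h


# Constructed export-name lists standing in for each DLL's export directory.
# On a real system these are read from the PE export table of the DLL.
EXPORTS = {
    "kernel32.dll": ["CreateMutexW", "HeapCreate", "GetProcAddress",
                     "LoadLibraryW", "Sleep", "CreateProcessW"],
    "wininet.dll": ["InternetOpenA", "HttpOpenRequestA", "InternetReadFile"],
    "Rpcrt4.dll": ["RpcStringBindingComposeW", "RpcAsyncInitializeHandle"],
}


def build_table(exports, hash_fn=murmur2):
    """Hash every export name per library, which is what the loader's
    GetExportAddressByHash does at runtime, but keep the result as
    {(library, hash): name} so the lookup can be done offline."""
    table = {}
    for lib, names in exports.items():
        for name in names:
            h = hash_fn(name.encode("ascii"))
            if table.get((lib, h), name) != name:
                raise ValueError(f"hash collision in {lib} at {h:#010x}")
            table[(lib, h)] = name
    return table


def resolve(table, lib, h):
    """Library name plus hashed export name -> export name, or None."""
    return table.get((lib, h))


def annotate(calls, table):
    """Rewrite (library, hash) pairs pulled from the disassembly as
    'library!Name', the substitution used to make the listing readable;
    unknown hashes are kept in hex so they stand out for manual work."""
    out = []
    for lib, h in calls:
        name = resolve(table, lib, h)
        out.append(f"{lib}!{name}" if name else f"{lib}!{h:#010x}")
    return out
```

Because the malware hashes only the export name and keys the lookup by library index, a collision check per library (as in build_table) is enough to trust the recovered names.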

Figure 11. Custom implementation of GetProcAddress

With an understanding of this process, we can then proceed with our analysis.
Upon execution, the malware creates a mutual exclusion object (mutex) to mark its presence on the system and retrieves the MachineGuid of the infected system from the SOFTWARE\Microsoft\Cryptography\MachineGuid registry key, which it uses as a unique identifier to register the system with its C&C server and track its infection.

Figure 12. Constructing a unique system identifier and creating a mutex

It then deletes the HKCU\SOFTWARE\Intel registry key and recreates it with two values, HWID and ID, as shown in Figure 13.

Figure 13. Recreating HKCU\SOFTWARE\Intel

It then collects information about the .NET Framework setup on the infected system and sends it to its C&C server, as shown in Figure 14.

Figure 14. Constructing the first debug message

Figure 15. An example of the first debug message

Two C&C servers were used in this attack chain. The first one, 193[.]56[.]146[.]29, is used to send program execution DEBUG messages, and Telegram is used to deliver payloads and send commands.
To download the next stage payload, the malware first sends a request to the attacker-controlled Telegram channel, https://api[.]telegram[.]org/bot{token}/getFile, to obtain the file_path. This approach allows the attacker to update the payload continuously and eliminates reliance on fixed file names.

Figure 16. Payload "file_path" request from Telegram

Note that in this case, the next stage payload was file_17.pack. However, this file and other stage names were changed several times during our investigation.
Upon obtaining the file_path, the malware then sends a request to download the next stage binary file (shown in Figure 17).

Figure 17. Payload download request from Telegram

Figure 18. The code responsible for decrypting the next stage payload file_id and Telegram token

If the file's download, deobfuscation, and decompression are successful, the malware sends the message "bot getted" to the debug server.

Figure 19. Successful payload retrieval debug message

To decompress the payload, the malware uses Microsoft Cabinet's Compression API (Compressapi) with the compression algorithm ("COMPRESS_RAW | COMPRESS_ALGORITHM_LZMS"). The code snippet in Figure 20 demonstrates how the malware downloads, deobfuscates, and decompresses file_17.pack (UpdateTask.dll).

Figure 20. Code responsible for downloading, deobfuscating, decompressing, and renaming the downloaded payload

Figure 21. Payload deobfuscation and decompression

Before executing the payload, the malware attempts to elevate its privileges by executing the mw_UAC_bypass function, which is part of an open-source project. This technique, Calling Local Windows RPC Servers from .NET (which was unveiled in 2019 by Project Zero), allows a user to bypass user account control (UAC) using only two remote procedure call (RPC) requests instead of DLL hijacking.

Figure 22. Successful UAC bypass execution debug message

The malware requires elevated privileges for the next stage payload, which involves loading the malicious driver by exploiting CVE-2015-2291.
Finally, the malware executes an export function called "Entry" from UpdateTask.dll via rundll32.exe, as shown in Figure 23.

Figure 23. Running the stage 2 payload through rundll32.exe

Stage 2: EngimaDownloader_s002

The second stage payload, UpdateTask.dll, is a dynamic-link library (DLL) written in C++ that contains two export functions (DllEntryPoint and Entry). The malicious code is executed in the Entry export function, which is triggered by the first stage routine. The primary purpose of this malware is to disable Microsoft Defender by deploying a malicious kernel mode driver ("bring your own vulnerable driver" or BYOVD technique) via exploiting a vulnerable Intel driver (CVE-2015-2291), and then to download and execute the third-stage payload.
Please note that the first, second, and third-stage payloads all obtain the infected system's MachineGuid at the start and use it to identify the machine in debug message network traffic, enabling the adversary to track the infected system's malware execution state.
Upon execution, the malware creates a mutex to mark its presence on the system and retrieves the MachineGuid of the infected system from the "SOFTWARE\Microsoft\Cryptography\MachineGuid" registry key.

Figure 24. Constructing a unique system identifier and creating a mutex

Next, the malware determines whether it is running as an account with administrator privileges or simply as a regular user, using the GetTokenInformation API. If the malware fails to obtain elevated privileges, it skips the disablement of Windows Defender and proceeds to download and execute the next stage of its attack.

Figure 25. Checking the process privileges

If the process successfully obtains elevated privileges, it proceeds to drop the files shown in Figure 26.

Figure 26. Stage 2 embedded binary files

Name: iQVW64.SYS (CVE-2015-2291), vulnerable Intel driver used for kernel exploitation
MD5: 1898ceda3247213c084f43637ef163b3
SHA-1: d04e5db5b6c848a29732bfd52029001f23c3da75
SHA-256: 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b

Name: Driver.SYS, malicious driver that reduces the token integrity of Microsoft Defender (MsMpEng.exe)
MD5: 28ca7a21de60671f3b528a9e08a44e1c
SHA-1: 21F1CFD310633863BABAAFE7E5E892AE311B42F6
SHA-256: D5B4C2C95D9610623E681301869B1643E4E2BF0ADCA42EAC5D4D773B024FA442

The malware uses an open-source project called KDMapper to manually map non-signed/self-signed drivers in memory by exploiting the iqvw64e.sys Intel driver. Testing of this has reportedly been done on Windows 10 version 1607 through Windows 11 version 22449.1. The functions intel_driver::Load() and kdmapper::MapDriver() are responsible for achieving this task.
The following snippet shows the debug message related to driver loading and installation:

Figure 27. Debug message for loading the driver and reporting execution status

The malware then establishes persistence on the targeted system by creating scheduled tasks.

Figure 28. Malware persistence is achieved via scheduled tasks (click the image for a larger version)

Finally, EngimaDownloader_s002 downloads and executes the next-stage payload on the infected system. To achieve this task, it employs similar methods to those used in the first stage — the only difference, in this case, is that the malware executes a .NET assembly from C++ in memory using the CLR (Common Language Runtime) hosting technique.

Figure 29. The stage 3 .NET binary is executed via CLR hosting

Stage 2.1: Enigma Driver analysis

Name: Driver.SYS
MD5: 28ca7a21de60671f3b528a9e08a44e1c
SHA-1: 21F1CFD310633863BABAAFE7E5E892AE311B42F6
SHA-256: D5B4C2C95D9610623E681301869B1643E4E2BF0ADCA42EAC5D4D773B024FA442

Figure 30. Microsoft Defender token integrity modification before and after executing Enigma Driver

The code snippets in Figure 31 show how the malware performs these operations.

Figure 31. Integrity level patching

Figure 32. Details of the vulnerable Intel driver binary

Figure 33. Details of the certificate of the vulnerable driver (top) and Enigma Driver (bottom)

Stage 3: EngimaDownloader_s003
The following table shows the details of Enigma.Bot.Net.exe.

MD5: 50949ad2b39796411a4c7a88df0696c8
SHA-1: 67a502395fc4193721c2cfc39e31be11e124e02c
SHA-256: 8dc192914e55cf9f90841098ab0349dbe31825996de99237f35a1aab6d7905bb
File size: 10.50 KB (10752 bytes)

EngimaDownloader_s003 is a third-stage downloader written in C#. It is responsible for downloading, decompressing, and executing the final stealer payload on an infected system. The malware also accepts commands from a Telegram channel, though these commands may vary between variants:
stop
alive
runassembly
Upon launch, the malware sends a "Bot started" message to both the debug server and the Telegram channel, indicating its successful execution.

Figure 34. Stage 3 payload initialization

It then sends a GET request to https://api[.]telegram[.]org/bot{token}/getUpdates to retrieve the command. Upon receiving the runassembly command, the malware downloads the next part of the final stage payload (file_19.pack), decompresses it using the GZipStream API, and executes it.
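As an added detection example (not code from the original post), the following Python script classifies outbound proxy log lines by the Telegram Bot API endpoint they hit and maps each to a step of the chain described above: the stage 1 getFile lookup and the file/bot.../ download, the stage 3 getUpdates command poll, and the message and upload traffic. The log format, hostnames and bot tokens are constructed, and the sendMessage/sendDocument mapping assumes the standard Bot API methods, which the post does not name.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines (not from the original post), one request per
# line as "<timestamp> <host> <method> <url>"; hostnames and tokens are fake.
SAMPLE_LOG = """\
2023-02-09T10:00:01Z ws-07 GET https://api.telegram.org/bot1234567890:AAExampleTokenNotReal/getFile?file_id=BQACAgIAAxk
2023-02-09T10:00:02Z ws-07 GET https://api.telegram.org/file/bot1234567890:AAExampleTokenNotReal/documents/file_17.pack
2023-02-09T10:00:09Z ws-07 GET https://api.telegram.org/bot1234567890:AAExampleTokenNotReal/getUpdates
2023-02-09T10:00:10Z ws-07 POST https://api.telegram.org/bot1234567890:AAExampleTokenNotReal/sendDocument
2023-02-09T10:00:11Z ws-07 GET https://www.example.com/index.html
2023-02-09T10:00:12Z ws-12 GET https://api.telegram.org/bot9876543210:AAAnotherFakeToken/sendMessage?text=Bot+started
"""

# Calls look like api.telegram.org/bot<token>/<method>; downloads use
# api.telegram.org/file/bot<token>/<file_path>.
BOT_API = re.compile(
    r"https?://api\.telegram\.org/(?P<download>file/)?"
    r"bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<rest>\S*)")

# Role of each method in the chain described above; sendMessage and
# sendDocument are assumed (standard Bot API methods the post does not name).
ROLE_BY_METHOD = {
    "getFile": "stage 1 payload lookup (file_id -> file_path)",
    "getUpdates": "stage 3 command poll (stop / alive / runassembly)",
    "sendMessage": "heartbeat or debug message",
    "sendDocument": "exfiltration upload",
}

@dataclass
class Finding:
    host: str
    token: str
    role: str
    detail: str

def classify(url):
    """Return (token, role, detail) for a Bot API URL, else None."""
    m = BOT_API.search(url)
    if not m:
        return None
    token, rest = m.group("token"), m.group("rest")
    if m.group("download"):
        role = "payload download"
        if rest.endswith(".pack"):
            role += " (.pack archive as used by Enigma)"
        return token, role, rest
    method = rest.split("?", 1)[0]
    return token, ROLE_BY_METHOD.get(method, "other Bot API call"), method

def scan_log(text):
    """Run classify() over every log line and collect the hits."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        _, host, _, url = parts
        hit = classify(url)
        if hit:
            token, role, detail = hit
            findings.append(Finding(host, token, role, detail))
    return findings

def hosts_with_full_chain(findings):
    """Hosts that did both a getFile lookup and a file download: the stage 1
    retrieval pattern, which holds even when the payload file name changes."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.role.split(" (")[0])
    wanted = {"stage 1 payload lookup", "payload download"}
    return sorted(h for h, roles in seen.items() if wanted <= roles)
```

Because the file names changed several times during the investigation, the lookup-then-download pairing per host is the more durable signal than any single file name.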

Figure 35. Stage 3 payload commands

Figure 36. An example of network communication between EngimaDownloader_s003 and the attacker's Telegram channel

MD5: 4DC2D57D9DB430235B21D7FB735ADF36
SHA-1: 98BF3080A85743AB933511D402E94D1BCEE0C545
SHA-256: 4D2FB518C9E23C5C70E70095BA3B63580CAFC4B03F7E6DCE2931C54895F13B2C
File size: 2954.75 KB (2954752 bytes)

The final stage is the Enigma Stealer which, as we previously mentioned, is a modified version of an open-source information stealer project called Stealerium.
Upon execution, the malware initializes its configuration and sets up its working directory.

Figure 37. Enigma Stealer initialization

The malware configuration is as follows:
public static string Version = "0.05.01";
public static string DebugMode = "0";
public static string Mutex = "6C0560CE-2E75-4BB4-A26E-F08592A1D56D";
public static string AntiAnalysis = "0";
public static string Autorun = "1";
public static string StartDelay = "0";
public static string WebcamScreenshot = "1";
public static string KeyloggerModule = "0";
public static string ClipperModule = "0";
public static string GrabberModule = "0";
public static string TelegramToken = "5894962737:AAHAFZnz2AkLAyHC0G-7S2je9JMWWLJHGsU";
public static string TelegramChatID = "5661436914";
It then begins to collect system information and steals user information, tokens, and passwords from various web browsers and applications such as Google Chrome, Microsoft Edge, Microsoft Outlook, Telegram, Signal, OpenVPN and others. It captures screenshots and extracts clipboard content and VPN configurations.

Figure 38. Enigma Stealer exfiltrating sensitive data

The collected information is then compressed and exfiltrated to the attacker via Telegram.

Figure 39. An example of data exfiltrated from the victim's system

Figure 40. Data upload logic

Figure 41 illustrates a sample of the network traffic generated by the malware.

Figure 41. Network traffic of the data upload to the attacker's Telegram channel

Figure 42. Enigma Stealer functions

It is worth mentioning that some strings, such as web browser paths and geolocation API service URLs, are encrypted with the AES algorithm in cipher-block chaining (CBC) mode.

Figure 43. String encryption logic

List of decrypted strings:
Chromium\User Data
Google\Chrome\User Data
Google(x86)\Chrome\User Data
Opera Software
MapleStudio\ChromePlus\User Data
Iridium\User Data
7Star\7Star\User Data//
CentBrowser\User Data//
Chedot\User Data
Vivaldi\User Data
Kometa\User Data
Elements Browser\User Data
Epic Privacy Browser\User Data
uCozMedia\Uran\User Data
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
CatalinaGroup\Citrio\User Data
Coowon\Coowon\User Data
liebao\User Data
QIP Surf\User Data
Orbitum\User Data
Comodo\Dragon\User Data
Amigo\User\User Data
Torch\User Data
Yandex\YandexBrowser\User Data
Comodo\User Data
360Browser\Browser\User Data
Maxthon3\User Data
K-Melon\User Data
CocCoc\Browser\User Data
BraveSoftware\Brave-Browser\User Data
Microsoft\Edge\User Data
http://ip-api.com/line/?fields=hosting
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
https://discordapp.com/api/v6/users/@me

Similar to previous campaigns involving groups such as Lazarus, this campaign demonstrates a persistent and successful attack vector for various advanced persistent threat (APT) groups and threat actors. By using employment lures, these actors can target individuals and organizations within the cryptocurrency and Web 3 sphere. Additionally, this case highlights the evolving nature of modular malware that employs highly obfuscated and evasive techniques along with the use of continuous integration and continuous delivery (CI/CD) principles for continuous malware development.
Organizations can protect themselves by remaining vigilant against phishing attacks. Additionally, individuals are advised to remain wary of social media posts or phishing attempts that offer job opportunities unless they are sure of their legitimacy. Due to current economic conditions, threat actors can be expected to continue to heavily deploy employment lures to target those seeking employment.
Meanwhile, organizations should also consider a cutting-edge multilayered defensive strategy and comprehensive security solutions such as Trend Micro™ XDR that can detect, scan, and block malicious URLs across the modern threat landscape.

The indicators of compromise for this entry can be found here.
