That dream crypto job offer is probably just malware


Hackers have been found once again using the classic “fake crypto job” scam to distribute dangerous malware, experts have warned.

However, instead of the usual North Korean Lazarus Group, this time it’s the Russians trying to take advantage of gullible crypto workers. Cybersecurity researchers from Trend Micro recently observed unnamed Russian threat actors targeting workers in the cryptocurrency industry in Eastern Europe.

They would send out emails, inviting the victims to consider a new job offer at a crypto firm. The email would carry two attachments, one seemingly benign .txt file (titled “Interview Questions”) and one obviously malicious (titled “Interview Conditions.word.exe”).
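As an added example (not from the article or from Trend Micro), here is a mail-gateway-style check that flags attachment names like the one described above, where a document-looking token sits in front of an executable extension. The extension lists and the sample message are constructed for illustration.

```python
from email import message_from_string

# Final extensions Windows runs or hands to a script host (illustrative, not exhaustive).
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk", "msi"}
# Tokens that make a name read like a document; "word" is the decoy quoted in the article.
DECOY = {"doc", "docx", "word", "pdf", "txt", "rtf", "xls", "xlsx", "jpg", "png"}

def classify(filename):
    """Return 'deceptive-executable', 'executable' or 'ok' for one attachment name."""
    # Windows drops trailing dots and spaces from file names, so ignore them here too.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE:
        return "ok"
    # A document-like token before the real extension is the lure described above.
    if any(p in DECOY for p in parts[1:-1]):
        return "deceptive-executable"
    return "executable"

def scan_message(raw):
    """Map every attachment file name in a raw RFC 5322 message to its verdict."""
    verdicts = {}
    for part in message_from_string(raw).walk():
        fname = part.get_filename()  # also decodes RFC 2231 encoded names
        if fname:
            verdicts[fname] = classify(fname)
    return verdicts

# Constructed sample message; subject and bodies are placeholders.
SAMPLE = "\n".join([
    "Subject: Job offer",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    'Content-Disposition: attachment; filename="Interview Questions.txt"',
    "",
    "placeholder",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="Interview Conditions.word.exe"',
    "",
    "placeholder",
    "--b1--",
])

if __name__ == "__main__":
    for fname, verdict in scan_message(SAMPLE).items():
        print(f"{verdict:22} {fname}")
```

The check works on the declared file name only; a gateway would pair it with content-type inspection, since a name can be changed freely by the sender.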

Bring your own vulnerable driver

The attack is a three-step campaign. If the victim runs the executable, it downloads a second payload that abuses a vulnerability in an Intel driver, tracked as CVE-2015-2291. This method, commonly referred to as “Bring Your Own Vulnerable Driver”, allows threat actors to execute commands with kernel privileges, which they use to disable antivirus protection.

Once the antivirus is disabled, they trigger the download of the third payload, which is a variant of the Stealerium malware, named Enigma.

The malware, which gets pulled from a private Telegram channel, is capable of extracting system information, browser tokens, and stored passwords (it targets virtually all popular browsers, including Chrome, Edge, and Opera), as well as data stored in Outlook, Telegram, Signal, OpenVPN, and more. Enigma can also grab screenshots and extract clipboard content.

When it gets what it wants, Enigma zips it all up in a Data.zip archive and sends it back via Telegram.

While fake job offers are usually something Lazarus Group does, Trend Micro believes that this time around, the group is of Russian origin. Apparently, one of the logging servers hosts an Amadey C2 panel, which is largely popular among Russian cybercriminals. Furthermore, the server runs “Deniska”, a Linux variant used almost exclusively by Russians, and the server’s default time zone is also set to Moscow.

Via: BleepingComputer

Sead Fadilpašić
