{"id":50503,"date":"2023-02-09T00:00:00","date_gmt":"2023-02-09T00:00:00","guid":{"rendered":"urn:uuid:c534bba7-e8cf-eba1-c06f-83ba2961a114"},"modified":"2023-02-09T00:00:00","modified_gmt":"2023-02-09T00:00:00","slug":"enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/","title":{"rendered":"Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Enigme-Stealer-cover.jpg\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/b\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.215811965812\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1310375746\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.2287234042553\">\n<div class=\"article-details\" role=\"heading\" readability=\"35.81914893617\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">We discovered an active campaign targeting Eastern Europeans in the cryptocurrency industry using fake job lures.<\/p>\n<p class=\"article-details__author-by\">By: Aliakbar Zahravi, Peter Girnus <time class=\"article-details__date\">February 09, 2023<\/time><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p>We recently found an active campaign that uses a fake employment pretext targeting Eastern Europeans in the cryptocurrency industry to install an information stealer. In this campaign, the suspected Russian threat actors use several highly obfuscated, still-under-development custom loaders to infect people working in the cryptocurrency industry with Enigma Stealer (detected as TrojanSpy.MSIL.ENGIMASTEALER.YXDBC), a modified version of the Stealerium information stealer. 
In addition to these loaders, the attacker also exploits CVE-2015-2291, an Intel driver vulnerability, to load a malicious driver designed to reduce the token integrity of Microsoft Defender.<\/p>\n<p>Stealerium, the original information stealer which serves as the base for Enigma Stealer, is an open-source project written in C# and markets itself as a stealer, clipper, and keylogger with logging capabilities using the Telegram API. Security teams and individual users are advised to continuously update the security solutions of their systems and remain vigilant against threat actors who perform social engineering via job opportunity or salary increase-related lures.<\/p>\n<p><span class=\"body-subhead-title\">Attack Chain<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"2f1cf1\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer-1-Diagram.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer-1-Diagram.jpg\" alt=\"Figure 1. The Attack kill chain used by Enigma Stealer operator\"> <\/a><figcaption>Figure 1. The Attack kill chain used by Enigma Stealer operator (click the image for a larger version)<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p><span class=\"body-subhead-title\">Using fake cryptocurrency interviews to lure victims<\/span><\/p>\n<p>The infection chain starts with a malicious RAR archive \u2014 in this instance, contract.rar (SHA256: 658725fb5e75ebbcb03bc46d44f048a0f145367eff66c8a1a9dc84eef777a9cc) \u2014 which is distributed to victims via phishing attempts or through social media. 
The archive contains two files: Interview questions.txt and Interview conditions.word.exe.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"f3ccea\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%202.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%202.jpg\" alt=\"Figure 2. The files found inside the malicious RAR archive\"> <\/a><figcaption>Figure 2. The files found inside the malicious RAR archive<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>These files set up the pretext for a fake cryptocurrency role or job opening. One file, Interview questions.txt (SHA256: 3a1eb6fabf45d18869de4ffd773ae82949ef80f89105e5f96505de810653ed73), contains sample interview questions written in Cyrillic. It serves to make the package look legitimate to the victim and to draw attention away from the malicious binary.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"d084e4\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%203.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%203.jpg\" alt=\"Figure 3. A machine translation of Interview questions.txt\"> <\/a><figcaption>Figure 3. 
A machine translation of Interview questions.txt<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.5\">\n<div readability=\"22\">\n<p>The other file, Interview conditions.word.exe (SHA256: 03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23), contains the first-stage Enigma loader. Its double extension makes the executable pass for a Word document (with Explorer&#8217;s default of hiding known extensions it is listed as Interview conditions.word), which is what lures the victim into running it. Once executed, the loader registers the host with the operators&#8217; infrastructure and downloads the second-stage payload.<\/p>\n<p><span class=\"body-subhead-title\">Analysis of the Enigma infrastructure<\/span><\/p>\n<p>Enigma uses two servers in its operation. The first is Telegram, used to deliver payloads, send commands, and receive the payload heartbeat. The second, 193[.]56[.]146[.]29, is used for DevOps and logging: at each stage the payload sends its execution log there. Since the malware is under continuous development, the attacker likely uses these logs to debug and improve it. We also identified an Amadey C&amp;C panel on 193[.]56[.]146[.]29, with only one sample (MD5: 95b4de74daadf79f0e0eef7735ce80bc) communicating with it.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"eda6a5\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%204.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%204.jpg\" alt=\"Figure 4. Amadey C&amp;C login page\"> <\/a><figcaption>Figure 4. 
Amadey C&amp;C login page<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Amadey is a popular botnet sold on Russian-speaking forums; its source code has also been leaked online. It offers threat actors polling and reconnaissance capabilities.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"bf78a7\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%205.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%205.jpg\" alt=\"Figure 5. The exposed info.php page of the threat actors\u2019 command-and-control (C&amp;C) infrastructure\"> <\/a><figcaption>Figure 5. The exposed info.php page of the threat actors\u2019 command-and-control (C&amp;C) infrastructure<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>This server runs an uncommon Linux distribution that is referenced only on Russian-language Linux forums.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"0f24ca\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%206.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%206.jpg\" alt=\"Figure 6. The default time zone of the C&amp;C server\"> <\/a><figcaption>Figure 6. 
The default time zone of the C&amp;C server<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The default time zone on this server is set to Europe\/Moscow. This server registers a newly infected host when Interview conditions.word.exe is executed by the victim.<\/p>\n<p><span class=\"body-subhead-title\">Stage 1: EnigmaDownloader_s001<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"5%\">\n<tbody readability=\"3\">\n<tr readability=\"2\">\n<td><b>MD5<\/b><\/td>\n<td>1693D0A858B8FF3B83852C185880E459<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-1<\/b><\/td>\n<td>5F1536F573D9BFEF21A4E15273B5A9852D3D81F1<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-256<\/b><\/td>\n<td>03B9D7296B01E8F3FB3D12C4D80FE8A1BB0AB2FD76F33C5CE11B40729B75FB23<\/td>\n<\/tr>\n<tr>\n<td><b>File size<\/b><\/td>\n<td>367.00 KB (375808 bytes)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"47\">\n<div readability=\"39\">\n<p>The initial stage of Enigma, <i>Interview conditions.word.exe<\/i>, is a downloader written in C++. Its primary objective is to download, deobfuscate, decompress, and launch the second-stage payload. The malware incorporates multiple tactics to avoid detection and complicate reverse engineering, such as API hashing, string encryption, and junk code.<\/p>\n<p>Before delving into the analysis of &#8220;EnigmaDownloader_s001,&#8221; let&#8217;s first examine how the malware decrypts strings and resolves hashed Windows APIs. With that understood, we can script the recovery of encrypted data and hashed API names and streamline the rest of the analysis. 
Note that, for legibility, the screenshots below show hashes replaced with the corresponding function names.<\/p>\n<p>API hashing is a technique malware uses to hide its use of potentially suspicious APIs (functions) from static detection: the binary carries neither import entries nor readable strings for them, so import-table and string-based signatures lose their signal.<\/p>\n<p>It involves replacing the human-readable name of a function (such as &#8220;CreateMutexW&#8221;) with a hash value, such as 0x0FD43765A. At runtime the code uses the hash, not the name, to locate and call the corresponding API function. The purpose is to make understanding the code more time-consuming and difficult.<\/p>\n<p>For API hashing, EnigmaDownloader_s001 uses the following custom MurmurHash:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"5588f6\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%207.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%207.jpg\" alt=\"Figure 7. Custom implementation of murmur hash\"> <\/a><figcaption>Figure 7. Custom implementation of murmur hash<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>The malware employs dynamic API resolution to conceal its imports and make static analysis more difficult. Instead of an import table, it stores the names or hashes of the APIs it needs and resolves them at runtime.<\/p>\n<p>The Windows API offers the LoadLibrary and GetProcAddress functions to facilitate this. 
LoadLibrary accepts the name of a DLL and returns a handle, which is then passed to GetProcAddress along with a function name to obtain a pointer to that function. To further evade detection, the malware author even implemented their own custom version of GetProcAddress to retrieve the address of functions such as LoadLibrary and others. The use of standard methods like GetProcAddress and LoadLibrary might raise a red flag, so the custom implementation helps to avoid detection.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"0511dd\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%208.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%208.jpg\" alt=\"Figure 8. Dynamic API loading\"> <\/a><figcaption>Figure 8. 
Dynamic API loading<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.5\">\n<div readability=\"22\">\n<p>The following is a list of API hash values along with the names of functions that have been used in this sample (Please note that the hash value might be different in other variants since the malware author changed some of the constant values in the hash generator function).<\/p>\n<ul>\n<li><span class=\"blockquote\"><span class=\"rte-red-bullet\">0xE04A219 : kernel32_HeapCreate<br \/>0xA1ADA36 : kernel32_lstrcpyA<br \/>0x5097BB4 : kernel32_RegOpenKeyExA<br \/>0x750EFAB : kernel32_GetLastError<br \/>0x4CB039A : kernel32_RegQueryValueExA<br \/>0xAAF4498 : kernel32_RegCloseKey<br \/>0xFAD2A34 : kernel32_lstrcmpiA<br \/>0x11A198F : combase_CoCreateGuid<br \/>0xE94A809 : kernel32_RtlZeroMemory<br \/>0x6A6A154 : kernel32_lstrcatA<br \/>0x8150471 : ntdll_RtlAllocateHeap<br \/>0x4CF4539 : user32_wvsprintfW<br \/>0x663555F : kernel32_WideCharToMultiByte<br \/>0x59CADCE : ntdll_RtlFreeHeap<br \/>0x1CE543C : cabinet_CloseDecompressor<br \/>0x11CF0A2 : wininet_InternetGetConnectedState<br \/>0x675C7B2 : kernel32_Sleep<br \/>0xDC75FF2 : wininet_InternetCheckConnectionA<br \/>0x5CC35B1 : wininet_InternetSetOptionA<br \/>0xF9E8859 : wininet_InternetOpenA<br \/>0x6F05A9E : wininet_InternetConnectA<br \/>0xBAEECD9 : wininet_HttpOpenRequestA<br \/>0xAD9A77C : wininet_HttpSendRequestA<br \/>0x835FA71 : wininet_HttpQueryInfoA<br \/>0xBFA9532 : wininet_InternetReadFile<br \/>0x99D029C : wininet_InternetCloseHandle<br \/>0x8DABD38 : kernel32_GetFileAttributesW<br \/>0x44E1C18 : kernel32_DeleteFileW<br \/>0xAB69596 : kernel32_CreateFileW<br \/>0x2CF38A1 : kernel32_WriteFile<br \/>0x1CE43DE : kernel32_CloseHandle<br \/>0x548C5A4 : Rpcrt4_RpcStringBindingComposeW<br \/>0x7B0F79F : Rpcrt4_RpcBindingFromStringBindingW<br \/>0x69A2B62 : Rpcrt4_RpcStringFreeW<br \/>0xD2CD112 : advapi32_CreateWellKnownSid<br \/>0xEFBC2E9 : kernel32_LocalFree<br \/>0x60EDB01 : 
Rpcrt4_RpcBindingFree<br \/>0x7A7DAA0 : Rpcrt4_RpcAsyncInitializeHandle<br \/>0xB3F16FA : kernel32_CreateEventW<br \/>0x1C23B4F : Rpcrt4_NdrAsyncClientCall<br \/>0x8C1F37 : kernel32_WaitForSingleObject<br \/>0x7831640 : Rpcrt4_RpcRaiseException<br \/>0xF2FCCFE : Rpcrt4_RpcAsyncCompleteCall<br \/>0x816F545 : kernel32_SetLastError<br \/>0xFBE2D99 : oleaut32_SysAllocString<br \/>0x393ACB : oleaut32_SysFreeString<br \/>0xC9FEF5F : kernel32_ExpandEnvironmentStringsW<br \/>0x74D51D3 : kernel32_CreateProcessW<br \/>0xCDE9EC27 : wininet_HttpWebSocketClose<br \/>0x80C8449 : kernel32_TerminateProcess<br \/>0x418B4E7E : wininet_AppCacheCheckManifest<br \/>0x44E65EB : kernel32_WaitForDebugEvent<br \/>0x81C3F46 : kernel32_ContinueDebugEvent<br \/>0x1FB9EB2 : kernel32_LoadLibraryW<br \/>0x1071970 : kernel32_GetProcAddress<br \/>0xDAE6C9B : combase_CoInitializeEx<br \/>0xFD43765 : kernel32_CreateMutexW<br \/>0x73861029 : kernel32_BasepSetFileEncryptionCompression<br \/>0xA3FE987 : advapi32_RegDeleteKeyW<br \/>0x1CA6703 : advapi32_RegCreateKeyA<br \/>0x24EBD39 : kernel32_lstrlenA<br \/>0x69F38C6 : kernel32_RegSetValueExA<br \/>0xC2D33DC : ntdll_RtlGetVersion<br \/>0xBD5D03A : kernel32_GetNativeSystemInfo<br \/>0x10BEDD60 : wininet_CreateMD5SSOHash&nbsp;<\/span><\/span><\/li>\n<\/ul>\n<p>To resolve the API hash, the malware first passes two arguments to the &#8220;mw_resolveAPI&#8221; function. 
The first argument is the index of the library name (in this case 0xA = <i>Kernel32.dll<\/i>), and the second is the hash of the export function name (in this example, 0xFD43765A).<\/p>\n<p>mw_resolveAPI first locates that index, jumps to the corresponding entry, and decrypts the library name stored there, as shown in the bottom image of Figure 9.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"184c35\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%209a.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%209a.jpg\" alt=\"Figure 9. Resolving API hashes\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"707489\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%209b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%209b.jpg\" alt=\"Figure 9. Resolving API hashes\"> <\/a><figcaption>Figure 9. 
Resolving API hashes<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>The following is the list of decrypted library names:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">WinInet.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">userenv.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">psapi.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">netapi32.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">mpr.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">wtsapi32.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">api-ms-win-core-processthreads-l1-1-0.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ntoskrnl.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Rpcrt4.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">User32.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">api-ms-win-core-com-l1-1-0.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Cabinet.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">shell32.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">OleAut32.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Ole32.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ntdll.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">mscoree.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">kernel32.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">advapi32.dll<\/span><\/li>\n<\/ul>\n<p>The decrypted library name and the export-name hash are then passed to GetExportAddressByHash, which obtains a handle to the library, walks its export table hashing each exported name, and compares each result with the requested hash. 
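The same hash-and-compare loop can be reproduced on the analyst's side to turn the hash constants back into names. The following Python is an added example, not code from the article, from Trend Micro, or from the malware: it implements standard MurmurHash2 as a stand-in for the sample's custom variant (whose modified constants are not reproduced here, so its output will not match the hash list above), a `resolve_api` that mirrors the library-index plus export-hash lookup, and an `annotate_listing` helper that rewrites hash constants in a disassembly listing. The export lists and the library-index table are constructed for the example; only the 0xA = kernel32 mapping comes from the article.

```python
"""Resolve API hashes back to export names, the way an analyst helper script would.

Added example, not code from the Trend Micro article. EnigmaDownloader_s001 uses a
custom MurmurHash with modified constants that are not reproduced here; standard
MurmurHash2 (seed 0) is used as a stand-in, so the values below will NOT match the
hash table in the article. The workflow is the point: hash every export name of the
DLLs the loader decrypts, build a lookup table, and annotate the constants pulled
from the disassembly. Swap `murmurhash2` for a port of the routine in Figure 7 to
get matching values.
"""
import re
import struct

# Candidate exports per library: a constructed subset. A real run would hash the
# full export tables of the DLLs (e.g. dumped with pefile on a Windows box).
EXPORTS = {
    "kernel32": ["CreateMutexW", "LoadLibraryW", "GetProcAddress", "CreateProcessW",
                 "HeapCreate", "Sleep", "WriteFile", "CloseHandle"],
    "wininet": ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                "HttpSendRequestA", "InternetReadFile", "InternetCloseHandle"],
    "advapi32": ["RegCreateKeyA", "RegSetValueExA", "RegDeleteKeyW"],
}
# Library-index -> DLL mapping used by mw_resolveAPI. Only 0xA = kernel32 is given
# in the article; the other indices would be read out of the sample.
LIB_INDEX = {0xA: "kernel32"}


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """Austin Appleby's 32-bit MurmurHash2, stand-in for the sample's custom variant."""
    m, r, mask = 0x5BD1E995, 24, 0xFFFFFFFF
    h = (seed ^ len(data)) & mask
    n = len(data) // 4
    for i in range(n):                      # 4-byte blocks
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * m) & mask
        k ^= k >> r
        k = (k * m) & mask
        h = ((h * m) & mask) ^ k
    tail = data[n * 4:]                     # 0-3 trailing bytes
    if len(tail) >= 3:
        h ^= tail[2] << 16
    if len(tail) >= 2:
        h ^= tail[1] << 8
    if len(tail) >= 1:
        h ^= tail[0]
        h = (h * m) & mask
    h ^= h >> 13
    h = (h * m) & mask
    h ^= h >> 15
    return h


def resolve_api(lib_index: int, api_hash: int, hash_fn=murmurhash2, seed: int = 0):
    """Mimic mw_resolveAPI / GetExportAddressByHash: pick the DLL by index, hash each
    export name and compare. Returns 'dll!Name' or None (the loader would return the
    export's address instead)."""
    dll = LIB_INDEX.get(lib_index)
    for name in EXPORTS.get(dll, []):
        if hash_fn(name.encode("ascii"), seed) == api_hash:
            return f"{dll}!{name}"
    return None


def build_table(hash_fn=murmurhash2, seed: int = 0) -> dict:
    """Analyst side: precompute hash -> 'dll!Name' over every candidate export.
    First writer wins on a collision; a real tool should report collisions."""
    table = {}
    for dll, names in EXPORTS.items():
        for name in names:
            table.setdefault(hash_fn(name.encode("ascii"), seed), f"{dll}!{name}")
    return table


def annotate(hashes, table: dict) -> dict:
    """Map each hash constant from the disassembly to a name, or None if unknown."""
    return {h: table.get(h) for h in hashes}


HEX = re.compile(r"0x[0-9A-Fa-f]{6,8}")   # 6+ digits skips small constants like the 0xA library index


def annotate_listing(listing: str, table: dict) -> str:
    """Rewrite hash constants in a text listing with resolved names, as the article
    did for its screenshots."""
    return HEX.sub(lambda m: table.get(int(m.group(0), 16), m.group(0)), listing)


if __name__ == "__main__":
    table = build_table()
    h = murmurhash2(b"CreateMutexW")
    print(annotate_listing(f"call mw_resolveAPI(0xA, 0x{h:08X})", table))
```

To use it against the real sample, port the routine from Figure 7 (including its changed constants) in place of `murmurhash2`, and feed the full export tables of every DLL in the decrypted library list; report collisions rather than silently keeping the first name, since two exports with the same hash cannot be told apart from the constant alone.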
Once the match is found, the malware returns the function address and calls it.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"0f49a8\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2010.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2010.jpg\" alt=\"Figure 10. Retrieving the address of an API\"> <\/a><figcaption>Figure 10. Retrieving the address of an API<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The code snippet in Figure 11 demonstrates how mw_GetExportAddressByHash resolves the given API hash and retrieves the address of an exported function. The techniques used to decrypt strings and resolve API hashes in both the stage 1 and stage 2 payloads are identical.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"0b1ac4\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2011.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2011.jpg\" alt=\"Figure 11. Custom implementation of GetProcAddress\"> <\/a><figcaption>Figure 11. 
Custom implementation of GetProcAddress<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>With an understanding of this process, we can then proceed with our analysis.<\/p>\n<p>Upon execution, the malware creates the mutual exclusion object (mutex) to mark its presence in the system and retrieves the MachineGuid of the infected system from the <i>SOFTWARE\\Microsoft\\Cryptography\\MachineGuid<\/i> registry key, which it uses as a unique identifier to register the system with its C&amp;C server and track its infection.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"ea2baa\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2012.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2012.jpg\" alt=\"Figure 12. Constructing a unique system identifier and creating a mutex\"> <\/a><figcaption>Figure 12. 
Constructing a unique system identifier and creating a mutex<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>It then deletes the <i>HKCU\\SOFTWARE\\Intel<\/i> registry key and recreates it with two values, <i>HWID<\/i> and <i>ID<\/i>, as shown in Figure 13.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"8ea66c\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2013.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2013.jpg\" alt=\"Figure 13. Recreating HKCU\\SOFTWARE\\Intel\"> <\/a><figcaption>Figure 13. Recreating HKCU\\SOFTWARE\\Intel<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>It then collects information about the .NET Framework Setup on the infected system and sends it to its C&amp;C server as shown in Figure 14.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"7b61f7\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2014.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2014.jpg\" alt=\"Figure 14. Constructing first debug message\"> <\/a><figcaption>Figure 14. 
Constructing first debug message<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"49197b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2015.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2015.jpg\" alt=\"Figure 15. An example of the first debug message\"> <\/a><figcaption>Figure 15. An example of the first debug message<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>Two C&amp;C endpoints are used in this attack chain. The first, <i>193[.]56[.]146[.]29<\/i>, receives the program&#8217;s execution debug messages; the second is Telegram, which delivers the payloads and carries commands.<\/p>\n<p>To download the next-stage payload, the malware first calls the Telegram Bot API method <i>https:\/\/api[.]telegram[.]org\/bot{token}\/getFile<\/i> with its embedded file_id to obtain the current file_path. Resolving the path at runtime lets the attacker keep updating the hosted file without relying on a fixed file name. Note that anyone who recovers the bot token and file_id from the sample can issue the same getFile call and retrieve the current payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"5ac963\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2016.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2016.jpg\" alt=\"Figure 16. Payload \u201cfile_path\u201d request from Telegram\"> <\/a><figcaption>Figure 16. 
Payload \u201cfile_path\u201d request from Telegram<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>In this case the next-stage payload was <i>file_17.pack<\/i>; this and the other stage file names changed several times during our investigation.<\/p>\n<p>With the file_path in hand, the malware requests the next-stage binary from Telegram&#8217;s file endpoint, <i>https:\/\/api[.]telegram[.]org\/file\/bot{token}\/{file_path}<\/i> (Figure 17).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"2ba4cf\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2017.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2017.jpg\" alt=\"Figure 17. Payload download request from Telegram\"> <\/a><figcaption>Figure 17. Payload download request from Telegram<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"3861f7\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2018-l.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2018.jpg\" alt=\"Figure 18. The code responsible for decrypting the next stage payload file_id and Telegram token\"> <\/a><figcaption>Figure 18. 
The code responsible for decrypting the next stage payload file_id and Telegram token<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>If the file&#8217;s download, deobfuscation, and decompression are successful, the malware sends the message &#8220;bot getted&#8221; to the debug server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"d7d066\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2019.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2019.jpg\" alt=\"Figure 19. Successful payload retrieval debug message\"> <\/a><figcaption>Figure 19. Successful payload retrieval debug message<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>To decompress the payload, the malware uses the Microsoft Compression API (<i>Compressapi<\/i>, exported by cabinet.dll) with the algorithm flags &#8220;COMPRESS_RAW | COMPRESS_ALGORITHM_LZMS&#8221;. 
The code snippet in Figure 20 demonstrates how the malware downloads, deobfuscates, and decompresses <i>file_17.pack<\/i> (<i>UpdateTask.dll<\/i>).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"8b2c5a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2020-1.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2020.jpg\" alt=\"Figure 20. Code responsible for downloading, deobfuscating, decompressing, and renaming the downloaded payload\"> <\/a><figcaption>Figure 20. Code responsible for downloading, deobfuscating, decompressing, and renaming the downloaded payload<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"c196b0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2021-l.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2021.jpg\" alt=\"Figure 21. Payload deobfuscation and decompression\"> <\/a><figcaption>Figure 21. Payload deobfuscation and decompression<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"29.057251908397\">\n<div readability=\"11.791348600509\">\n<p>Before executing the payload, the malware attempts to elevate its privileges by executing the mw_UAC_bypass function, which is <a href=\"https:\/\/github.com\/aaaddress1\/PR0CESS\">part of an open-source project<\/a>. 
This technique, Calling Local Windows RPC Servers from .NET (which was <a href=\"https:\/\/googleprojectzero.blogspot.com\/2019\/12\/calling-local-windows-rpc-servers-from.html\">unveiled in 2019 by Project Zero<\/a>), allows a user to bypass user account control (UAC) using only two remote procedure call (RPC) requests instead of DLL hijacking.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"2f4194\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2022.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2022.jpg\" alt=\"Figure 22. Successful UAC bypass execution debug message\"> <\/a><figcaption>Figure 22. Successful UAC bypass execution debug message<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The malware requires elevated privileges for the subsequent stage payload, which involves loading the malicious driver by exploiting CVE-2015-2291.<\/p>\n<p>Finally, the malware executes an export function called &#8220;Entry&#8221; from <i>UpdateTask.dll<\/i> via <i>rundll32.exe<\/i> as shown in Figure 23.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"394f2d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2023-l.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2023.jpg\" alt=\"Figure 23. 
Running the stage 2 payload through rundll32.exe\"> <\/a><figcaption>Figure 23. Running the stage 2 payload through rundll32.exe<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><span class=\"body-subhead-title\">Stage 2: EngimaDownloader_s002<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"5%\">\n<tbody readability=\"3\">\n<tr readability=\"2\">\n<td><b>MD5<\/b><\/td>\n<td>377f617ccd4aa09287d5221d5d8e1228<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-1<\/b><\/td>\n<td>288358deaa053b30596100c9841a7d6d1616908d<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-256<\/b><\/td>\n<td>f1623c2f7c00affa3985cf7b9cdf25e39320700fa9d69f9f9426f03054b4b712<\/td>\n<\/tr>\n<tr>\n<td><b>File size<\/b><\/td>\n<td>497.50 KB (509440 bytes)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p>The second stage payload, <i>UpdateTask.dll<\/i>, is a dynamic-link library (DLL) written in C++ that comprises two export functions (DllEntryPoint and Entry). The malicious code is executed in the Entry export function, which is triggered by the first stage routine. 
The primary objective of this malware is to disable Microsoft Defender by deploying a malicious kernel-mode driver (the \u201cbring your own vulnerable driver\u201d or BYOVD method) through exploitation of a vulnerable Intel driver (CVE-2015-2291), and then to download and execute the third-stage payload.<\/p>\n<p>Note that the first-, second-, and third-stage payloads all obtain the infected system&#8217;s MachineGuid at the start and use it to identify the machine in debug message network traffic, enabling the adversary to track the infected system&#8217;s malware execution state.<\/p>\n<p>Upon execution, the malware creates a mutex to mark its presence on the system and retrieves the MachineGuid of the infected system from the &#8220;SOFTWARE\\Microsoft\\Cryptography\\MachineGuid&#8221; registry key.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"d1c88d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2024.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2024.jpg\" alt=\"Figure 24. Constructing a unique system identifier and creating a mutex\"> <\/a><figcaption>Figure 24. Constructing a unique system identifier and creating a mutex<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Next, the malware determines whether it is running under an account with administrator privileges or as a regular user by using the GetTokenInformation API. 
If the malware fails to obtain elevated privileges, it skips the step that disables Windows Defender and proceeds to download and execute the next stage of its attack.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"3b920d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2025.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2025.jpg\" alt=\"Figure 25. Checking the process privileges\"> <\/a><figcaption>Figure 25. Checking the process privileges<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>If the process successfully obtains elevated privileges, it proceeds to drop the files shown in Figure 26.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"cb547c\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2026.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2026.jpg\" alt=\"Figure 26. Stage 2 embedded binary files\"> <\/a><figcaption>Figure 26. 
Stage 2 embedded binary files<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"5%\">\n<tbody readability=\"5.5\">\n<tr readability=\"2\">\n<td><b>Name<\/b><\/td>\n<td>iQVW64.SYS (CVE-2015-2291)<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td><b>Description<\/b><\/td>\n<td>Vulnerable Intel driver, used for kernel exploitation<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>MD5<\/b><\/td>\n<td>1898ceda3247213c084f43637ef163b3<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-1<\/b><\/td>\n<td>d04e5db5b6c848a29732bfd52029001f23c3da75<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-256<\/b><\/td>\n<td>4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.898224043716\">\n<div class=\"responsive-table-wrap\" readability=\"11.426229508197\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"5%\">\n<tbody readability=\"4\">\n<tr>\n<td><b>Name<\/b><\/td>\n<td>Driver.SYS<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>Description<\/b><\/td>\n<td>Malicious driver that lowers the token integrity level of Microsoft Defender (MsMpEng.exe)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>MD5<\/b><\/td>\n<td>28ca7a21de60671f3b528a9e08a44e1c<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-1<\/b><\/td>\n<td>21F1CFD310633863BABAAFE7E5E892AE311B42F6<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-256<\/b><\/td>\n<td>D5B4C2C95D9610623E681301869B1643E4E2BF0ADCA42EAC5D4D773B024FA442<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The malware uses an <a href=\"https:\/\/github.com\/TheCruZ\/kdmappe\">open-source project called KDMapper<\/a> to manually map unsigned or self-signed drivers into memory by exploiting the <i>iqvw64e.sys<\/i> Intel driver. 
KDMapper has reportedly been tested on Windows 10 version 1607 through Windows 11 version 22449.1. The functions intel_driver::Load() and kdmapper::MapDriver() are both responsible for achieving this task.<\/p>\n<p>Figure 27 shows the debug message related to driver loading and installation:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"9fdcde\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2027-l.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2027.jpg\" alt=\"Figure 27. Debug message for loading the driver and providing execution status\"> <\/a><figcaption>Figure 27. Debug message for loading the driver and providing execution status<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The malware then establishes persistence on the targeted system by creating scheduled tasks.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"410b34\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2028.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2028.jpg\" alt=\"Figure 28. Malware persistence is achieved via scheduled tasks\"> <\/a><figcaption>Figure 28. 
Malware persistence is achieved via scheduled tasks<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>Finally, EngimaDownloader_s002 downloads and executes the next-stage payload on the infected system. To achieve this task, it employs techniques similar to those used in the first stage; the only difference is that the malware executes a .NET assembly from C++ in memory using the CLR (Common Language Runtime) hosting technique.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"613298\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2029-l.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2029-l.jpg\" alt=\"Figure 29. The stage 3 .NET binary is executed via CLR hosting\"> <\/a><figcaption>Figure 29. 
The stage 3 .NET binary is executed via CLR hosting<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><span class=\"body-subhead-title\">Stage 2.1: Enigma Driver analysis<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"5%\">\n<tbody readability=\"3\">\n<tr>\n<td><b>Name<\/b><\/td>\n<td>Driver.SYS<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>MD5<\/b><\/td>\n<td>28CA7A21DE60671F3B528A9E08A44E1C<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-1<\/b><\/td>\n<td>21F1CFD310633863BABAAFE7E5E892AE311B42F6<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-256<\/b><\/td>\n<td>D5B4C2C95D9610623E681301869B1643E4E2BF0ADCA42EAC5D4D773B024FA442<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"cea316\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2030.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2030.jpg\" alt=\"Figure 30. Microsoft Defender token integrity modification before and after executing Enigma Driver\"> <\/a><figcaption>Figure 30. 
Microsoft Defender token integrity modification before and after executing Enigma Driver<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The code snippets in Figure 31 demonstrate how the driver performs this integrity level patching.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"01da60\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2031.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2031.jpg\" alt=\"Figure 31. Integrity level patching\"> <\/a><figcaption>Figure 31. Integrity level patching<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"c74ee0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2032.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2032.jpg\" alt=\"Figure 32. Details of the vulnerable Intel driver binary \"> <\/a><figcaption>Figure 32. 
Details of the vulnerable Intel driver binary <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"333a30\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2033a.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2033a.jpg\" alt=\"Figure 33. Details of the certificate of the vulnerable driver (top) and Enigma Driver (bottom) \"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"48616a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2033b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2033b.jpg\" alt=\"Figure 33. Details of the certificate of the vulnerable driver (top) and Enigma Driver (bottom) \"> <\/a><figcaption>Figure 33. 
Details of the certificate of the vulnerable driver (top) and Enigma Driver (bottom) <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><span class=\"body-subhead-title\">Stage 3: EngimaDownloader_s003<\/span><\/p>\n<p>The following table shows the details of Enigma.Bot.Net.exe.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"5%\">\n<tbody readability=\"3\">\n<tr readability=\"2\">\n<td><b>MD5<\/b><\/td>\n<td>50949ad2b39796411a4c7a88df0696c8<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-1<\/b><\/td>\n<td>67a502395fc4193721c2cfc39e31be11e124e02c<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-256<\/b><\/td>\n<td>8dc192914e55cf9f90841098ab0349dbe31825996de99237f35a1aab6d7905bb<\/td>\n<\/tr>\n<tr>\n<td><b>File size<\/b><\/td>\n<td>10.50 KB (10752 bytes)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>EngimaDownloader_s003 is a third-stage downloader written in C#. It is responsible for downloading, decompressing, and executing the final stealer payload on an infected system. 
The malware also accepts commands from a Telegram channel, though these commands may vary between variants.<\/p>\n<p><span class=\"blockquote\">stop<br \/>alive<br \/>runassembly<\/span><\/p>\n<p>Upon launch, the malware sends a &#8220;Bot started&#8221; message to both the debug server and the Telegram channel, indicating its successful execution.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"a4f9e8\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2034.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2034.jpg\" alt=\"Figure 34. Stage 3 payload initialization\"> <\/a><figcaption>Figure 34. Stage 3 payload initialization<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>It then sends a GET request to https:\/\/api[.]telegram[.]org\/bot{token}\/getUpdates to retrieve the command. Upon receiving the runassembly command, the malware downloads the next part of the final stage payload (<i>file_19.pack<\/i>), decompresses it using the GZipStream API, and executes it.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"ae7d98\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2035.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2035.jpg\" alt=\"Figure 35. 
Stage 3 payload commands \"> <\/a><figcaption>Figure 35. Stage 3 payload commands <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"8570e2\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2036.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2036.jpg\" alt=\"Figure 36. An example of network communication between EngimaDownloader_s003 and the attacker\u2019s Telegram channel.\"> <\/a><figcaption>Figure 36. An example of network communication between EngimaDownloader_s003 and the attacker\u2019s Telegram channel.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<p><span class=\"body-subhead-title\">Stage 4: Enigma Stealer<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\" height=\"5%\">\n<tbody readability=\"4\">\n<tr readability=\"2\">\n<td><b>MD5<\/b><\/td>\n<td>4DC2D57D9DB430235B21D7FB735ADF36<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-1<\/b><\/td>\n<td>98BF3080A85743AB933511D402E94D1BCEE0C545<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>SHA-256<\/b><\/td>\n<td>4D2FB518C9E23C5C70E70095BA3B63580CAFC4B03F7E6DCE2931C54895F13B2C<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>File size<\/b><\/td>\n<td>2954.75 KB (2954752 bytes)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The final stage is the Enigma Stealer which, as we previously mentioned, is a modified version of an open-source information stealer project called Stealerium.<\/p>\n<p>Upon execution, the malware 
initializes configuration and sets up its working directory.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"fa6271\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2037.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2037.jpg\" alt=\"Figure 37. Engima Stealer initialization\"> <\/a><figcaption>Figure 37. Engima Stealer initialization<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p>The malware configuration is as follows:<\/p>\n<p><span class=\"blockquote\">public static string Version = &#8220;0.05.01&#8221;;<br \/>public static string DebugMode = &#8220;0&#8221;;<br \/>public static string Mutex = &#8220;6C0560CE-2E75-4BB4-A26E-F08592A1D56D&#8221;;<br \/>public static string AntiAnalysis = &#8220;0&#8221;;<br \/>public static string Autorun = &#8220;1&#8221;;<br \/>public static string StartDelay = &#8220;0&#8221;;<br \/>public static string WebcamScreenshot = &#8220;1&#8221;;<br \/>public static string KeyloggerModule = &#8220;0&#8221;;<br \/>public static string ClipperModule = &#8220;0&#8221;;<br \/>public static string GrabberModule = &#8220;0&#8221;;<br \/>public static string TelegramToken = &#8220;5894962737:AAHAFZnz2AkLAyHC0G-7S2je9JMWWLJHGsU&#8221;;<br \/>public static string TelegramChatID = &#8220;5661436914&#8221;;<\/span><\/p>\n<p>It then starts to collect system information and steals user information, tokens, and passwords from various web browsers and applications such as Google Chrome, Microsoft Edge, Microsoft Outlook, Telegram, Signal, OpenVPN and others. 
It captures screenshots and extracts clipboard content and VPN configurations.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"6fc225\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2038.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2038.jpg\" alt=\"Figure 38. Enigma Stealer exfiltrating sensitive data\"> <\/a><figcaption>Figure 38. Enigma Stealer exfiltrating sensitive data<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>The collected information is then compressed and exfiltrated to the attacker via Telegram.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"8c3316\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2039.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2039.jpg\" alt=\"Figure 39. An example of data exfiltrated from the victim\u2019s system\"> <\/a><figcaption>Figure 39. 
An example of data exfiltrated from the victim\u2019s system<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"fd3a4d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2040.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2040.jpg\" alt=\"Figure 40. Data upload logic\"> <\/a><figcaption>Figure 40. Data upload logic<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>Figure 41 illustrates a sample of the network traffic generated by the malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"e82029\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2041.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2041.jpg\" alt=\"Figure 41. Network traffic of data upload to the attacker's telegram channel\"> <\/a><figcaption>Figure 41. 
Network traffic of data upload to the attacker&#8217;s Telegram channel<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"014670\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2042.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2042.jpg\" alt=\"Figure 42. Enigma Stealer capabilities\"> <\/a><figcaption>Figure 42. Enigma Stealer capabilities<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>It&#8217;s worth mentioning that some strings, such as web browser paths and geolocation API service URLs, are encrypted with the AES algorithm in cipher-block chaining (CBC) mode.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"77cb88\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2043.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/Enigma-Stealer%2043.jpg\" alt=\"Figure 43. String encryption logic\"> <\/a><figcaption>Figure 43. 
String encryption logic<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42.970155355683\">\n<div readability=\"33.998364677024\">\n<p>List of decrypted strings:<\/p>\n<p><span class=\"blockquote\">\\Chromium\\User Data\\<br \/>\\Google\\Chrome\\User Data\\<br \/>\\Google(x86)\\Chrome\\User Data\\<br \/>\\Opera Software\\<br \/>\\MapleStudio\\ChromePlus\\User Data\\<br \/>\\Iridium\\User Data\\<br \/>7Star\\7Star\\User Data<br \/>\/\/CentBrowser\\User Data<br \/>\/\/Chedot\\User Data<br \/>Vivaldi\\User Data<br \/>Kometa\\User Data<br \/>Elements Browser\\User Data<br \/>Epic Privacy Browser\\User Data<br \/>uCozMedia\\Uran\\User Data<br \/>Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer<br \/>CatalinaGroup\\Citrio\\User Data<br \/>Coowon\\Coowon\\User Data<br \/>liebao\\User Data<br \/>QIP Surf\\User Data<br \/>Orbitum\\User Data<br \/>Comodo\\Dragon\\User Data<br \/>Amigo\\User\\User Data<br \/>Torch\\User Data<br \/>Yandex\\YandexBrowser\\User Data<br \/>Comodo\\User Data<br \/>360Browser\\Browser\\User Data<br \/>Maxthon3\\User Data<br \/>K-Melon\\User Data<br \/>CocCoc\\Browser\\User Data<br \/>BraveSoftware\\Brave-Browser\\User Data<br \/>Microsoft\\Edge\\User Data<br \/>http:\/\/ip-api.com\/line\/?fields=hosting<br \/>https:\/\/api.mylnikov.org\/geolocation\/wifi?v=1.1&amp;bssid=<br \/>https:\/\/discordapp.com\/api\/v6\/users\/@me<\/span><\/p>\n<p>Similar to <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/north-korean-hackers-target-crypto-experts-with-fake-coinbase-job-offers\/\">previous campaigns<\/a> involving groups such as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/pl\/security\/news\/cybercrime-and-digital-threats\/a-look-into-the-lazarus-groups-operations\">Lazarus<\/a>, this campaign demonstrates a persistent 
and lucrative attack vector for various advanced persistent threat (APT) groups and threat actors. Through the use of employment lures, these actors can target individuals and organizations across the cryptocurrency and <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/l\/web3-ipfs-only-used-for-phishing---so-far.html\">Web 3 sphere<\/a>. Furthermore, this case highlights the evolving nature of modular malware that employs heavily obfuscated, evasive techniques and applies continuous integration and continuous delivery (CI\/CD) principles to ongoing malware development.<\/p>\n<p>Organizations can protect themselves by remaining <a href=\"https:\/\/www.trendmicro.com\/en_ph\/what-is\/phishing.html\">vigilant against phishing attacks<\/a>. Individuals should likewise treat social media posts or phishing messages offering job opportunities with caution unless they have verified their legitimacy. Given current economic conditions, threat actors can be expected to keep relying heavily on employment lures aimed at job seekers.<\/p>\n<p>Organizations should also consider a cutting-edge <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\">multilayered defensive strategy<\/a> and <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response\/xdr.html\">comprehensive security solutions<\/a> such as Trend Micro\u2122 XDR, which can detect, scan, and block malicious URLs across the modern threat landscape.<\/p>\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/iocs-enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs-trend.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> 
<\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/b\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We discovered an active campaign targeting Eastern Europeans in the cryptocurrency industry using fake job lures. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":50504,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9509],"class_list":["post-50503","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-09T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Enigme-Stealer-cover.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs\",\"datePublished\":\"2023-02-09T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/\"},\"wordCount\":3544,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/\",\"name\":\"Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.jpg\",\"datePublished\":\"2023-02-09T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.jpg\",\"width\":1667,\"height\":1250},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"Li
stItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/","og_locale":"en_US","og_type":"article","og_title":"Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-02-09T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Enigme-Stealer-cover.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs","datePublished":"2023-02-09T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/"},"wordCount":3544,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/","url":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/","name":"Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.jpg","datePublished":"2023-02-09T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.jpg","width":1667,"height":1250},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Enigma Stealer 
Targets Cryptocurrency Industry with Fake Jobs"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub
.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=50503"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50503\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/50504"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=50503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=50503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=50503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}