That dream crypto job offer is probably just malware

Hackers have been found once again using the classic “fake crypto job” scam to distribute dangerous malware , experts have warned. However...

Hackers have been found once again using the classic “fake crypto job” scam to distribute dangerous malware, experts have warned.

However, instead of the usual North Korean Lazarus Group, this time it’s the Russians trying to take advantage of gullible crypto workers. Cybersecurity researchers from Trend Micro recently observed unnamed Russian threat actors targeting workers in the cryptocurrency industry, located in Eastern Europe.

They would send out emails, inviting the victims to consider a new job offer at a crypto firm. The email would carry two attachments, one seemingly benign .txt file (titled “Interview Questions”) and one obviously malicious (titled “Interview Conditions.word.exe”).

Bring your own vulnerable driver

The attack is a three-step campaign: If the victim runs the executable, it downloads a second payload that abuses a vulnerability in an Intel driver, tracked as CVE-2015-2291. This method, commonly referred to as “Bring Your Own Vulnerable Driver”, allows threat actors to execute commands with Kernel privileges, and they use this ability to disable antivirus protection.

Once the antivirus is disabled, they trigger the download of the third payload, which is a variant of the Stealerium malware, named Enigma.

The malware, which gets pulled from a private Telegram channel, is capable of extracting system information, browser tokens, stored passwords (it targets virtually all popular browsers nowadays, including Chrome, Edge, Opera, etc.), data stored in Outlook, Telegram, Signal, OpenVPN, and more. What’s more, Enigma can grab screenshots and extract clipboard content. 

When it gets what it wants, Enigma zips it all up in a archive and sends it back via Telegram.

While fake job offers are usually something Lazarus Group does, Trend Micro believes that this time around, the group is of Russian origin. Apparently, one of the logging servers hosts an Amadey C2 panel, largely popular among Russian cybercriminals. Furthermore, the server runs “Deniska”, a Linux variant used almost exclusively by Russians - and the server’s default time zone is also set to Moscow.

Via: BleepingComputer

from TechRadar - All the latest technology news



Apps,3858,Business,151,Camera,1155,Earn $$$,3,Gadgets,1741,Games,926,GTA,1,Innovations,3,Mobile,1697,Paid Promotions,5,Promotions,5,Sports,1,Technology,8106,Trailers,796,Travel,37,Trending,4,Trendly News,25001,TrendlyNews,13,Video,5,XIAOMI,13,YouTube - 9to5Google,12,
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews: That dream crypto job offer is probably just malware
That dream crypto job offer is probably just malware
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share. STEP 2: Click the link you shared to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy