Researchers note an increase in the activity of malicious software aimed at owners of cryptocurrency accounts. Enigma, Vector and TgToxic are among the most prevalent crypto threats of recent months.
Enigma is a modified version of Stealerium, an open source C# malware that acts as a stealer, clipper and keylogger. The infection chain begins with a malicious ".rar" archive distributed through phishing messages on job search platforms or social networks. The archive contains two files: a plain text document with a list of questions for the applicant and a Microsoft Word document that acts as a decoy. The decoy may contain, for example, information about the vacancy or the organization; everything is arranged so that the victim does not suspect they have downloaded malware. This Word document performs the first stage of the Enigma download.
“In order to download the next stage payload, the malware sends a request to a hacker-controlled Telegram channel to get the file path. This approach allows the attacker to constantly update malicious files, and also eliminates the dependence on fixed names of these files,” said Trend Micro researchers.
The second-stage loader, which runs with elevated privileges, is designed to disable Microsoft Defender and install the third-stage payload by deploying a legitimately signed Intel driver in kernel mode using a BYOVD (Bring Your Own Vulnerable Driver) attack.
The third-stage payload is the Enigma Stealer itself. Like other stealers, it collects confidential information, records keystrokes and captures screenshots.
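The chain described above (an Office document spawning a downloader, that downloader fetching its next-stage path from Telegram, then Defender being switched off) lends itself to correlation rather than single-indicator alerting. The following is an added example, not code from the original article or from Trend Micro: it scores per-host telemetry against those three stages. The event format, field names and log lines are constructed for illustration; the Defender setting name DisableRealtimeMonitoring is a real policy value, but how it surfaces in your telemetry will depend on the EDR.

```python
"""Correlate host events into the Enigma-style infection chain (constructed example)."""
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
TELEGRAM_API = "api.telegram.org"

# Constructed sample telemetry: (host, event_kind, event_fields).
# pc1 shows the full chain; pc2 is benign background noise.
SAMPLE_EVENTS = [
    ("pc1", "proc", {"parent": "WINWORD.EXE", "image": "stage1.exe", "pid": 4120}),
    ("pc1", "net", {"pid": 4120, "dest": "api.telegram.org"}),
    ("pc1", "defender", {"setting": "DisableRealtimeMonitoring", "value": 1}),
    ("pc2", "proc", {"parent": "explorer.exe", "image": "notepad.exe", "pid": 880}),
    ("pc2", "net", {"pid": 880, "dest": "example.com"}),
]


def score_hosts(events):
    """Return {host: sorted list of chain stages observed} for hosts with any stage."""
    stages = defaultdict(set)
    office_children = defaultdict(set)  # host -> pids spawned by an Office process
    for host, kind, d in events:
        if kind == "proc" and d["parent"].lower() in OFFICE_PARENTS:
            # Stage 1: an Office document launching a child process.
            office_children[host].add(d["pid"])
            stages[host].add("office_spawn")
        elif (kind == "net" and d["dest"] == TELEGRAM_API
              and d["pid"] in office_children[host]):
            # Stage 1 -> 2: that child asking Telegram for the next payload path.
            stages[host].add("telegram_fetch")
        elif (kind == "defender" and d["setting"] == "DisableRealtimeMonitoring"
              and d["value"] == 1):
            # Stage 2: real-time protection switched off before the driver drop.
            stages[host].add("defender_off")
    return {h: sorted(s) for h, s in stages.items()}


def flag_hosts(events, min_stages=2):
    """Hosts where at least min_stages distinct stages of the chain were seen."""
    return sorted(h for h, s in score_hosts(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS))
    print("suspicious hosts:", flag_hosts(SAMPLE_EVENTS))
```

Any one of these stages alone is noisy (Office legitimately spawns helpers, and Telegram has benign users); requiring two or more on the same host is what makes the rule useful.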
Another malicious program, called Vector Stealer, has also been actively used by cybercriminals recently. According to Cyble's technical report, it can steal ".rdp" connection files, which can give attackers remote access over RDP.
Attack chains documented by cybersecurity companies show that these malware families are most often delivered to a victim's computer via Microsoft Office attachments containing malicious macros. Attackers still manage to exploit this method successfully, despite Microsoft's attempts to close the loophole.
On mobile devices, TgToxic belongs to the group of malware that targets cryptocurrency wallets. It is an Android banking trojan that steals credentials and funds from crypto wallets, as well as from banking and financial applications. The TgToxic campaign has been ongoing since July 2022 and is directed against mobile device users in Taiwan, Thailand and Indonesia.
“When a user downloads a fake app from a website provided by an attacker, the hacker tricks the victim into registering, installing malware, and enabling the necessary permissions,” Trend Micro researchers note.
However, social engineering campaigns have long gone beyond simple phishing. Attackers have recently created fake pages imitating popular crypto services in order to transfer Ethereum and NFTs out of compromised wallets. These pages usually embed a crypto drainer script that prompts victims to connect their wallets to the service, luring them with lucrative NFT minting offers.
"Crypto-Drainers are malicious scripts that function as electronic skimmers and are used in phishing techniques to steal victims’ crypto assets," Recorded Future said in a report.
According to publicly available data, various criminal groups stole $3.8 billion worth of cryptocurrency in 2022, a sum large enough to make anyone think about the security of their crypto wallet. Most of these thefts are attributed to hacker groups sponsored by North Korea.