That dream crypto job offer is probably just malware

Fake job offers are now being used by Russian hackers


Hackers have been found once again using the classic “fake crypto job” scam to distribute dangerous malware, experts have warned.

However, instead of the usual North Korean Lazarus Group, this time it’s the Russians trying to take advantage of gullible crypto workers. Cybersecurity researchers from Trend Micro recently observed unnamed Russian threat actors targeting workers in the cryptocurrency industry, located in Eastern Europe.

They would send out emails, inviting the victims to consider a new job offer at a crypto firm. The email would carry two attachments, one seemingly benign .txt file (titled “Interview Questions”) and one obviously malicious (titled “Interview Conditions.word.exe”).
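The lure above relies on a double extension: the final “.exe” is what Windows actually runs, while the “.word” in the middle is there to make the attachment read like a document. A simple mail-gateway or triage check can flag that pattern. The following function is an added example written for this article, not code from Trend Micro or the original report; the extension lists are assumptions to be tuned per environment, and the sample filenames are constructed (the two from the article plus a few variations):

```python
# Flag e-mail attachments whose real (final) extension is executable but
# whose name is dressed up with a document-style extension before it.

# Extensions Windows will execute on double-click (assumed subset; extend as needed)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "hta"}
# Extensions a job applicant would expect in a recruiting e-mail. "word" is not a
# real extension, but it is what the lure in the article used, so it is listed too.
DOCUMENT_EXTS = {"txt", "doc", "docx", "word", "pdf", "xls", "xlsx", "rtf"}


def classify_attachment(filename: str) -> str:
    """Return one of: document, other, no_extension, executable,
    executable_masquerading_as_document."""
    # Lower-case and strip padding around each dot-separated token, so that
    # "Report.pdf     .exe" is treated the same as "Report.pdf.exe".
    parts = [p.strip() for p in filename.lower().strip().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return "no_extension"

    final_ext = parts[-1]
    if final_ext not in EXECUTABLE_EXTS:
        return "document" if final_ext in DOCUMENT_EXTS else "other"

    # The file will run as a program; check whether the token before the real
    # extension was chosen to look like a document type.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "executable_masquerading_as_document"
    return "executable"


def triage(attachments):
    """Map each attachment name to its classification."""
    return {name: classify_attachment(name) for name in attachments}


if __name__ == "__main__":
    # Constructed sample: the two attachments from the article plus variations.
    sample = [
        "Interview Questions.txt",
        "Interview Conditions.word.exe",
        "Salary_Offer.pdf     .scr",
        "setup.exe",
        "README",
    ]
    for name, verdict in triage(sample).items():
        print(f"{verdict:40s} {name}")
```

A gateway rule would quarantine anything classified as executable_masquerading_as_document and, in most organisations, anything classified as executable arriving from outside.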

Bring your own vulnerable driver

The attack is a three-stage campaign. If the victim runs the executable, it downloads a second payload that abuses a vulnerability in an Intel driver, tracked as CVE-2015-2291. This method, commonly referred to as “Bring Your Own Vulnerable Driver”, allows threat actors to execute commands with kernel privileges, and they use this ability to disable antivirus protection.

Once the antivirus is disabled, they trigger the download of the third payload, which is a variant of the Stealerium malware, named Enigma.


The malware, which gets pulled from a private Telegram channel, is capable of extracting system information, browser tokens, stored passwords (it targets virtually all popular browsers nowadays, including Chrome, Edge, Opera, etc.), data stored in Outlook, Telegram, Signal, OpenVPN, and more. What’s more, Enigma can grab screenshots and extract clipboard content.

When it gets what it wants, Enigma zips it all up in a Data.zip archive and sends it back via Telegram.
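Because the stolen archive leaves over Telegram, outbound requests to Telegram’s Bot API from ordinary workstations are a useful hunting signal. The detection below is an added example, not part of the article or of Trend Micro’s research. It assumes a web-proxy log with one request per line (timestamp, source IP, method, host, path, bytes sent); that format and every value in the sample lines are constructed. The URL shape it matches, `api.telegram.org/bot<token>/<method>`, is the real Bot API layout, and the token in the sample is a made-up placeholder:

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the article). Fields: ts src_ip method host path bytes_out
SAMPLE_PROXY_LOG = """\
2023-02-10T09:14:02Z 10.0.5.23 GET  www.example.com /careers 412
2023-02-10T09:15:47Z 10.0.5.23 POST api.telegram.org /bot123456:PLACEHOLDER-token/sendDocument 1843211
2023-02-10T09:16:01Z 10.0.5.40 GET  api.telegram.org /bot987:PLACEHOLDER-other/getUpdates 220
2023-02-10T09:17:30Z 10.0.5.23 POST api.telegram.org /bot123456:PLACEHOLDER-token/sendDocument 2203400
"""

TELEGRAM_HOST = "api.telegram.org"
# Bot API request path: /bot<bot_id>:<secret>/<method>
BOT_API_PATH = re.compile(r"^/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>\w+)$")
# Bot API methods that carry a file out of the network
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line: str):
    """Split one log line into a dict, or return None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src_ip, method, host, path, bytes_out = fields
    try:
        size = int(bytes_out)
    except ValueError:
        return None
    return {"ts": ts, "src_ip": src_ip, "method": method,
            "host": host, "path": path, "bytes_out": size}


def find_telegram_uploads(log_text: str):
    """Return one alert per POST that uploads a file through the Telegram Bot API."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["host"] != TELEGRAM_HOST or rec["method"] != "POST":
            continue
        m = BOT_API_PATH.match(rec["path"])
        if not m or m.group("method") not in UPLOAD_METHODS:
            continue
        alerts.append({
            "ts": rec["ts"],
            "src_ip": rec["src_ip"],
            # Record the bot id only; the secret part of the token stays out of alerts.
            "bot_id": m.group("bot_id"),
            "api_method": m.group("method"),
            "bytes_out": rec["bytes_out"],
        })
    return alerts


def summarize_by_host(alerts):
    """Aggregate upload volume per source IP, which is what an analyst pivots on."""
    totals = defaultdict(lambda: {"uploads": 0, "bytes_out": 0})
    for a in alerts:
        totals[a["src_ip"]]["uploads"] += 1
        totals[a["src_ip"]]["bytes_out"] += a["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    hits = find_telegram_uploads(SAMPLE_PROXY_LOG)
    for h in hits:
        print(h)
    print(summarize_by_host(hits))
```

The GET to getUpdates from the second host is deliberately left alone: polling a bot is not by itself exfiltration, and a rule that fires on every Telegram request will drown in noise on networks where staff use the app legitimately. Uploads from a workstation that has never talked to the Bot API before are the interesting case.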


While fake job offers are usually something Lazarus Group does, Trend Micro believes that this time around, the group is of Russian origin. Apparently, one of the logging servers hosts an Amadey C2 panel, largely popular among Russian cybercriminals. Furthermore, the server runs “Deniska”, a Linux variant used almost exclusively by Russians - and the server’s default time zone is also set to Moscow.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
