We recently found an active campaign that uses a fake employment pretext targeting Eastern Europeans in the cryptocurrency industry to install an information stealer. In this campaign, the suspected Russian threat actors use several highly obfuscated and under-development custom loaders to infect those involved in the cryptocurrency industry with the Enigma Stealer (detected as ), a modified version of the Stealerium information stealer. In addition to these loaders, the attacker also exploits CVE-2015-2291, an Intel driver vulnerability, to load a malicious driver designed to reduce the token integrity of Microsoft Defender.

Stealerium, the original information stealer which serves as the base for Enigma Stealer, is an open-source project written in C# and markets itself as a stealer, clipper, and keylogger with logging capabilities using the Telegram API.

Security teams and individual users are advised to continuously update the security solutions of their systems and remain vigilant against threat actors who perform social engineering via job opportunity or salary increase-related lures.

This file, which also masquerades as a legitimate Word document, is designed to lure unsuspecting victims into executing the loader. Once executed, the Enigma loader begins the registration and downloading of the second-stage payload.

Enigma uses two servers in its operation. The first utilizes Telegram for delivering payloads, sending commands, and receiving the payload heartbeat. The second server, 193.56.146.29, is used for DevOps and logging purposes. At each stage the payload sends its execution log to the logging server. Since this malware is under continuous development, the attacker potentially uses the logging server to improve malware performance. We have also identified the Amadey C2 panel on 193.56.146.29, which has only one sample (95b4de74daadf79f0e0eef7735ce80bc) communicating with it.

The initial stage of Enigma, Interview, is a downloader written in C++. Its primary objective is to download, deobfuscate, decompress, and launch the secondary stage payload. The malware incorporates multiple tactics to avoid detection and complicate reverse engineering, such as API hashing, string encryption, and irrelevant code.

Before delving into the analysis of "EnigmaDownloader_s001," let's first examine how the malware decrypts strings and resolves hashed Windows APIs. By understanding this, we can implement an automated system to help us retrieve encrypted data and streamline the analysis process. Please be advised that to enhance code legibility, we have substituted all hashes with the corresponding function names.

EnigmaDownloader_s001 API Hashing

API hashing is a technique employed by malware to conceal the utilization of potentially suspicious APIs (functions) from static detection. This technique helps the malware disguise its activities and evade detection. It involves replacing the human-readable names of functions (such as "CreateMutexW") with a hash value, such as 0x0FD43765A. The hash value is then used in the code to call the corresponding API function, rather than using the human-readable name. For API hashing, EnigmaDownloader_s001 uses the following custom MurmurHash:

The purpose of this technique is to make the process of understanding the code more time-consuming and difficult.

The following is a list of API hash values along with the names of functions that have been used in this sample (please note that the hash value might be different in other variants, since the malware author changed some of the constant values in the hash generator function).

0x11CF0A2 : wininet_InternetGetConnectedState
0xDC75FF2 : wininet_InternetCheckConnectionA
0x548C5A4 : Rpcrt4_RpcStringBindingComposeW
0x7B0F79F : Rpcrt4_RpcBindingFromStringBindingW
0x7A7DAA0 : Rpcrt4_RpcAsyncInitializeHandle
0xC9FEF5F : kernel32_ExpandEnvironmentStringsW
0x418B4E7E : wininet_AppCacheCheckManifest
0x73861029 : kernel32_BasepSetFileEncryptionCompression
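As an added example that is not part of this report, the analyst-side resolver the text alludes to: precompute hashes for a list of dll_Function labels and look up the hash constants found in the binary. It uses the standard MurmurHash3 (x86, 32-bit) algorithm with a configurable seed, because the sample's modified constants are not reproduced on this page; the API_NAMES list is constructed, and find_seed is a hypothetical helper for recovering a changed seed from one known (name, hash) pair.

```python
# Added example, not code from the report: a MurmurHash3_x86_32 API-hash resolver.
# The sample's modified constants are not on the page, so the standard ones are used.
C1, C2, MASK = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """Standard MurmurHash3 (x86, 32-bit) of `data` with the given seed."""
    h = seed & MASK
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        h ^= (_rotl32((k * C1) & MASK, 15) * C2) & MASK
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK
    tail, k = data[4 * nblocks:], 0
    for i in range(len(tail)):                    # up to 3 trailing bytes
        k ^= tail[i] << (8 * i)
    if tail:
        h ^= (_rotl32((k * C1) & MASK, 15) * C2) & MASK
    h ^= len(data)                                # finalization mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    return h ^ (h >> 16)


# Constructed "dll_Function" labels, shaped like the entries in the report's hash list.
API_NAMES = [
    "kernel32_CreateMutexW", "kernel32_ExpandEnvironmentStringsW",
    "wininet_InternetGetConnectedState", "wininet_InternetCheckConnectionA",
    "Rpcrt4_RpcStringBindingComposeW",
]


def build_hash_table(names, seed: int = 0) -> dict:
    """Precompute hash -> name so constants found in the binary can be looked up."""
    return {murmur3_32(n.encode(), seed): n for n in names}


def resolve_hashes(hashes, table: dict) -> dict:
    """Map each hash constant pulled from the code to an API name, or None."""
    return {h: table.get(h) for h in hashes}


def find_seed(name: str, target: int, max_seed: int = 1 << 16):
    """Hypothetical helper: brute-force a changed seed from one known (name, hash) pair."""
    for seed in range(max_seed):
        if murmur3_32(name.encode(), seed) == target:
            return seed
    return None
```

To adapt it to a variant, replace C1, C2 and the seed with the values read from the sample's hash routine and extend API_NAMES with the export names of the DLLs it loads.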