Enigma Stealer, a multi-stage threat, showcases a sophisticated progression in its deployment. It commences by downloading, deobfuscating, and executing secondary and tertiary payloads. The malware’s ultimate form, Stage 4, emerges as an adept information gatherer.
It captures a broad spectrum of sensitive data, including user credentials, tokens, and passwords from renowned browsers and applications like Google Chrome, Microsoft Edge, and Telegram. This intricate process underscores Enigma Stealer’s proficiency in pilfering extensive digital footprints.
Enigma Stealer Overview
Enigma is an information stealer that emerged in early 2023. Being a derivative of the open-source Stealerium stealer, Enigma combines stealer, clipper and keylogger functionality. Another feature inherited from that codebase is the use of the Telegram Bot API for communicating with the C2 server.
Functionally, the Enigma stealer operates with the primary objective of extracting valuable insights from a designated system. It goes a step further by compromising critical information, including tokens, passwords, and usernames, from a diverse array of sources. Noteworthy targets encompass prominent platforms such as Google Chrome, Microsoft Edge, Microsoft Outlook, Telegram, Signal, and OpenVPN, among others.
| Property | Value |
| --- | --- |
| Name | Enigma Stealer |
| Detection | TrojanSpy:Win32/Stealer!MSR (VirusTotal page) |
| Similar Behavior | S1deload, StealDeal |
| Damage | Exploits your hardware to mine cryptocurrencies without your permission. |
Technical analysis of Enigma Stealer
Contrary to other mass-market stealers, Enigma is a multi-stage malware. Its initial stage usually arrives as a file that uses the double-extension trick (.docx.exe or the like). This is a C++ downloader for the following stage: its sole purpose is to download, deobfuscate, decompress and launch the second-stage payload. The downloader employs several techniques to evade detection and hinder reverse engineering, namely API hashing, string encryption, and obfuscation through the inclusion of superfluous (junk) code.
Upon activation, the malware creates a mutual exclusion object (mutex) to mark its presence on the system and avoid running a second instance. It also reads the MachineGuid of the compromised system from the SOFTWARE\Microsoft\Cryptography\MachineGuid registry entry. This MachineGuid serves as a unique identifier that the malware uses to register the infected system with its command and control (C&C) server, which lets the operator track the progress of the infection.
Stage 2
To obtain the second-stage payload, the malware follows an interesting sequence. It first sends a request to a Telegram channel controlled by the attacker, using the URL https://api[.]telegram[.]org/bot{token}/getFile to retrieve the current file_path of the payload. This is convenient for the attacker: the payload can be swapped at any time without relying on a fixed filename. Once the file has been retrieved, deobfuscated and decompressed, the malware sends the message “bot getted” to the designated debug server.
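The Telegram Bot API traffic described above is a useful detection point, because a workstation that calls `getFile` and then downloads the returned file from `api.telegram.org` is behaving like a stager rather than a chat client. The script below is an added example (not code from the original article or from the malware) that parses a few constructed proxy log lines, extracts Telegram Bot API calls, and reports the hosts that show the getFile-then-download pattern. The log format, host names and bot tokens are invented for the example; the tokens are placeholders, not real credentials.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (key=value format invented for this example).
# Bot tokens are fake placeholders in the shape <bot id>:<secret>.
SAMPLE_PROXY_LOG = """\
2023-02-01T10:00:01Z host=WS-017 method=GET url=https://www.example.com/index.html status=200
2023-02-01T10:00:05Z host=WS-017 method=GET url=https://api.telegram.org/bot123456789:AAExampleFakeTokenValue/getFile?file_id=BQACAgIAAxkBAA status=200
2023-02-01T10:00:06Z host=WS-017 method=GET url=https://api.telegram.org/file/bot123456789:AAExampleFakeTokenValue/documents/file_1.bin status=200
2023-02-01T10:02:00Z host=WS-042 method=POST url=https://api.telegram.org/bot987654321:AAAnotherFakeToken/sendMessage status=200
2023-02-01T10:03:00Z host=WS-099 method=GET url=https://telegram.org/ status=200
"""

# One proxy log line: timestamp, client host, HTTP method, URL, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) method=(?P<method>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)

# Telegram Bot API URL shapes:
#   https://api.telegram.org/bot<token>/<method>          (API call, e.g. getFile, sendMessage)
#   https://api.telegram.org/file/bot<token>/<file_path>  (download of the file returned by getFile)
TELEGRAM_BOT_URL = re.compile(
    r"https://api\.telegram\.org/(?P<file>file/)?bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<rest>[^\s?]*)"
)


@dataclass(frozen=True)
class BotApiEvent:
    timestamp: str
    host: str
    bot_id: str   # numeric part of the token only; the secret half is not copied into findings
    action: str   # API method name, or "file-download" for the /file/ endpoint


def parse_events(log_text: str) -> list[BotApiEvent]:
    """Extract every Telegram Bot API call from the log text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = TELEGRAM_BOT_URL.match(m["url"])
        if not u:
            continue  # ordinary traffic, including plain telegram.org web visits
        action = "file-download" if u["file"] else u["rest"]
        bot_id = u["token"].split(":", 1)[0]
        events.append(BotApiEvent(m["ts"], m["host"], bot_id, action))
    return events


def find_payload_retrievals(events: list[BotApiEvent]) -> list[str]:
    """Hosts that resolved a file with getFile and then fetched it: the staging pattern."""
    actions_by_host: dict[str, set[str]] = {}
    for e in events:
        actions_by_host.setdefault(e.host, set()).add(e.action)
    return sorted(h for h, acts in actions_by_host.items()
                  if "getFile" in acts and "file-download" in acts)


def bot_ids_by_host(events: list[BotApiEvent]) -> dict[str, set[str]]:
    """Which bot ids each host talked to; useful for pivoting across the fleet."""
    result: dict[str, set[str]] = {}
    for e in events:
        result.setdefault(e.host, set()).add(e.bot_id)
    return result


if __name__ == "__main__":
    evts = parse_events(SAMPLE_PROXY_LOG)
    for e in evts:
        print(f"{e.timestamp} {e.host} bot={e.bot_id} action={e.action}")
    print("stager-like hosts:", find_payload_retrievals(evts))
```

Any Bot API call from a workstation deserves a look, since Telegram's own desktop client does not use the `bot<token>` endpoints; the getFile-then-download pair is the higher-confidence signal. The bot id (the numeric half of the token) is enough to correlate infected hosts and to report the bot to Telegram; the secret half is deliberately left out of the findings.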
The second stage has one main objective: disabling Microsoft Defender. It does so by loading a malicious kernel-mode driver using the “bring your own vulnerable driver” (BYOVD) technique, exploiting a vulnerability in an Intel driver (CVE-2015-2291). With Defender out of the way, it downloads and executes the third-stage payload.
Stage 3 and 4
Stage 3 begins with a dedicated downloader module. This module is responsible for downloading, decompressing, and executing the final stealer payload on the compromised system. The malware also accepts commands sent through a designated Telegram channel, although the exact command set may vary between samples.
Upon initiation, the malware promptly dispatches a “Bot started” message to both the Debug server and the designated Telegram channel. This communication serves as a confirmation of its successful launch. Then, it pulls and runs the Stage 4 payload from the C2.
Stage 4 is an actual Enigma Stealer in its final form. Its outset involves an intricate process of amassing comprehensive system details, thereafter progressing to the extraction of critical user data. The spectrum of pilfered information encompasses user details, tokens, and passwords sourced from an array of prominent web browsers and applications. Among the targeted platforms are Google Chrome, Microsoft Edge, Microsoft Outlook, Telegram, Signal, and OpenVPN, to name a few.
This advanced iteration of Enigma Stealer extends its capabilities further by capturing screenshots and extracting content from the clipboard, in addition to acquiring VPN configurations. This holistic approach underscores the malware’s sophisticated design, enabling it to amass a wealth of sensitive information for the malevolent actor’s benefit.
Spreading ways of Enigma Stealer
Enigma Stealer is distributed as a malicious RAR archive sent via phishing emails or social media platforms. The archive contains two files, “Interview questions.txt” and “Interview conditions.word.exe”, although the file names vary between campaigns. The latter is an executable: the fake “.word” extension tricks recipients into launching the loader, which infects their system with the Enigma information stealer. The .txt version of the file looks like this:
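The double-extension lure used here (and in the first-stage downloader described under the technical analysis) is easy to triage automatically at a mail gateway or sandbox, because the giveaway is purely in the file name: an executable extension at the end, preceded by a token that looks like a document or image extension. The following is an added example (not code from the original article) that assesses archive member names and ranks them; the archive listing is constructed, with the two file names from the article plus a few benign and borderline cases.

```python
import re
from dataclasses import dataclass

# Extensions Windows will execute or that otherwise run code on double-click.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1",
}

# A short dotted token right before the real extension, e.g. ".word" in
# "Interview conditions.word.exe". Deliberately not a fixed list, since the
# lure's inner extension need not be a real one (".word" is not).
INNER_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,5}$")

# Constructed archive listing: the two names from the article plus extra cases.
SAMPLE_ARCHIVE_MEMBERS = [
    "Interview questions.txt",
    "Interview conditions.word.exe",
    "report.pdf",
    "setup.exe",
    "notes.docx",
    "PHOTO.JPG.SCR",
    "backup.tar.gz",
]


@dataclass(frozen=True)
class Verdict:
    name: str
    severity: str   # "none", "medium" (plain executable) or "high" (disguised executable)
    reason: str


def assess_filename(name: str) -> Verdict:
    """Classify a single archive member by its name alone."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # strip any directory part
    stem, sep, ext = base.rpartition(".")
    final_ext = ("." + ext.lower()) if sep else ""
    if final_ext not in EXECUTABLE_EXTENSIONS:
        return Verdict(name, "none", "final extension is not executable")
    inner = INNER_EXT_RE.search(stem)
    if inner:
        # Versioned names such as "tool.v1.2.exe" also land here; that is accepted
        # as a false positive worth a human look rather than silently passed.
        return Verdict(name, "high",
                       f"executable disguised with inner extension '{inner.group()}'")
    return Verdict(name, "medium", "executable inside an archive")


def triage_archive(members: list[str]) -> dict[str, list[Verdict]]:
    """Group verdicts by severity so the caller can block 'high' and review 'medium'."""
    grouped: dict[str, list[Verdict]] = {"high": [], "medium": [], "none": []}
    for m in members:
        v = assess_filename(m)
        grouped[v.severity].append(v)
    return grouped


def should_block(members: list[str]) -> bool:
    """Policy for this example: any disguised executable blocks the whole archive."""
    return bool(triage_archive(members)["high"])


if __name__ == "__main__":
    for severity, verdicts in triage_archive(SAMPLE_ARCHIVE_MEMBERS).items():
        for v in verdicts:
            print(f"[{severity:6}] {v.name}: {v.reason}")
    print("block archive:", should_block(SAMPLE_ARCHIVE_MEMBERS))
```

Name-based triage is only a first filter: it catches this particular lure cheaply, but a plain `setup.exe` in an archive still needs content inspection, and Explorer's default of hiding known extensions is what makes the trick work on the user's side in the first place, so the name check belongs alongside showing extensions, not instead of it.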