In this campaign, the suspected Russian threat actors use several highly obfuscated, still-under-development custom loaders to infect people working in the cryptocurrency industry with Enigma Stealer (detected as TrojanSpy.MSIL.ENGIMASTEALER.YXDBC), a modified version of the Stealerium information stealer.
The payloads are built to steal credentials for cryptocurrency-related software and services. The infection chain relies on a custom loader whose job is to decrypt the main malicious module and run it.
Once the stealer is running on a system, it harvests a large number of HTTP cookies together with details about other software installed on the host.
The stolen data is sent back to the command-and-control (C&C) server in plaintext. With the session cookies in hand, the threat actors behind this campaign can log in to websites and online services such as cryptocurrency exchanges and wallet sites as the victim and drain their cryptocurrency. Because the channel is plaintext, the same cookie dump is readable to anyone who can inspect the traffic, which makes this exfiltration step comparatively easy to spot on the network.
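Since the stealer ships cookies and a software inventory unencrypted, a network-side check can look for that shape of traffic. The Python below is an added example, not code from Trend Micro, AlienVault or the malware authors: it parses two constructed HTTP captures (the hosts, paths and cookie values are hypothetical and are not real Enigma infrastructure), counts cookie-like name=value pairs and software-inventory lines in the POST body, and flags POSTs that carry them to a host outside an allowlist. The thresholds and regexes are assumptions to tune against your own traffic.

```python
import re
from dataclasses import dataclass

# Constructed sample captures (hypothetical hosts, paths and values).
BENIGN_LOGIN = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: exchange.example\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"user":"alice","password":"hunter2"}'
)

SUSPECT_DUMP = (
    "POST /gate.php HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "[Cookies]\r\n"
    "exchange.example: session_id=9f8e7d6c5b4a3f2e1d0c; csrftoken=AbCdEf0123456789\r\n"
    "wallet.example: auth=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig\r\n"
    "mail.example: SID=1234567890abcdef; HSID=fedcba0987654321\r\n"
    "[Software]\r\n"
    "Exodus 23.1.1\r\n"
    "Electrum 4.3.4\r\n"
    "Google Chrome 109.0\r\n"
)

# Hosts this organisation legitimately POSTs to (assumed allowlist).
ALLOWED_HOSTS = {"exchange.example", "wallet.example"}

# name=value where the value is at least 8 chars and not a cookie separator.
COOKIE_PAIR = re.compile(r"\b([A-Za-z_][\w.-]*)=([^;\s]{8,})")
# A whole line of the form "<Product name> <dotted version>".
SOFTWARE_LINE = re.compile(r"^[A-Za-z][\w .-]* \d+(?:\.\d+)+\s*$", re.M)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class HttpRequest:
    method: str
    path: str
    host: str
    headers: dict
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers.get("host", ""), headers, body)


def count_cookie_pairs(body: str) -> int:
    return len(COOKIE_PAIR.findall(body))


def count_software_lines(body: str) -> int:
    return len(SOFTWARE_LINE.findall(body))


def assess(req: HttpRequest, allowed_hosts=ALLOWED_HOSTS, cookie_threshold=3):
    """Return a list of reasons the request looks like a plaintext stealer dump."""
    reasons = []
    pairs = count_cookie_pairs(req.body)
    if pairs >= cookie_threshold:
        reasons.append(f"{pairs} cookie-like name=value pairs in plaintext body")
    inventory = count_software_lines(req.body)
    if inventory:
        reasons.append(f"{inventory} software-inventory lines in body")
    if req.method == "POST" and req.host not in allowed_hosts:
        kind = "raw IP" if IPV4.match(req.host) else "unlisted host"
        reasons.append(f"POST to {kind} {req.host}{req.path}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_LOGIN), ("suspect", SUSPECT_DUMP)):
        print(label, assess(parse_request(raw)) or "clean")
```

The benign login produces no findings; the constructed dump trips all three checks. In practice the body heuristics matter more than the destination check, since a stealer can just as easily post to a legitimate-looking domain or a messaging API.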
Symantec's CTO considers the use of cryptocurrency a threat to society, citing (1) money laundering and terrorist financing, (2) tax evasion and tax fraud, (3) speculation, and (4) illicit investment or purchases.
He is also concerned that cryptocurrency exchanges operating outside the law are being used for large-scale money laundering.
Source: Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs - AlienVault - Open Threat Exchange