Once the Enigma loader is executed, it registers the infection and downloads the second-stage payload. The malware is under continuous development: each stage reports to an attacker-controlled logging server, which lets the operators see where the chain fails and refine the code. The second-stage downloader, a C++ executable (referred to in the report simply as Exe), exists to download, deobfuscate, decompress, and launch the next payload. To hinder analysis it uses API hashing, string encryption, and junk code. Strings are decrypted and Windows API hashes resolved by a routine the researchers labeled mw resolveAPI, which takes two arguments: an index into a list of library names and the hash of the export function name. Because imported names never appear in clear text, the sample has no conventional import table to inspect; the binary also carries its own implementation of GetProcAddress so that it can locate functions such as LoadLibrary without importing them. To track the infection, the malware creates a mutex and reads the MachineGuid value from the registry (HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid), a stable per-host identifier. It then requests the next-stage binary from an attacker-controlled Telegram channel, traffic that blends into ordinary HTTPS connections to Telegram's infrastructure.

After the file is downloaded, deobfuscated, and decompressed, the malware attempts to elevate its privileges by running its UAC bypass routine (labeled mw UAC bypass by the researchers). If that succeeds, it exploits CVE-2015-2291, a known vulnerability in a legitimately signed Intel Ethernet diagnostics driver, to load a malicious driver with kernel privileges: a bring-your-own-vulnerable-driver technique, since it is the signed-but-flawed driver, not a forged signature, that gets the attacker into kernel mode. It then downloads and executes the third-stage payload. The malware also creates scheduled tasks to persist on the system and accepts commands from the Telegram channel, which doubles as its command-and-control channel. Finally, it downloads and executes Enigma Stealer, a modified build of an open-source information stealer. The case shows how modular malware combines heavy obfuscation and evasion with continuous integration and delivery practices, iterating on the code the way a software team would.
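The (library index, export hash) resolution scheme described above is easier to reason about with a working model. The following Python is an added example, not code from the Trend Micro report or from the malware: it implements a loader-side lookup with the same two-argument shape, and the analyst-side hash table an investigator builds to turn constants pulled from a sample back into API names. The hash algorithm (ROR-13) and the module/export lists are assumptions; the report does not state which hash Enigma uses, and a real loader walks the PEB module list and each DLL's PE export directory instead of a constructed Python list.

```python
# Added example (not the report's or the malware's code): a minimal model of
# hash-based API resolution taking (library index, export hash), plus the
# analyst-side table used to recover API names from hashes found in a sample.
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Classic ROR-13 export-name hash.
    Assumption: the report does not give Enigma's hash function; ROR-13 is
    used here because it is the most common choice in loaders of this kind."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32  # rotate right by 13 bits
        h = (h + b) & MASK32                  # add the next byte
    return h


# Constructed stand-in for the export tables a real loader reads by walking the
# PEB module list and each DLL's export directory. The list index plays the role
# of the "library name index" argument; the names are a small, made-up subset.
FAKE_MODULES: List[List[str]] = [
    ["LoadLibraryA", "GetProcAddress", "CreateMutexA", "VirtualAlloc"],  # 0: kernel32
    ["RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"],                 # 1: advapi32
    ["MessageBoxA", "GetForegroundWindow"],                               # 2: user32
]


def resolve_api(lib_index: int, target_hash: int) -> Optional[str]:
    """Loader-side lookup: scan the chosen module's exports and return the one
    whose hash matches. Real malware returns the export's address; the name is
    returned here so the behaviour can be checked offline."""
    for export in FAKE_MODULES[lib_index]:
        if ror13_hash(export) == target_hash:
            return export
    return None  # no match: a real loader would abort or try another module


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for known exports so constants
    recovered from a binary can be labelled. Collisions raise instead of
    silently overwriting, because a wrong label is worse than no label."""
    table: Dict[int, str] = {}
    for n in names:
        h = ror13_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"collision: {table[h]} and {n} both hash to {h:#010x}")
        table[h] = n
    return table


def recover_names(hashes: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Map each constant back to an API name, or mark it unknown."""
    return [table.get(h, f"unknown:{h:#010x}") for h in hashes]


if __name__ == "__main__":
    # The loader only embeds (index, hash) pairs; the API names never appear.
    wanted = [(0, ror13_hash("LoadLibraryA")), (1, ror13_hash("RegQueryValueExA"))]
    for idx, h in wanted:
        print(f"module {idx} hash {h:#010x} -> {resolve_api(idx, h)}")
    # The analyst labels hashes pulled from the sample via the precomputed table.
    table = build_hash_table(n for mod in FAKE_MODULES for n in mod)
    print(recover_names([h for _, h in wanted] + [0xDEADBEEF], table))
```

In practice the analyst feeds `build_hash_table` the full export lists of the DLLs a sample loads (tens of thousands of names), tries several candidate hash functions, and keeps the one whose table explains the constants found in the binary; an `unknown:` result usually means the wrong algorithm or a module not yet in the table.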
This Cyber News was published on www.trendmicro.com. Publication date: Thu, 09 Feb 2023 11:54:02 +0000