
EnigmaSpark

Posted: March 20, 2020

EnigmaSpark is a backdoor Trojan that provides features for helping attackers spy on and control the infected PC. Its deployment patterns suggest a notable emphasis on political targets in the Middle East, such as entities involved in Palestinian peace plans. Windows users should inspect incoming documents for possible security issues and let their anti-malware solutions remove EnigmaSpark immediately when possible.

Hacking Protection Becomes a Hacking Enabler

Irony is rarely a feature of high-level cyber-espionage campaigns, but a new Trojan with old handlers is the exception that proves the rule. EnigmaSpark, a flexible backdoor Trojan with highly-specific victims, uses packing from the Enigma Protector program to protect itself from detection, analysis, and removal. Further details in its code structure and behavior strongly suggest that its administrators are part of the Molerats: a Middle Eastern threat actor with access to high-level threats like the JhoneRAT Remote Access Trojan.

Like JhoneRAT, EnigmaSpark provides full-featured attacks against the user's PC, albeit with a set of keyword-based features. The backdoor Trojan may let an attacker open or upload files, download and install more threats, or change system settings at will. Meanwhile, the code-packing that Enigma Protector offers will help with hiding the Trojan from sight.

However, the above isn't highly unexpected for well-designed cyber-recon software. EnigmaSpark is more interesting for the degree of specificity with which it chooses its targets. It takes note of the target's keyboard layout, with a preference for Arabic ones, and uses Trojan droppers for its installation that, invariably, arrive through Arabic-language, malicious documents. The contents of the documents include everything from military field reports to news reports on political meetings, with the topic of focus, almost always, being peace talks regarding Palestine.

Dousing the Spark of Misleading Social Engineering

EnigmaSpark's campaign is well-organized and uses creative elements like Google Drive hosting and fake network communication labels (the HTTP POST requests for its Command & Control traffic pretend that the host is Cnet.com). Infections also come with few or no symptoms once the Trojan establishes itself. Despite these details, victims can protect themselves and their networks by avoiding the well-known infection methods that EnigmaSpark uses.
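A spoofed Host header is only convincing to whoever reads the header alone. A proxy or egress log also records where the connection actually went, and the two can be compared. The script below is an added example for this write-up, not code from the original page or from any vendor: it reads constructed proxy log lines in a constructed field layout (timestamp, method, destination IP, Host header, path) and flags POST requests whose Host header names a domain that, according to a constructed allowlist of address ranges, the destination IP is not known to serve. The allowlist entry for cnet.com uses a documentation address block as a placeholder; in practice it would come from passive DNS or the proxy's own resolution records.

```python
"""Flag HTTP POST requests whose Host header names a well-known site but
whose destination address is not one that site is known to use.

Added example; not code from the original page or any vendor. The log lines,
the field layout and the address allowlist are all constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: address blocks we have (hypothetically) resolved for
# legitimate domains seen in our environment. 203.0.113.0/24 is a documentation
# range used here purely as a placeholder, not cnet.com's real addressing.
KNOWN_RANGES = {
    "cnet.com": [ipaddress.ip_network("203.0.113.0/24")],
}


@dataclass
class Finding:
    line_no: int
    dst_ip: str
    host: str
    reason: str


def parse_line(line):
    """Parse one constructed log line: 'ts method dst_ip host path'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, method, dst_ip, host, path = parts
    return {"ts": ts, "method": method.upper(), "dst_ip": dst_ip,
            "host": host.lower(), "path": path}


def host_matches(host, dst_ip):
    """True/False if host (or a parent domain) is in the allowlist and dst_ip
    does/does not fall in its ranges; None if we have nothing to compare."""
    try:
        ip = ipaddress.ip_address(dst_ip)
    except ValueError:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):          # www.cnet.com, then cnet.com
        candidate = ".".join(labels[i:])
        if candidate in KNOWN_RANGES:
            return any(ip in net for net in KNOWN_RANGES[candidate])
    return None


def find_host_spoofing(lines):
    """Return a Finding for every POST whose Host header contradicts its destination."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if host_matches(rec["host"], rec["dst_ip"]) is False:
            findings.append(Finding(
                n, rec["dst_ip"], rec["host"],
                "Host header names a domain the destination IP is not known to serve"))
    return findings


# Constructed sample log: one benign GET, one benign POST, one POST to an
# unrelated address that claims to be cnet.com, one POST to an unlisted domain.
SAMPLE_LOG = [
    "2020-03-20T10:00:01Z GET 203.0.113.10 www.cnet.com /",
    "2020-03-20T10:00:05Z POST 203.0.113.10 www.cnet.com /api",
    "2020-03-20T10:00:09Z POST 198.51.100.7 www.cnet.com /upload.php",
    "2020-03-20T10:00:12Z POST 198.51.100.7 example.org /x",
]

if __name__ == "__main__":
    for f in find_host_spoofing(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.dst_ip} claimed Host {f.host}: {f.reason}")
```

Only the third line is flagged: the Host header says www.cnet.com, but the connection went to an address outside the range the allowlist associates with that domain. Requests to domains the allowlist does not cover are deliberately skipped rather than reported, so the check produces a short, high-confidence list instead of noise.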

Although EnigmaSpark's installation documents are well-crafted, they include macro requests requiring the reader's consent. Refusing consent for activating the macros, an option in most modern word processors, will keep the drive-by-download from triggering. Malware experts also strongly advise installing patches for related software and scanning e-mail attachments with suitable security products before opening them.
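Whether an incoming document even contains a macro can be checked before anyone is asked for consent. The script below is an added example for this write-up, not code from the original page: Office Open XML documents are ZIP containers, and a macro-enabled Word or Excel file stores its VBA project as a vbaProject.bin member, so listing the archive is enough to learn whether macros are present and whether the file's extension is one that should never carry them. The sample documents are constructed in memory and contain no real VBA.

```python
"""Triage an Office attachment before opening it: does it carry a VBA
project, and does its extension hide that fact?

Added example; not code from the original page. The sample documents are
constructed in memory and are not real Office files."""
import io
import zipfile

# Extensions that may legitimately contain a VBA project.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
# Extensions that should never contain one.
MACRO_FREE_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def triage_attachment(filename, data):
    """Return a dict with macro presence and a verdict for one attachment."""
    result = {"filename": filename, "is_ooxml": False,
              "has_macros": False, "verdict": "unknown"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy binary .doc/.xls (OLE) or something else entirely; this
        # check does not cover those and says so rather than guessing.
        result["verdict"] = "not-ooxml"
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    result["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    ext = _ext(filename)
    if result["has_macros"] and ext in MACRO_FREE_EXTENSIONS:
        result["verdict"] = "suspicious-extension-mismatch"
    elif result["has_macros"]:
        # A legitimate macro-enabled type; still requires the reader's consent to run.
        result["verdict"] = "macros-present"
    else:
        result["verdict"] = "no-macros"
    return result


def _build_doc(with_macros):
    """Build a minimal OOXML-shaped ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


# Constructed samples: a macro project hidden behind a macro-free extension,
# an honestly labelled macro-enabled document, and a plain document.
SAMPLES = {
    "field_report.docx": _build_doc(with_macros=True),
    "meeting_notes.docm": _build_doc(with_macros=True),
    "agenda.docx": _build_doc(with_macros=False),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage_attachment(name, blob)
        print(f"{name}: macros={r['has_macros']} verdict={r['verdict']}")
```

The check is intentionally narrow: it answers "is there a VBA project in this container" without parsing the VBA itself, which keeps it safe to run on untrusted input. Legacy binary .doc and .xls files are OLE compound documents rather than ZIP archives and are reported as not-ooxml so they can be routed to a tool that understands that format.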

Many strings and components of EnigmaSpark include elements that are noted by the cyber-security industry in samples of previous Trojans and RATs. Users with up-to-date anti-malware protection have reasonable chances of deleting EnigmaSpark on sight before the attacker begins abusing it.

What commands like 'LaineybUL' and 'ReaganSA' mean to a backdoor Trojan remains an open question, but EnigmaSpark's aspirations are blatantly political. Entities in the Middle East, whether business-based or otherwise, will have to keep their guards up for a new spy in their ranks, arriving through easily-downloadable documents.
