Evilnum is an advanced persistent threat (APT) group whose targets are mostly in EU countries and the United Kingdom, although activity has also been observed in countries such as Australia and Canada. According to ESET's telemetry, the group's priority targets are financial technology companies, for example businesses that provide online exchange services and tools.
The Evilnum malware itself was the first variant to be detected and publicly documented, in 2018. Palo Alto published the second write-up, covering a variant that targeted a financial technology (FinTech) company.
Evilnum's toolset has evolved in recent years and now comprises custom malware, including the Evilnum malware family itself, plus tools bought from Golden Chickens, which ESET describes as a Malware-as-a-Service (MaaS) provider that also counts FIN6 and the Cobalt group among its customers.
SNAPSHOT of the Attack
When the link is opened, the victim receives a compressed archive containing trojanized shortcut files that masquerade as PDFs and JPEGs (scans of a driving licence, or of utility bills used as proof of address). To the user these files appear as harmless decoy documents, while the malicious component runs silently in the background. The decoy documents tend to be genuine and have been collected by the group over its years of operation.
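A defender receiving such archives at a mail gateway or sandbox can check them for the masquerade described above before a user ever double-clicks. The script below is an added example and is not code from the page or from ESET: it opens a ZIP in memory and flags entries that are Windows shortcuts (by the .lnk extension, by a document-style double extension such as .jpg.lnk that Explorer would display without the .lnk part, or by the shortcut file signature appearing under a name that claims to be a document). The archive contents are constructed for the demonstration; the LNK header bytes are the real on-disk signature of the format.

```python
import io
import os
import zipfile

# Signature of a Windows shortcut (.lnk): HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000011402000000000000C000000000000046")

# Extensions the lure pretends to be (documents and photos of documents).
DOCUMENT_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx"}


def inspect_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive entry looks like a disguised shortcut (empty if none)."""
    reasons = []
    root, ext = os.path.splitext(name.lower())
    _, inner_ext = os.path.splitext(root)
    if ext == ".lnk":
        reasons.append("shortcut file inside archive")
        if inner_ext in DOCUMENT_EXTS:
            # Explorer hides .lnk, so "x.jpg.lnk" is shown to the user as "x.jpg".
            reasons.append(f"double extension hides .lnk behind {inner_ext}")
    if head.startswith(LNK_MAGIC) and ext != ".lnk":
        # Content is a shortcut even though the name says otherwise.
        reasons.append(f"content is a shortcut but name claims {ext or 'no extension'}")
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Scan an in-memory ZIP and map each suspicious entry name to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = inspect_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one genuine-looking JPEG and two disguised shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_of_bill.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        zf.writestr("driving_licence.jpg.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("proof_of_address.pdf", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_archive(build_sample_archive()).items():
        print(entry, "->", "; ".join(why))
```

Checking the content signature as well as the name matters because the name is fully under the sender's control; the header check also catches a shortcut renamed to a bare document extension, which the extension rules alone would miss.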
The operators send commands manually to install additional components and use post-compromise scripts and tools where they see fit. The initial component achieves persistence via the Run registry key and has full backdoor capabilities: it can download and execute binaries, run arbitrary commands, and upload files from the victim's computer to the C&C server.
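Persistence through the Run key is easy to audit, and a script host or a payload under a user-writable directory in an autostart entry is a common sign of a foothold like the one described above. The following is an added example, not code from the page or from ESET: it parses the text produced by exporting the current user's Run key (the `.reg` format) and flags entries that launch through a scripting or proxy-execution host or that point into AppData, Temp, Downloads or Public. The export text, the value names and the paths are constructed for the demonstration.

```python
import re

# Constructed sample of a .reg export of HKCU\...\CurrentVersion\Run.
# Values in this format escape backslashes as \\ and double quotes as \".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"SystemCheck"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\Update\\check.js\""
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe -s"
'''

# Hosts that run scripts or proxy execution; legitimate autostarts rarely need them.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "regsvr32", "rundll32")
# Path fragments that a non-admin user can write to (lowercase, with separators).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def unescape_reg(value: str) -> str:
    """Undo .reg string escaping left to right: '\\x' becomes 'x'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_run_key(text: str) -> dict[str, str]:
    """Map each value name in the export to its unescaped command line."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            entries[m.group("name")] = unescape_reg(m.group("value"))
    return entries


def audit_run_entries(entries: dict[str, str]) -> dict[str, list[str]]:
    """Return the entries worth a closer look, with the reasons for each."""
    findings = {}
    for name, cmd in entries.items():
        low = cmd.lower()
        reasons = []
        if any(host in low for host in SCRIPT_HOSTS):
            reasons.append("launches through a script or proxy-execution host")
        if any(frag in low for frag in USER_WRITABLE):
            reasons.append("payload lives in a user-writable directory")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, why in audit_run_entries(parse_run_key(SAMPLE_REG)).items():
        print(name, "->", "; ".join(why))
```

On a live host the same text comes from `reg export` of the Run key under both HKCU and HKLM; reviewing the exports centrally lets the check run on machines where installing an agent is not an option.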
The main aim of the Evilnum group is to spy on its targets and to collect financial information from both the targeted firms and their customers, such as: customer lists; spreadsheets and records of savings and business activities; software licences and credentials; sensitive browser data such as cookies and session details; email credentials; customers' credit card records; and proof-of-address and identity documents.
One way to defend against this threat is to block Windows shortcut (.lnk) files on high-risk machines that communicate with untrusted parties daily. These high-risk machines can also be segmented within the network to make lateral movement harder once one of them is compromised. We also suggest regularly checking network logs for suspicious connections to IP addresses belonging to virtual private server (VPS) providers.