On July 9, 2020, details were released regarding the operations of the Evilnum advanced persistent threat (APT) group behind the Evilnum malware, which was previously seen in a spear-phishing campaign against financial technology companies. According to ESET’s telemetry, the targeted financial technology companies, which offer platforms and tools for online trading, were located in Australia, Canada, the United Kingdom, and other European countries. The main objective of the threat actors is to spy on their targets and obtain financial information from both the targeted companies and their customers. Security researchers at ESET report that the threat actors typically attempt to obtain the following types of data: documents containing customer lists, investments, trading operations, internal presentations, software licenses, and credentials for trading platforms. Additionally, the threat actors also sought to steal cookies and session information from browsers, email credentials, and customer credit card information.
The attack starts with emails that contain a link to a zip file hosted on Google Drive. This zip file contains several “.LNK” shortcut files pretending to be an image or a document. When the victim opens one of these files, a malicious JavaScript component identified as “Evilnum” is executed. It then writes and opens a decoy file with the same name as the shortcut and the correct extension, and deletes the LNK files. Evilnum also deploys other malware that the Evilnum operators purchased from other threat actors, including components written in C# from the malware-as-a-service provider Golden Chickens. Additionally, the Evilnum operators use Python-based tools such as LaZagne, IronPython, and pysoxy, among others.
According to ESET, Evilnum also acts as a backdoor and handles communications with the command-and-control (C2) server, whereas the C# components handle the other tasks, including taking screenshots, stealing sensitive data, and exfiltrating it to the attacker-controlled server. The attackers then use a number of additional Golden Chickens tools, such as Terra_Loader and more_eggs, which employ anti-debugging techniques and prevent execution in sandboxed environments. Post-compromise, the group deploys a series of Python-based tools to capture screenshots, steal credentials, perform keylogging, and collect sensitive data.
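The lure described above relies on “.LNK” shortcuts named to look like images or documents inside an emailed zip archive. As an added defensive example (not code from the Nuspire or ESET write-ups), the Python below scans an archive for shortcut entries whose inner extension imitates a document or image and confirms whether each really carries a Shell Link header; the decoy extension set and the sample archive are constructed for illustration.

```python
import io
import os
import struct
import zipfile
from typing import Dict, List

# Fixed Shell Link header fields (MS-SHLLINK): HeaderSize 0x4C, followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its little-endian byte layout.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Extensions the lure files imitate (assumed set of image and document decoys).
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a genuine Shell Link header."""
    if len(data) < 20:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def masquerading_lnk_entries(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return every .lnk entry whose inner extension imitates a document or image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".lnk"):
                continue
            stem = os.path.basename(info.filename)[:-4]          # strip the trailing ".lnk"
            inner_ext = os.path.splitext(stem)[1].lower()        # e.g. ".jpg" in "photo.jpg.lnk"
            if inner_ext in DECOY_EXTENSIONS:
                findings.append({
                    "entry": info.filename,
                    "decoy_extension": inner_ext,
                    "valid_lnk_header": is_shell_link(zf.read(info)[:20]),
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not real malware): one lure with a real LNK
    header, one mislabelled .lnk without one, and one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf.lnk", struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * 60)
        zf.writestr("photo.jpg.lnk", b"not a shell link")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in masquerading_lnk_entries(build_sample_zip()):
        print(hit)
```

Entries with a decoy extension but no valid header are still worth flagging, since the double extension alone is the social-engineering signal; the header check only tells an analyst whether the file would actually be treated as a shortcut.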
Nuspire recommends the following mitigations to reduce the risk from this campaign:
– Use next-generation antivirus software and keep it updated
– Use a password manager to counter the keylogging feature of the malware
– Keep operating system patches up to date
– Provide phishing and social engineering awareness training to employees
The following indicators of compromise (IOCs) are associated with this campaign: