Evilnum has been detected in the wild since 2018, and the advanced persistent threat (APT) group has been linked to attacks against financial technology (fintech) firms.
Beyond the group's taste for fintech targets, however, little has been published about its tools, techniques, or potential ties to other cyberattackers.
Researchers from ESET have been investigating the APT for some time and on Thursday published an analysis of the threat group.
According to the team, Evilnum has focused on targets located in Europe and the United Kingdom, although some victims are also located in Australia and Canada.
As with many cyberattackers that specialize in financial targets, the aim is to infiltrate corporate networks, grab access credentials, and steal valuable financial information that can then either be used for fraudulent purchases or sold in bulk to other criminals.
Evilnum's initial attack vector is a common one: approach the target with spearphishing emails. Unlike the 'spray and pray' tactics of standard phishing campaigns, these messages rely on social engineering and contain details that make them appear genuine to the technical support representatives and account managers who receive them.
The emails contain a link to a .zip file hosted on Google Drive. Once extracted, the archive yields malicious .LNK (Windows shortcut) files that open decoy documents appearing to be Know Your Customer (KYC) data, such as copies of driving licenses or utility bills serving as proof of address.
Behind the decoy, however, these shortcuts execute a range of malicious components to compromise the corporate network.
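The lure format described above lends itself to a simple archive triage check. The script below is an added example for this page, not ESET's tooling or anything from the report: it lists a .zip archive, flags Windows shortcut entries (including names that end in an image or document extension before .lnk), detects shortcut content hiding under a non-.lnk name by its MS-SHLLINK header, and reads the two header fields most useful for triage (whether the shortcut carries command-line arguments, and whether it runs minimised). The archive, its entry names and the shortcut headers are constructed inline for the demonstration, and the set of "lure" extensions is an assumption.

```python
import io
import struct
import zipfile
from pathlib import PureWindowsPath

# Fixed Shell Link header fields (MS-SHLLINK 2.1): HeaderSize is always 0x4C,
# followed by LinkCLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
LNK_HEADER_LEN = 0x4C
FLAG_HAS_ARGUMENTS = 0x20   # LinkFlags bit 5: a command line follows the target
SW_SHOWMINNOACTIVE = 7      # ShowCommand value: start minimised, without focus

# Extensions a KYC-themed lure (ID scan, proof of address) would claim. Assumption.
LURE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx"}


def is_lnk(data: bytes) -> bool:
    """Content check: does the blob start with a Shell Link header?"""
    return data[:20] == LNK_MAGIC


def lnk_traits(data: bytes) -> list[str]:
    """Read the two Shell Link header fields that matter for triage."""
    if len(data) < LNK_HEADER_LEN:
        return ["truncated shell link header"]
    traits = []
    (link_flags,) = struct.unpack_from("<I", data, 0x14)  # LinkFlags
    (show_cmd,) = struct.unpack_from("<I", data, 0x3C)    # ShowCommand
    if link_flags & FLAG_HAS_ARGUMENTS:
        traits.append("has command-line arguments")
    if show_cmd == SW_SHOWMINNOACTIVE:
        traits.append("runs minimised (SW_SHOWMINNOACTIVE)")
    return traits


def triage_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Return {entry name: [reasons]} for every suspicious entry in the archive."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PureWindowsPath(info.filename).suffixes]
            data = zf.read(info)
            reasons = []
            if suffixes and suffixes[-1] == ".lnk":
                reasons.append("Windows shortcut inside archive")
                if len(suffixes) >= 2 and suffixes[-2] in LURE_EXTENSIONS:
                    reasons.append(f"double extension masquerading as {suffixes[-2]}")
            if is_lnk(data):
                if not suffixes or suffixes[-1] != ".lnk":
                    reasons.append("shell link content under a non-.lnk name")
                reasons.extend(lnk_traits(data))
            if reasons:
                findings[info.filename] = reasons
    return findings


def fake_lnk(flags: int, show_cmd: int) -> bytes:
    """Constructed 76-byte Shell Link header for the sample (not a real lure)."""
    header = bytearray(LNK_HEADER_LEN)
    header[:20] = LNK_MAGIC
    struct.pack_into("<I", header, 0x14, flags)
    struct.pack_into("<I", header, 0x3C, show_cmd)
    return bytes(header) + b"\x00" * 16  # padding standing in for the link body


def build_sample_archive() -> bytes:
    """Constructed archive imitating the described lure; entry names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KYC/Driving licence scan.jpg.lnk",
                    fake_lnk(FLAG_HAS_ARGUMENTS, SW_SHOWMINNOACTIVE))
        zf.writestr("KYC/Proof of address.pdf", b"%PDF-1.4\n% decoy placeholder\n")
        zf.writestr("KYC/Passport photo.jpg", fake_lnk(0, 1))  # shortcut, wrong extension
        zf.writestr("KYC/README.txt", b"Please review the attached customer documents.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_archive(build_sample_archive()).items():
        print(name, "->", "; ".join(reasons))
```

The content check matters more than the name check: Explorer hides the .lnk extension by default, and an attacker can just as easily rename the shortcut, so a file claiming to be a JPEG that begins with the Shell Link header is the stronger signal. Running the sample flags the double-extension shortcut on four counts and the mislabelled shortcut on one, while the PDF and text entries pass.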
Evilnum's toolset has evolved in recent years and now includes custom malware -- the Evilnum malware family -- as well as hacking tools purchased from Golden Chickens, a group ESET describes as a Malware-as-a-Service (MaaS) provider that also counts FIN6 and Cobalt Group among its clientele.
These purchased tools include ActiveX components (OCX files) containing TerraLoader, a dropper that Golden Chickens offers its customers for deploying further malware, such as the More_eggs backdoor, a DLL search order hijacking suite, and a sophisticated remote access program.
"We believe that FIN6, Cobalt Group, and Evilnum group are not the same, despite the overlaps in their toolsets. They just happen to share the same MaaS provider," ESET noted.
If a victim opens a decoy, the Evilnum malware, Python-based tools, or Golden Chickens components are launched. Each tool communicates with its own command-and-control (C2) server and operates independently of the others, whether for information theft, persistence, the deployment of additional malware, or other malicious functions.
The main Evilnum payload focuses on theft: it collects any account credentials saved in the Google Chrome browser, along with its cookies, and scours infected systems for credit card information, ID documents, customer lists, investment and trading documents, software licenses, and VPN configurations.
The researchers have connected the group to a variety of fintech-focused attacks, but do not believe the evidence is enough to link it to any other APT at present.
"The targets are very specific and not numerous," ESET says. "This, and the group's use of legitimate tools in its attack chain, have kept its activities largely under the radar. We were able to join the dots and discover how the group operates, uncovering some overlaps with other known APT groups. We think this and other groups share the same MaaS provider, and the Evilnum group cannot yet be associated with any previous attacks by any other APT group."