Evilnum malware has been known in the cybersecurity threat landscape since 2018, with the APT group behind it linked to a series of attacks targeting financial technology (Fintech) companies. However, beyond that link to attacks on Fintech companies, little is known about the group: its tools, its techniques, or the possible connections between these attacks and other cybercriminals.
ESET researchers have been studying the APT group for a long time, and a few days ago they published an analysis of it. According to the researchers, the Evilnum group has focused its attacks on targets located in Europe and the United Kingdom, although some victims are also found in Australia and Canada. As with many cybercriminals targeting financial institutions, the goal of the Evilnum group is to infiltrate corporate networks, obtain access credentials, and steal valuable financial information that can either be used for fraudulent purchases or sold to other criminals.
The Evilnum group's approach is a common one. It initially approaches the target with a phishing email. These phishing emails rely on social engineering and contain information that makes them look genuine to technical support representatives and account managers. The emails also contain a link to a .zip file hosted on Google Drive. Once extracted, the archive yields malicious .LNK files disguised as documents supposedly related to KYC (Know Your Customer) procedures. When opened, however, these files execute a series of malicious components in order to compromise corporate networks.
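The lure described above (a .zip archive whose "documents" are really Windows shortcut files) is something a mail gateway or sandbox can check for before a user ever double-clicks. The following is an added example, not code from the article or from ESET: it builds a constructed sample archive in memory, then flags any entry that carries a .lnk extension behind a document-looking name and whose bytes actually start with the Shell Link header (HeaderSize 0x4C followed by the LinkCLSID). The entry names and shortcut bodies are made up for this example.

```python
import io
import zipfile
from typing import Dict, List

# Windows Shell Link (.LNK) file header: HeaderSize 0x0000004C (little-endian)
# followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER_SIZE = b"L\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Extensions a lure typically hides behind ("passport.jpg.lnk", "proof.pdf.lnk").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png"}


def build_sample_archive(with_lure: bool = True) -> bytes:
    """Constructed sample .zip, mimicking the KYC-themed lure; names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", b"Please review the attached KYC documents")
        if with_lure:
            fake_shortcut = LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 40  # minimal fake body
            zf.writestr("KYC_passport_scan.jpg.lnk", fake_shortcut)
            zf.writestr("Proof_of_address.pdf.lnk", fake_shortcut)
    return buf.getvalue()


def analyse_archive(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per .lnk entry: does it hide behind a document extension,
    and do its bytes really carry the Shell Link header?"""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if not lower.endswith(".lnk"):
                continue
            stem = lower[: -len(".lnk")]
            inner_ext = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
            head = zf.read(name)[:20]
            findings.append({
                "name": name,
                "double_extension": inner_ext in DOCUMENT_EXTENSIONS,
                "is_shell_link": head == LNK_HEADER_SIZE + LNK_CLSID,
            })
    return findings


def is_suspicious(findings: List[Dict[str, object]]) -> bool:
    """An archive is flagged when any entry is a real shortcut posing as a document."""
    return any(f["double_extension"] and f["is_shell_link"] for f in findings)


if __name__ == "__main__":
    for f in analyse_archive(build_sample_archive()):
        print(f)
    print("suspicious:", is_suspicious(analyse_archive(build_sample_archive())))
```

Checking the header bytes rather than only the extension matters in both directions: a renamed shortcut still carries the 0x4C/LinkCLSID prefix, and a benign file that merely ends in ".lnk" does not. Feed `analyse_archive` the raw bytes of an attachment pulled from a mail queue or a download proxy and quarantine on `is_suspicious`.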
Evilnum's toolset has evolved in recent years and now includes custom malware, among it the Evilnum malware family, as well as hacking tools purchased from Golden Chickens, a group that ESET describes as a Malware-as-a-Service (MaaS) provider whose customers also include the FIN6 and Cobalt Group hacking groups. These tools include, among other things, ActiveX components that contain the TerraLoader malware. ESET researchers believe that FIN6, Cobalt Group, and Evilnum are not the same group, but simply happen to share the same MaaS provider.
If a victim opens a lure document, it launches Evilnum malware, Python-based components, or Golden Chickens components. Each tool communicates with its own command-and-control (C2) server and operates independently, with the aim of stealing information, deploying additional malicious programs, or performing other malicious functions. The core Evilnum payload focuses on theft: it collects any account credentials stored in the Google Chrome browser, along with its cookies, and searches infected systems for credit card details, identity documents, customer lists, investment and trading documents, software licenses, and VPN configurations.
Researchers have linked the group to a variety of attacks targeting mostly Fintech companies, but do not consider that sufficient to tie it to a known APT group at this time. In particular, ESET states that the targets are very specific and few in number. This, combined with the group's use of legitimate tools in its attack chain, has kept its activities largely "low profile". Finally, ESET notes that while the Evilnum group and other groups share the same MaaS provider, the Evilnum group cannot yet be associated with previous attacks by any other APT group.