ESET has tracked down the Evilnum group. The cybercriminals have been active since 2018 and conduct advanced persistent threat (APT) attacks against financial technology companies. Aside from the group’s predilection for fintech targets, little had been published about its tools, techniques, or potential connections to other threat actors. According to the ESET research team, Evilnum has focused on targets in Europe and the UK, although some victims are also located in Australia and Canada.
As with many attackers who specialize in financial targets, the goal is to infiltrate corporate networks, obtain credentials, and steal valuable financial information that can then either be used for fraudulent purchases or sold in bulk to other criminals.
Evilnum’s attack chain follows the familiar pattern of approaching the target with spear-phishing emails. Whereas standard phishing emails are often sent in “spray and pray” campaigns, these messages rely on social engineering and contain details that make them look genuine to the technical support and customer service representatives who receive them.
The emails contain a link to a .zip file hosted on Google Drive. The archive contains malicious .LNK files which, when opened, display decoy documents that appear to be Know Your Customer (KYC) data, e.g. copies of driving licences or invoices serving as proof of address.
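As an added example (not from the ESET report or this article), here is a Python triage script for the kind of archive described above. It parses the .LNK files inside a zip (the MS-SHLLINK header and StringData section), extracts the shortcut target and arguments, and flags the usual decoy tricks: a target that is a command interpreter or script host, a ShowCommand of SW_SHOWMINNOACTIVE (the shortcut starts minimised), a document double extension, and arguments that reference another file bundled in the same archive, which is how a shortcut can open the decoy while launching something else. The archive, the shortcut contents and the interpreter list are constructed for the example and are not Evilnum indicators.

```python
import io
import ntpath
import struct
import zipfile

# Hypothetical triage lists for this example, not indicators from the ESET report.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DOCUMENT_EXTS = (".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".xlsx")
SW_SHOWMINNOACTIVE = 7          # ShowCommand value that starts the target minimised

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Extract ShowCommand and the StringData fields from a .LNK file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not an MS-SHLLINK file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76                                        # end of ShellLinkHeader
    if flags & HAS_ID_LIST:                         # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                       # skip LinkInfo (size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in STRING_DATA:                   # StringData, in spec order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(entry_name: str, fields: dict, members: list) -> list:
    """Return human-readable reasons why this shortcut looks like a decoy launcher."""
    reasons = []
    target = ntpath.basename(fields.get("relative_path", "")).lower()
    if target in INTERPRETERS:
        reasons.append(f"target is {target}")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand is SW_SHOWMINNOACTIVE (runs minimised)")
    if entry_name.lower()[:-4].endswith(DOCUMENT_EXTS):
        reasons.append("double extension disguises the shortcut as a document")
    args = fields.get("arguments", "")
    for member in members:
        if member != entry_name and ntpath.basename(member) in args:
            reasons.append(f"arguments reference bundled file {member}")
    return reasons


def scan_zip(zip_bytes: bytes) -> dict:
    """Map every .lnk member of an archive to its triage findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.namelist()
        for name in members:
            if name.lower().endswith(".lnk"):
                findings[name] = triage_lnk(name, parse_lnk(zf.read(name)), members)
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Build a minimal Unicode .LNK carrying only RelativePath and Arguments (constructed sample)."""
    flags = IS_UNICODE | 0x08 | 0x20
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # CLSID_ShellLink
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, clsid, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the KYC lure: decoy image plus launcher shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Driving_Licence.jpg.lnk", build_lnk(
            r"..\..\..\Windows\System32\cmd.exe",
            '/c start "" Driving_Licence.jpg & wscript.exe //B kyc.js',
            SW_SHOWMINNOACTIVE))
        zf.writestr("Driving_Licence.jpg", b"\xff\xd8\xff\xe0 constructed decoy")
        zf.writestr("kyc.js", b"// constructed placeholder, not real malware")
        zf.writestr("Readme.lnk", build_lnk(r"..\..\Windows\notepad.exe", ""))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(name, "->", reasons or "nothing suspicious")
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks and only reads the string fields, which is enough for mail-gateway triage; a full analysis would also decode the ID list, since a shortcut can carry its target there with no RelativePath at all.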
However, these decoys also launch a chain of malicious components that compromise the corporate network. Evilnum’s toolset has evolved over the years and now includes custom malware, among it the Evilnum malware family, as well as tools acquired from Golden Chickens, a group that ESET describes as a malware-as-a-service (MaaS) provider that also counts FIN6 and Cobalt Group among its customers.
These tools include ActiveX components (OCX files) containing TerraLoader, a dropper for other malware offered to Golden Chickens customers, such as the More_eggs backdoor, a DLL search-order hijacking kit and a sophisticated remote access program.
“We believe that FIN6, Cobalt Group and Evilnum Group are not the same, despite the overlap in their tool sets. They just happen to share the same malware as a service (MaaS) provider,” remarked ESET.
When a victim opens a decoy document, Evilnum malware, Python-based tools, or Golden Chickens components are launched. Each tool communicates with its own command-and-control (C2) server and works independently of the others, whether for information theft, persistence, deploying additional malware, or other malicious functions.
Evilnum’s main payload focuses on theft: it collects the account credentials and cookies stored in Google Chrome and searches infected systems for credit card information, identification documents, customer lists, investment and trading documents, and software licenses and configurations.
The researchers have associated the group with a range of attacks on fintech companies, but do not believe that this is sufficient to link it to any other APT group at the moment.
“The goals are very specific and not numerous,” explains ESET. “This and the use of legitimate tools in the group’s attack chain have largely kept its activities hidden. We were able to join the dots and find out how the group works, revealing some overlaps with other known APT groups. We believe that these and other groups use the same MaaS provider, and the Evilnum group cannot yet be linked to previous attacks by another APT group.”