ESET researchers expose Evilnum malware operations


ESET researchers expose the operations of Evilnum, the APT group behind the Evilnum malware. According to ESET’s telemetry, the targets are financial technology companies – for example, platforms and tools for online trading.

Although most of the targets are located in EU countries and the UK, ESET has also seen attacks in countries such as Australia and Canada. The main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted companies and their customers.

“While this malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates,” says Matias Porolli, the ESET researcher leading the investigation into Evilnum. “Its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service provider whose infamous customers include FIN6 and Cobalt Group,” he adds.

Evilnum steals sensitive information, including customer credit card information and proof of address/identity documents; spreadsheets and documents with customer lists, investments and trading operations; software licenses and credentials for trading software/platforms; email credentials; and other data. The group has also gained access to IT-related information, such as VPN configurations.

“Targets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That archive contains several shortcut files that extract and execute a malicious component, while displaying a decoy document,” elaborates Porolli. These decoy documents appear genuine; the group actively and continuously collects them in its current operations as it tries to compromise new victims. The group targets technical support representatives and account managers, who regularly receive identity documents or credit cards from their customers.
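As an added illustration, not code from ESET or from the report, the following defender-side check inspects a ZIP archive of the kind described above and flags entries that are Windows shortcut files, identified either by their .lnk extension or by the shell-link file header, and notes document-style double extensions. The archive contents and file names are constructed samples.

```python
import io
import zipfile

# First four bytes of a Windows shell link (.lnk): HeaderSize 0x4C, little-endian.
LNK_MAGIC = b"\x4c\x00\x00\x00"


def build_sample_archive() -> bytes:
    """Constructed sample (not from the ESET report) mimicking the described lure:
    shortcut files with document-like double extensions beside a decoy document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Passport_scan.jpg.lnk", LNK_MAGIC + b"\x00" * 72)
        zf.writestr("Proof_of_address.pdf.lnk", LNK_MAGIC + b"\x00" * 72)
        zf.writestr("Customer_statement.pdf", b"%PDF-1.4 decoy document")
        # A shortcut renamed to hide its extension; only the header gives it away.
        zf.writestr("Invoice.txt", LNK_MAGIC + b"\x00" * 72)
    return buf.getvalue()


def find_shortcut_entries(zip_bytes: bytes) -> list:
    """Return one record per archive entry that is, or looks like, a shell link.

    Flag on a .lnk extension or on the shell-link header; note double extensions
    such as .pdf.lnk, the usual way a shortcut is dressed up as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(4)
            by_extension = lower.endswith(".lnk")
            by_header = head == LNK_MAGIC
            if not (by_extension or by_header):
                continue
            basename = lower.rsplit("/", 1)[-1]
            findings.append({
                "name": info.filename,
                "by_extension": by_extension,
                "by_header": by_header,
                "double_extension": basename.count(".") >= 2,
            })
    return findings


if __name__ == "__main__":
    for finding in find_shortcut_entries(build_sample_archive()):
        print(finding)
```

Such a check belongs at the mail gateway or in a sandbox that unpacks attachments and linked downloads, where an archive that carries shortcut files instead of the promised documents can be quarantined before it reaches a support mailbox.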

As with much malware, Evilnum accepts commands from its operators. Among those are commands to collect and send Google Chrome saved passwords; take screenshots; stop the malware and remove persistence; and collect and send Google Chrome cookies to a command and control (C&C) server.

“Evilnum leverages large infrastructure for its operations, with several different servers for different types of communication,” concludes Porolli.
