ESET researchers have released their in-depth analysis into the operations of Evilnum, the APT group behind the Evilnum malware. According to ESET’s telemetry, the targets are financial technology companies – for example, platforms and tools for online trading. Although most of the targets are located in EU countries and the UK, ESET has also seen attacks in countries such as Australia and Canada. The main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted companies and their customers.
“While this malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates,” says Matias Porolli, the ESET researcher leading the investigation into Evilnum. “Its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service provider whose infamous customers include FIN6 and Cobalt Group,” he adds.
Evilnum steals sensitive information, including customer credit card information and proof of address/identity documents; spreadsheets and documents with customer lists, investments and trading operations; software licenses and credentials for trading software/platforms; email credentials; and other data. The group has also gained access to IT-related information, such as VPN configurations.
“Targets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That archive contains several shortcut files that extract and execute a malicious component, while displaying a decoy document,” elaborates Porolli. These decoy documents seem genuine, and they are continuously and actively collected in the group’s current operations as they try to compromise new victims. It targets technical support representatives and account managers, who regularly receive identity documents or credit cards from their customers.
As with many malicious codes, commands can be sent to Evilnum malware. Among those are commands to collect and send Google Chrome saved passwords; take screenshots; stop the malware and remove persistence; and collect and send Google Chrome cookies to a command and control server. “Evilnum leverages large infrastructure for its operations, with several different servers for different types of communication,” concludes Porolli.