ESET researchers are about to release an in-depth analysis of how Evilnum, the APT group behind the malware of the same name, operates. According to ESET's telemetry, the group targets financial technology companies, for example platforms and online trading tools. While the companies most affected are in the EU and the UK, ESET has also found a number of breaches in countries such as Australia and Canada. The main objective of the Evilnum group is to spy on chosen victims and obtain financial information from both the targeted companies and their customers.
"We have detected and documented this malware as early as 2018, but so far little has been said about the group behind this malware and how it operates," explains Matias Porolli, the ESET researcher leading the investigation into Evilnum. "Its toolset and infrastructure have evolved and now consist of a mix of custom malware combined with tools purchased from Golden Chickens, a malware-as-a-service provider from which other illicit organizations like FIN6 and Cobalt Group also make their purchases," he adds.
Evilnum steals sensitive information, including credit card data and customer identity documents; spreadsheets with customer lists, investments and trading operations; software licenses and credentials for both software and trading platforms; e-mail access data; and other similar information.
The group also managed to steal information from IT departments, such as some VPN configurations.
"Targeted companies are hooked with spearphishing emails that contain a link to a zip file uploaded to Google Drive. This archive contains a series of link files that extract and execute malicious components, while the user views a decoy document," explains Porolli. These documents appear authentic and are constantly updated and used with the aim of luring new victims. The emails are directed at technical support officers and account managers, who regularly receive sensitive information from their customers.
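The delivery chain described above (a zip archive holding Windows shortcut files next to a decoy document) is something a mail gateway or sandbox can screen for before a user ever opens the archive. The script below is an added defensive example, not ESET's code and not part of the original analysis: it inspects every entry of a zip file and flags entries that are Windows Shell Link files, identified by the fixed `.lnk` header (HeaderSize 0x4C followed by the LinkCLSID `00021401-0000-0000-C000-000000000046`) rather than by file extension, so a shortcut hidden behind a misleading name like `invoice.jpg` is still caught. The sample archive it builds is constructed for the demonstration; the entry names are invented and carry no relation to real Evilnum samples.

```python
import io
import zipfile

# Windows Shell Link (.lnk) header: HeaderSize 0x0000004C, then the LinkCLSID
# {00021401-0000-0000-C000-000000000046} serialized little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

DECOY_SUFFIXES = (".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png")


def lnk_like(data: bytes) -> bool:
    """True if the first 20 bytes match a Windows Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_archive(zip_bytes: bytes) -> dict:
    """Classify the entries of a zip archive held in memory.

    Returns which entries are shortcut files (by header or extension),
    which look like decoy documents, and an overall risk flag. Only the
    first 20 bytes of each entry are read, so large archives stay cheap.
    """
    findings = {"lnk_entries": [], "decoys": [], "risky": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as entry:
                head = entry.read(len(LNK_MAGIC))
            if lnk_like(head) or name.lower().endswith(".lnk"):
                findings["lnk_entries"].append(name)
            elif name.lower().endswith(DECOY_SUFFIXES):
                findings["decoys"].append(name)
    # Any shortcut inside a mailed archive is reason enough to hold it for review.
    findings["risky"] = bool(findings["lnk_entries"])
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (hypothetical names, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Shortcut with a double extension, the classic "scanned document" trick.
        zf.writestr("passport_scan.jpg.lnk", LNK_MAGIC + b"\x00" * 60)
        # Harmless-looking decoy the user is meant to see.
        zf.writestr("statement.pdf", b"%PDF-1.4\n% decoy placeholder\n")
        # Shortcut whose name hides the .lnk extension entirely; caught by header.
        zf.writestr("invoice.jpg", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_archive(build_sample_archive())
    print("shortcut entries:", result["lnk_entries"])
    print("decoy entries:   ", result["decoys"])
    print("hold for review: ", result["risky"])
```

Matching on the header rather than the file name is the point of the check: the extension is attacker-controlled, the 20-byte header is not. In a real gateway the same function would run on the archive fetched from the download link before the message is released to the recipient.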
Like other malware, Evilnum can receive commands from its operators. These include commands that send Google Chrome's saved passwords to a control server, take screenshots, collect and send Google Chrome cookies to a control server, and stop the malware and remove its persistence.
"Evilnum exploits large infrastructures for its operations, using different servers according to the different types of communication," concludes Porolli.
For more details on the Evilnum malware and the APT group, see the WeLiveSecurity blog post "More evil: a deep look at Evilnum and its toolset".