According to ESET telemetry data, the Evilnum group has focused its attacks on financial technology companies. Most targets are in the European Union and the United Kingdom, although ESET has also identified attacks in Australia and Canada.
The Evilnum group closely monitors its prospective targets in order to gather financial information about the company and its customers.
"While Evilnum malware has been seen in the wild since at least 2018, little has been published about the group behind it and how it operates," said Matias Porolli, the ESET researcher leading the Evilnum research. "The toolset and infrastructure it uses have evolved and now consist of a combination of custom-built malware and tools purchased from Golden Chickens, a malware-as-a-service (MaaS) provider whose malicious customers include the FIN6 and Cobalt Group teams," he adds.
Evilnum steals sensitive information, including credit card and address information and credentials, spreadsheets and documents with customer lists, investment and transaction documents, software licences and credentials for trading software and platforms, email information, and other data. The group has also gained access to information about IT infrastructure, such as VPN configurations.
"The group approaches its targets with phishing emails that contain a link to a .zip file hosted on Google Drive. This file contains a number of shortcut files that extract and execute a malicious component while displaying a decoy document," explains Porolli.
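The lure described above is an archive whose entries are Windows shortcut files posing as scanned documents, with a decoy document alongside. The following is an added example, not ESET's or the group's code, of a mail-gateway style check a defender could run on an inbound .zip: it identifies shortcut entries by their Shell Link header rather than trusting the file extension, flags shortcuts whose names mimic documents, and returns a verdict. The heuristics, thresholds and sample archives are constructed here for illustration.

```python
"""Inspect a zip attachment for Windows shortcut (.lnk) entries.

Added example (not ESET's code). The verdict thresholds and the sample
archives below are constructed assumptions, not values from the report.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID encoding.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions a phishing victim would expect in a "scanned documents" archive.
DOCUMENT_EXTENSIONS = (".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xls", ".xlsx")


@dataclass
class ArchiveReport:
    total_entries: int
    shortcuts: list = field(default_factory=list)  # entries that are LNK by content or name
    disguised: list = field(default_factory=list)  # LNK entries named like documents
    decoys: list = field(default_factory=list)     # non-LNK entries with document names
    verdict: str = "clean"                         # "clean", "review" or "block"


def looks_like_document(name: str) -> bool:
    """True if the name (ignoring a trailing .lnk) ends in a document extension."""
    base = name.lower()
    if base.endswith(".lnk"):
        base = base[:-4]
    return base.endswith(DOCUMENT_EXTENSIONS)


def inspect_archive(data: bytes) -> ArchiveReport:
    """Classify every file entry of a zip held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        report = ArchiveReport(total_entries=len(members))
        for m in members:
            # Read only the header: a renamed shortcut still carries the LNK magic.
            with zf.open(m) as fh:
                head = fh.read(len(LNK_MAGIC))
            is_lnk = head == LNK_MAGIC or m.filename.lower().endswith(".lnk")
            if is_lnk:
                report.shortcuts.append(m.filename)
                if looks_like_document(m.filename):
                    report.disguised.append(m.filename)
            elif m.filename.lower().endswith(DOCUMENT_EXTENSIONS):
                report.decoys.append(m.filename)
    # Constructed policy: any shortcut in an inbound archive needs a look;
    # several shortcuts, or a shortcut dressed up as a document, is blocked.
    if report.shortcuts:
        report.verdict = "block" if report.disguised or len(report.shortcuts) > 1 else "review"
    return report


def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. FAKE_LNK is a header with no link target or payload.
FAKE_LNK = LNK_MAGIC + b"\x00" * 60
LURE_ARCHIVE = build_archive({
    "ID_card_front.jpg.lnk": FAKE_LNK,
    "ID_card_back.jpg.lnk": FAKE_LNK,
    "proof_of_address.pdf.lnk": FAKE_LNK,
    "statement.pdf": b"%PDF-1.4 constructed decoy document",
})
BENIGN_ARCHIVE = build_archive({
    "scan1.jpg": b"\xff\xd8\xff constructed jpeg bytes",
    "scan2.pdf": b"%PDF-1.4 constructed document",
})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ARCHIVE), ("benign", BENIGN_ARCHIVE)):
        print(label, inspect_archive(blob))
```

Checking the header instead of the extension matters because a shortcut renamed to `invoice.pdf` is still treated as a shortcut by the content check, and a `.jpg.lnk` name is reported as disguised because the document-looking part of the name is what the recipient sees when extensions are hidden.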
These documents appear to be genuine and are continuously collected during the group's operations as it tries to reach new victims. Evilnum targets technical support representatives and account managers, who regularly receive identification and credit card documents from their customers.
As with much malware, commands can be sent to the Evilnum malware. Among other things, there are commands for collecting and sending passwords stored in Google Chrome, collecting and sending Google Chrome cookies, taking screenshots, stopping the malware, and removing it.
"Evilnum relies on a substantial infrastructure, which includes several different servers for different forms of communication," concludes Porolli.