ESET researchers published an in-depth analysis of the activity of the Evilnum cybercriminal group, the APT group (know more persistent threat) behind the Evilnum malware.
According to ESET telemetry data, the Evilnum team has focused its attacks on financial technology companies. Most targets are in the European Union and the United Kingdom, however, ESET has identified other attacks in Australia and Canada.
The Evilnum Group closely monitors its prospective targets to raise finance information concerning the company as well as its customers.
"While the Evilnum malware has been spotted 'in the wild' since at least 2018, the information that has been published about the team behind the malware and how it works is minimal," said Matias Porolli, the ESET researcher who leads the researchs for the Evilnum team. “The toolset and infrastructure it uses have evolved and now consist of a combination of homegrown malware and tools purchased from Golden Chickens, the Malware-as-a-Service (MaaS) provider whose malicious clients include the groups FIN6 and Cobalt Group" he adds.
Evilnum steals sensitive information, credit card and address information and identity information, spreadsheets and documents with customer lists, investment and transaction documents, software licenses and credentials for trading software and platforms, email information, and other data. The team has also gained access to information related to IT infrastructure, such as VPN configurations.
“The group reaches its targets with phishing emails that contain a link to a .zip file hosted on Google Drive. This file contains several shortcut files that extract and execute a malicious component while displaying a decoy document,” explains Porolli.
These documents appear to be authentic, and are constantly being collected during the group's malicious operations as they try to reach new victims. The Evilnum team targets technical support agents and account managers, who regularly receive ID and credit card documents from their customers.
As with many malware, the commands μπορούν να αποσταλούν στο malware Evilnum. Μεταξύ άλλων υπάρχουν εντολές για τη συλλογή και αποστολή των κωδικών πρόσβασης (passwords) που είναι αποθηκευμένα στο Google Chrome, συλλογή και αποστολή Google Chrome cookies, λήψη screenshots, διακοπή του malware και αφαίρεση.
"Evilnum bases its operation on important infrastructures, which include several different servers for different forms of communication," concludes Porolli.
For more technical details about Evilnum malware and the APT team, visit related blogpost in WeLiveSecurity.