ESET researchers have published an in-depth analysis of the activity of the Evilnum cybercrime group, the APT (advanced persistent threat) group behind the Evilnum malware.
According to the data telemetryof ESET, the Evilnum group has focused its attacks on financial technology companies. Most of the targets are in the European Union and the United Kingdom, however, ESET has also detected other attacks in Australia and Canada. 
The Evilnum Group closely monitors its candidate targets to gather financial information about the company and its customers.
"While Evilnum malware has been detected 'in the wild' since at least 2018, the information that has been published about the team behind the malware and how it works is minimal," said Matias Porolli, ESET researcher who leads research for the Evilnum group. "All of the tools and infrastructure it uses have evolved and now consist of a combination of improvised malware and tools purchased from Golden Chickens, the Malware-as-a-Service (MaaS) malware provider whose groups include malicious customers. FIN6 and Cobalt Group "he adds.
Evilnum steals sensitive information, credit card and address information and identity information, spreadsheets and documents with customer lists, investment and transaction documents, software licenses and credentials for trading software and platforms, email information, and other data. The team has also gained access to information related to IT infrastructure, such as VPN configurations.
“The group reaches its targets with phishing emails that contain a link to a .zip file hosted on Google Drive. This file contains several shortcut files that extract and execute a malicious component while displaying a decoy document,” explains Porolli.
These writings appear to be authentic, and were collected continuously during duration of the group's malicious operations as thanks to them they will try to reach new victims. The Evilnum team is targeting tech reps supportand account managers, who regularly receive documents with identification and credit card information from their customers.
As with many malware, commands can be sent to the Evilnum malware. Among other things there are commands to collect and send passwords stored in Google Chrome, collect and send Google Chrome cookies, take screenshots, stop malware and remove.
"Evilnum bases its operation on important infrastructures, which include several different servers for different forms of communication," concludes Porolli.
For more technical details about Evilnum malware and the APT team, visit related blogpost in WeLiveSecurity.
