On July 9, 2020, details were released regarding the operations of the Evilnum advanced persistent threat (APT) group behind the Evilnum malware, which was previously seen in a spear-phishing campaign against financial technology companies. According to ESET's telemetry, the targeted companies offer platforms and tools for online trading and are located in Australia, Canada, the United Kingdom, and other European countries. The main objective of the threat actors is to spy on their targets and obtain financial information from both the targeted companies and their customers. Security researchers at ESET report that the threat actors typically attempt to obtain the following types of data: documents with customer lists, investments, and trading operations; internal presentations; software licenses; and credentials for trading platforms. The threat actors also sought to steal browser cookies and session information, email credentials, and customer credit card information.
According to ESET, the Evilnum component also acts as a backdoor and handles communications with the command-and-control (C2) server, whereas the C# components take on the remaining tasks, including taking screenshots, stealing sensitive data, and exfiltrating it to the attacker-controlled server. The attackers then use a number of additional Golden Chickens tools, such as Terra_Loader and more_eggs, which employ anti-debugging techniques and prevent execution in sandboxed environments. Post-compromise, the group deploys a series of Python-based tools to capture screenshots, steal credentials, perform keylogging, and collect sensitive data.
Nuspire recommends the following mitigations to reduce the risk from this campaign:
– Use next-generation antivirus software and keep it updated
– Use a password manager to blunt the keylogging feature of the malware
– Keep operating system patches up to date
– Provide phishing and social engineering awareness training to employees
The following indicators of compromise (IOCs) are associated with this campaign:
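As an added example (not part of the original advisory, and not Nuspire's or ESET's code), the script below shows how a defender would operationalize an indicator list like the one referenced above: it extracts hostnames, IPv4 addresses and SHA-256 hashes from log lines and reports any that match the list. The indicator values and the log lines in it are constructed placeholders for the demonstration; they are not the campaign's published IOCs, which you would substitute for the `PLACEHOLDER_IOCS` sets.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Placeholder indicators, constructed for this example. They are NOT the
# indicators published for the Evilnum campaign; replace these sets with the
# values from the advisory's IOC list (or load them from a file).
PLACEHOLDER_IOCS: Dict[str, Set[str]] = {
    "domain": {"placeholder-c2.example", "Update-Check.Invalid"},
    "ip": {"192.0.2.10"},
    "sha256": {"a" * 64},
}

# Constructed sample log lines (proxy, DNS, EDR and firewall events) used only
# to demonstrate the sweep. Line 4 is benign and must not produce a hit.
SAMPLE_LOGS: List[str] = [
    "2020-07-10T09:12:01Z proxy user=jdoe dst=placeholder-c2.example:443 method=CONNECT",
    "2020-07-10T09:12:05Z dns query=update-check.invalid type=A rcode=NOERROR",
    "2020-07-10T09:13:44Z edr host=WS-17 proc=wscript.exe sha256=" + "a" * 64,
    "2020-07-10T09:14:02Z proxy user=asmith dst=intranet.corp.example:443 method=CONNECT",
    "2020-07-10T09:15:30Z fw src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow",
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Dotted labels whose last label is alphabetic. This also catches file names
# such as "wscript.exe"; that is harmless because candidates are only reported
# when they appear in the indicator set.
_DOMAIN = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")


def normalize_iocs(iocs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Lower-case every indicator so that matching is case-insensitive."""
    return {kind: {value.lower() for value in values} for kind, values in iocs.items()}


def extract_candidates(line: str) -> Dict[str, Set[str]]:
    """Pull every hostname, IPv4 address and SHA-256 hash out of one log line."""
    return {
        "domain": {m.lower() for m in _DOMAIN.findall(line)},
        "ip": set(_IPV4.findall(line)),
        "sha256": {m.lower() for m in _SHA256.findall(line)},
    }


def sweep(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, indicator type, indicator) for every match."""
    wanted = normalize_iocs(iocs)
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        candidates = extract_candidates(line)
        for kind, values in candidates.items():
            for value in sorted(values & wanted.get(kind, set())):
                hits.append((lineno, kind, value))
    return hits


if __name__ == "__main__":
    for lineno, kind, value in sweep(SAMPLE_LOGS, PLACEHOLDER_IOCS):
        print(f"line {lineno}: {kind} match {value}")
```

Hostnames and hashes are lower-cased on both sides before comparison, so a mixed-case indicator still matches a lower-cased DNS log. For a real sweep, feed `sweep()` the proxy, DNS and endpoint logs for the period of interest and treat every hit as a lead to investigate rather than as proof of compromise on its own.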