Evilnum Hacking Group Updates TTPs Targeting Fintech

Group Now Uses MS Office Word Documents to Deliver Payload
Evilnum APT group attacks coincide with the Russia-Ukraine conflict. (Source: ISMG)

Evilnum, a hacking group that primarily targets fintech firms in the U.K. and Europe, has updated its tactics, techniques and procedures: it now delivers its malicious payload through Microsoft Office Word documents that use document template injection to fetch the payload onto victims' machines.

In earlier campaigns in 2021, the group's main distribution vector was LNK files - Windows shortcut files sent inside malicious archives attached to spear-phishing emails.

Zscaler's ThreatLabz researchers say they have identified several previously undocumented domains associated with the Evilnum advanced persistent threat group, which they say indicates the group has been successful at flying under the radar and has remained undetected for a long time.

Security researchers discovered Evilnum in 2018 when it was found to be using spear-phishing emails and social engineering techniques to target the financial services sector, particularly companies dealing with trading and compliance in the U.K. and Europe.

In March 2022, Zscaler researchers say they observed the group targeting an intergovernmental organization that deals with international migration services, which they describe as a significant update in the choice of targets of the Evilnum APT group.

The researchers also saw that the timeline of the attack and the nature of the attack coincided with the Russia-Ukraine conflict.

Updated Technique

The APT actors gain initial access to devices and networks by delivering malicious documents through a spear-phishing email campaign. Once the document is delivered, the targeted victim downloads and opens it, and the document fetches a second-stage macro template from an attacker-controlled domain.

The researchers say the document then displays decoy content that prompts the user to enable macros.

The second-stage template, the researchers say, contains the key malicious macro code.

"Macro-based documents used in the template injection stage leveraged VBA code stomping technique to bypass static analysis and also to deter reverse engineering," the researchers say. "This technique destroys the original source code and only a compiled version of the VBA macro code (also known as p-code) is stored in the document."

Sample decoy document (Source: Zscaler)

In the next stage, heavily obfuscated JavaScript is used to decrypt and drop the payloads on the endpoint.

"The JavaScript configured a scheduled task to run the dropped binary. This JavaScript has significant improvements in the obfuscation technique compared to the previous versions used by EvilNum APT group. The names of all the file system artifacts created during the course of execution were chosen carefully by the threat actor to spoof legitimate Windows and other legitimate third party binaries' names," the researchers say.

The researchers also spotted that the APT group registered multiple domain names using specific keywords related to the industry vertical targeted in each new instance of the campaign.

They observed that the threat actors achieved persistence via Scheduled Tasks, adding, "During JavaScript execution, a scheduled task with the name 'UpdateModel Task' will be created to execute the dropped loader binary with required command-line arguments."
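Two details above give defenders something to key on: the task name the researchers report, and the fact that the dropped files are named to look like legitimate Windows or third-party binaries, which means the filename alone is not a useful signal but its location is. The triage routine below, an added example and not Zscaler's or ISMG's code, applies both checks to scheduled-task creation records. It assumes the events (for instance Windows Security event 4698) have already been collected and parsed into dicts with the `task_name` and `command` fields used here; the sample records, the user path and the spoofed binary name in them are constructed for the demo, and the command-line arguments are a placeholder since the article does not state them.

```python
"""Triage scheduled-task creation events for the persistence pattern described above.

Added example, not code from Zscaler or ISMG. Assumes task-creation events have
been parsed into dicts with at least 'task_name' and 'command' keys.
"""
import re
from typing import Dict, List

# Task name reported in the article (compared case-insensitively, without the leading backslash)
KNOWN_TASK_NAMES = {"updatemodel task"}

# Filenames commonly imitated by droppers; a small illustrative set, extend from your own baseline
SYSTEM_BINARY_NAMES = {"svchost.exe", "rundll32.exe", "explorer.exe", "taskhostw.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Directories any user can write to; legitimate scheduled tasks rarely run binaries from here
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\",
    re.IGNORECASE,
)


def triage_task_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons to escalate one event; an empty list means nothing matched."""
    reasons: List[str] = []
    name = ev.get("task_name", "").strip("\\").lower()
    if name in KNOWN_TASK_NAMES:
        reasons.append("task name matches reported indicator")
    cmd = ev.get("command", "").strip('"').lower()
    if USER_WRITABLE.search(cmd):
        reasons.append("executable lives in a user-writable directory")
    base = cmd.rsplit("\\", 1)[-1]
    if base in SYSTEM_BINARY_NAMES and not cmd.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside a system directory")
    return reasons


def triage_all(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged task name to its reasons, skipping events with no findings."""
    findings = {}
    for ev in events:
        reasons = triage_task_event(ev)
        if reasons:
            findings[ev.get("task_name", "")] = reasons
    return findings


# Constructed sample records: one ordinary Windows task and one shaped like the article's description
SAMPLE_EVENTS = [
    {"event_id": "4698", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe", "arguments": "-c -h -o -$"},
    {"event_id": "4698", "task_name": r"\UpdateModel Task",
     "command": r"C:\Users\alice\AppData\Roaming\Updater\svchost.exe",   # constructed path and name
     "arguments": "<placeholder: arguments not given in the article>"},
]

if __name__ == "__main__":
    for task, reasons in triage_all(SAMPLE_EVENTS).items():
        print(task, "->", "; ".join(reasons))
```

The indicator match is the weakest of the three checks, since a task name is trivial for the operator to change between campaigns; the path-based checks survive that and are the ones worth keeping in a detection rule.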

Backdoor Capabilities

Backdoors installed on victims' infected devices are capable of performing tasks such as decrypting the backdoor configuration, resolving API addresses from the libraries listed in that configuration and conducting a mutex check.

They are also able to build a data exfiltration string to send as part of the beacon request, encrypting and Base64-encoding the string and embedding it in the Cookie header field.

Once these tasks are completed, the backdoor chooses a C2 domain and a route string and sends out a beacon request. The C2 may even respond with a fresh encrypted payload, the researchers say.

The backdoors can also take screenshots and send them to the C2 server via POST requests, with the data exfiltrated in encrypted form.
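An encrypted, Base64-encoded blob riding in the Cookie header looks nothing like a normal session cookie once you decode it: it is long, it decodes cleanly, and the decoded bytes have near-random entropy. The heuristic below scores cookie values on those three properties. It is an added example, not Zscaler's or ISMG's code, and the request samples are constructed: the cookie names (`sid`, `sessionid`, `pad`) are arbitrary, and the "ciphertext" is deterministic pseudo-random bytes derived with SHA-256 rather than real exfiltrated data.

```python
"""Flag Cookie header values that look like an encoded exfil blob rather than a cookie.

Added example, not code from Zscaler or ISMG. Operates on the raw Cookie header
string from an HTTP request (for example from a proxy or web-server log).
"""
import base64
import binascii
import hashlib
import math
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or single-valued input, up to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict; parts without '=' are ignored."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def looks_like_encoded_blob(val: str, min_len: int = 64, min_entropy: float = 4.5) -> bool:
    """True when the value is long, strictly valid Base64 and decodes to high-entropy bytes."""
    if len(val) < min_len:
        return False
    try:
        raw = base64.b64decode(val, validate=True)  # rejects non-alphabet chars and bad padding
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(raw) >= min_entropy


def suspicious_cookies(cookie_header: str) -> List[str]:
    """Names of the cookies in the header whose values look like encoded blobs."""
    return [n for n, v in parse_cookie_header(cookie_header).items() if looks_like_encoded_blob(v)]


# Constructed samples. FAKE_CIPHERTEXT stands in for an encrypted exfil string: 96 deterministic
# pseudo-random bytes, so the demo is reproducible without any real data.
BENIGN = "sessionid=abc123def456; theme=dark"
LOW_ENTROPY = "pad=" + base64.b64encode(b"A" * 60).decode()   # long Base64, but not encrypted-looking
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))
BEACON = "sid=" + base64.b64encode(FAKE_CIPHERTEXT).decode() + "; lang=en"

if __name__ == "__main__":
    for label, header in (("benign", BENIGN), ("low entropy", LOW_ENTROPY), ("beacon", BEACON)):
        print(f"{label}: flagged cookies = {suspicious_cookies(header)}")
```

Plenty of legitimate applications also store Base64 in cookies, so treat a hit as a triage signal to combine with the destination's age and reputation (the article notes the group registers fresh, industry-themed domains per campaign) and with request cadence, rather than as a verdict on its own. The length and entropy thresholds are starting points to tune against your own traffic.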

The researchers say they are not certain about the origins of Evilnum, but they say its choice of victims points to a state-backed interest in cyberespionage campaigns.

Previous Campaigns

In earlier activity, Evilnum expanded its targeting to other countries, including Canada and Australia, security firm Eset reported (see: APT Group Targets Fintech Companies).

In one of its campaigns in 2020, Evilnum deployed a remote access Trojan that Cybereason researchers called PyVil. Written in Python, it includes keylogging, screenshot capture and data exfiltration capabilities. The Trojan can also deploy other malicious tools, such as the LaZagne credential-stealing tool, Cybereason said (see: Evilnum Hackers Change Tactics for Targeting Fintech Firms).

A Kaspersky report in August 2020 found links between the malware that Evilnum hackers use and variants that have targeted other organizations (see: Hacking-for-Hire Group Expands Cyber Espionage Campaign).

These connections led Kaspersky researchers to conclude that Evilnum might belong to another hacking group called "DeathStalker," which is known to target smaller law firms and financial institutions.


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.