
Evilnum Group Targets Fintech Companies in Europe

For the past two years, a threat group tracked as Evilnum has been observed targeting financial technology companies, mainly ones located in the European Union and the U.K., ESET reports.


The adversary became known for the use of Evilnum malware, which was initially identified in 2018, but has expanded its toolset with malicious programs purchased from a malware-as-a-service (MaaS) provider named Golden Chickens.

Evilnum is focused on espionage, looking to harvest financial information from victim companies, including documents containing customer lists and investment and trading information, presentations, credentials for trading applications, browser data, email login information, customer credit card data, and even VPN configurations.

Spear-phishing is the initial attack vector: the victim is enticed into opening a Google Drive link to a ZIP archive that contains LNK (shortcut) files. When a shortcut is opened, it extracts and executes JavaScript code while displaying a decoy document (usually a photo of an ID card, a credit card, or a utility bill serving as proof of address).
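The delivery chain above (a ZIP with a double-extension LNK whose target invokes a script host behind a decoy) is exactly the kind of attachment a mail gateway or analyst triage script can flag before a user opens it. The following is an added example, not ESET's or Evilnum's code: it builds a constructed archive in memory and runs a string-based triage over any .lnk members. The archive contents, file names and the list of flagged interpreters are assumptions for illustration; the ShellLink header magic (HeaderSize 0x4C followed by the ShellLink CLSID) is the documented format constant.

```python
import io
import re
import zipfile

# First 8 bytes of a Windows ShellLink (.lnk): HeaderSize=0x0000004C (LE) and the
# start of the LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian layout.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"

# Interpreters and LOLBins commonly launched from a malicious shortcut (assumed list).
SUSPICIOUS_HOSTS = ("cmd.exe", "cscript", "mshta", "powershell", "regsvr32", "rundll32", "wscript")

# Extensions a lure typically fakes in front of ".lnk" (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "png", "pdf", "doc", "docx", "xls", "xlsx"}


def build_sample_zip() -> bytes:
    """Constructed sample: a decoy 'bill' plus a shortcut posing as a passport scan.
    The .lnk is not a fully formed shortcut; it carries only the header magic,
    zero padding to the 76-byte header size and a UTF-16LE command line, which
    is enough for the string-based checks below."""
    fake_cmd = r"C:\Windows\System32\cmd.exe /c wscript.exe //e:jscript passport.jpg.lnk"
    lnk = LNK_MAGIC + b"\x00" * 68 + fake_cmd.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("passport.jpg.lnk", lnk)
        z.writestr("bill.pdf", b"%PDF-1.4\n% decoy placeholder, constructed\n")
    return buf.getvalue()


def utf16_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Extract printable UTF-16LE runs; LNK StringData (arguments, icon path)
    is stored that way when the IsUnicode flag is set."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def triage_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per .lnk member, listing why it looks suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            if not base.endswith(".lnk"):
                continue
            reasons = []
            parts = base.split(".")
            if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
                reasons.append(f"double extension: {name}")
            data = z.read(name)
            if not data.startswith(LNK_MAGIC):
                reasons.append("lnk extension but no ShellLink header")
            strings = utf16_strings(data)
            hits = sorted({h for h in SUSPICIOUS_HOSTS for s in strings if h in s.lower()})
            if hits:
                reasons.append("script host in target: " + ", ".join(hits))
            findings.append({"name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_archive(build_sample_zip()):
        print(f["name"], "->", "; ".join(f["reasons"]) or "no indicators")
```

A shortcut that both hides behind an image extension and launches wscript/cscript or cmd should be quarantined rather than delivered; real triage should additionally parse the LinkTargetIDList and StringData fields properly rather than relying on string scanning alone.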

ESET believes that the hackers are using documents collected during their current operations to facilitate new attacks in which decoy documents seem genuine.

The JS script then deploys additional malware, including a C# spyware component, Golden Chickens tools, and Python-based tools. Each component has its own dedicated command and control (C&C) server and operates independently of the others. Components are installed via manual commands, and post-compromise tools are launched manually when needed.

The initial JavaScript can also act as a backdoor, although to date it has been used only to deploy additional components. Several variants of the script have been observed since May 2018, with differences ranging from updated server-side C&C code and support for different commands to the ability to upload files to the C&C and the addition of Python scripts and external tools.

“Despite the differences, the core functionalities remain the same in all versions, including the retrieval of the C&C server’s address from GitHub, GitLab or Reddit pages created specifically for that purpose,” ESET notes.


The C# component is delivered as an MSI (Windows Installer) file, can run independently of the JavaScript (although it is downloaded only after the script has gained initial access), and uses a different C&C server. The latest variant can take screenshots, run commands and files, send information to the server, and achieve persistence.

Based on the commands received, the malware can terminate its process and remove its persistence, move the mouse to take a screenshot, and send Chrome cookies and saved passwords to the server. Operators can also run additional commands through the Command Prompt.
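Two behaviours described above are well suited to endpoint detection: the JavaScript resolving its C&C address from GitHub, GitLab or Reddit pages (a dead-drop resolver fetched by a script host rather than a browser), and the C# component reading Chrome's cookie and saved-password stores. The following is an added example, not ESET's or the group's code: it runs both rules over a handful of constructed telemetry lines. The log format (key=value pairs), the host and process names, the dead-drop domain list and the alert names are all assumptions for illustration; the Chrome profile paths (`...\User Data\Default\Login Data` and `...\Cookies`) are where Chrome keeps those stores.

```python
import re

# Constructed telemetry in an assumed key=value format (not real Evilnum traffic).
SAMPLE_EVENTS = [
    r'ts=2020-07-09T10:11:02Z host=FIN-WS01 event=netconn image="C:\Program Files\Google\Chrome\Application\chrome.exe" dest=github.com:443',
    r'ts=2020-07-09T10:12:33Z host=FIN-WS01 event=netconn image="C:\Windows\System32\wscript.exe" dest=raw.githubusercontent.com:443',
    r'ts=2020-07-09T10:12:40Z host=FIN-WS02 event=netconn image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest=updates.corp.example:443',
    r'ts=2020-07-09T10:13:05Z host=FIN-WS01 event=netconn image="C:\Windows\System32\cscript.exe" dest=www.reddit.com:443',
    r'ts=2020-07-09T10:20:17Z host=FIN-WS01 event=fileread image="C:\Program Files\Google\Chrome\Application\chrome.exe" path="C:\Users\trader\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'ts=2020-07-09T10:21:44Z host=FIN-WS01 event=fileread image="C:\Users\trader\AppData\Roaming\svc\updater.exe" path="C:\Users\trader\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'ts=2020-07-09T10:21:45Z host=FIN-WS01 event=fileread image="C:\Users\trader\AppData\Roaming\svc\updater.exe" path="C:\Users\trader\AppData\Local\Google\Chrome\User Data\Default\Cookies"',
]

# Script hosts that should not be talking to code-hosting or social sites (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Public pages the article names as C&C dead drops, matched as domain suffixes.
DEAD_DROP_SITES = ("github.com", "githubusercontent.com", "gitlab.com", "reddit.com")
# Processes allowed to open Chrome's credential stores.
BROWSER_IMAGES = {"chrome.exe"}
CHROME_PROFILE_DIR = "\\google\\chrome\\user data\\"
CHROME_STORES = ("\\login data", "\\cookies")

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split a key=value line; values may be double-quoted to allow spaces."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def host_matches(dest: str, sites) -> bool:
    host = dest.rsplit(":", 1)[0].lower()
    return any(host == s or host.endswith("." + s) for s in sites)


def detect(lines) -> list[tuple]:
    """Return (rule, host, image, object) tuples for every line that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        img = image_name(ev.get("image", ""))
        kind = ev.get("event")
        if kind == "netconn" and img in SCRIPT_HOSTS and host_matches(ev.get("dest", ""), DEAD_DROP_SITES):
            alerts.append(("dead_drop_resolver", ev.get("host", "?"), img, ev["dest"]))
        elif kind == "fileread" and img not in BROWSER_IMAGES:
            p = ev.get("path", "")
            low = p.lower()
            if CHROME_PROFILE_DIR in low and low.endswith(CHROME_STORES):
                alerts.append(("browser_credential_store_access", ev.get("host", "?"), img, p))
    return alerts


if __name__ == "__main__":
    for rule, host, img, obj in detect(SAMPLE_EVENTS):
        print(f"{rule:34} {host} {img} -> {obj}")
```

The dead-drop rule deliberately keys on the process rather than the destination alone, since developers and browsers legitimately reach GitHub and Reddit all day; the credential-store rule likewise allows the browser itself and alerts on everything else, which also catches generic stealers such as the LaZagne and NirSoft utilities mentioned later in the article. Both rules are starting points for tuning, not a finished detection.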

The Golden Chickens components used in Evilnum attacks belong to the TerraLoader family. Deployed through manual commands sent to the JS or C# components, these tools include More_eggs, TerraPreter (a Meterpreter payload), TerraStealer (also known as SONE or Stealer One), and TerraTV.

According to ESET, older versions of these components were previously seen in a FIN6 attack on eCommerce merchants. The Cobalt Group is also known to leverage Golden Chickens tools, but the security researchers note that the three adversaries are different groups.

Evilnum also relies on various other post-compromise components, including Python-based tools (a reverse shell over SSL, an SSL proxy, LaZagne, and IronPython) and publicly available tools (PowerShell scripts such as Bypass-UAC, and NirSoft utilities including Mail PassView and ProduKey).

“This group targets fintech companies that provide trading and investment platforms for their customers. The targets are very specific and not numerous. This, and the group’s use of legitimate tools in its attack chain, have kept its activities largely under the radar. […] We think this and other groups share the same MaaS provider, and the Evilnum group cannot yet be associated with any previous attacks by any other APT group,” ESET concludes.


Written by Ionut Arghire, international correspondent for SecurityWeek.
