For the past two years, a threat group tracked as Evilnum has been observed targeting financial technology companies, mainly ones located in the European Union and the U.K., ESET reports.
The adversary became known for the use of Evilnum malware, which was initially identified in 2018, but has expanded its toolset with malicious programs purchased from a malware-as-a-service (MaaS) provider named Golden Chickens.
Evilnum is focused on espionage, looking to harvest financial information from victim companies, including documents containing customer lists and investment and trading information, presentations, credentials for trading applications, browser data, email login information, customer credit card data, and even VPN configurations.
Spear-phishing is used as the initial attack vector, with the victim enticed into accessing a Google Drive link to a ZIP file that contains LNK (shortcut) files to extract and execute JavaScript code while displaying a decoy document (usually a photo of an ID, credit card, or a bill to prove the physical address).
ESET believes that the hackers are using documents collected during their current operations to facilitate new attacks in which decoy documents seem genuine.
The JS script would deploy additional malware, including a C# spyware and Golden Chickens and Python-based applications. Each component has its dedicated command and control (C&C) server and operates independently from the others. Components are installed via manual commands, and post-compromise tools are launched manually if needed.
The initial JavaScript also acts as a backdoor, if needed, although to date it has been used only to deploy additional components. Several variants of the script were observed since May 2018, with differences ranging from updated server-side code for the C&C, support for different commands, the ability to upload files to the C&C, and the addition of Python scripts and external tools.
“Despite the differences, the core functionalities remain the same in all versions, including the retrieval of the C&C server’s address from GitHub, GitLab or Reddit pages created specifically for that purpose,” ESET notes.
The C# component features an MSI file (Windows Installer), can run independent of the JavaScript (although it is downloaded after the script’s initial access) and has a different C&C. The latest variant can take screenshots, run commands and files, send information to the server, and achieve persistence.
Based on the received commands, the malware can stop its process and remove persistence, move the mouse to take a screenshot, and send Chrome cookies and saved passwords to the server. Operators can also run additional commands using the Command Prompt.
Golden Chickens components used in Evilnum attacks are from the TerraLoader family. Deployed through manual commands sent to the JS or C# components, these tools include More_eggs, TerraPreter (a Meterpreter payload), TerraStealer (also known as SONE or Stealer One), and TerraTV.
According to ESET, older versions of these components were previously seen in a FIN6 attack on eCommerce merchants. The Cobalt Group is also known to leverage Golden Chickens tools, but the security researchers note that the three adversaries are different groups.
Evilnum also relies on various other post-compromise components, including Python-based tools (a reverse shell over SSL script, an SSL proxy, LaZagne, and IronPython), and publicly available tools (PowerShell scripts such as Bypass-UAC and NirSoft utilities, including Mail PassView and ProduKey).
“This group targets fintech companies that provide trading and investment platforms for their customers. The targets are very specific and not numerous. This, and the group’s use of legitimate tools in its attack chain, have kept its activities largely under the radar. […] We think this and other groups share the same MaaS provider, and the Evilnum group cannot yet be associated with any previous attacks by any other APT group,” ESET concludes.
Related: Backdoor Targets U.S. Companies via LinkedIn
Related: New Kaspersky Tool Helps Attribute Malware to Threat Actors
Related: Nine Distinct Threat Groups Targeting Industrial Systems: Dragos