Hackers in the Evilnum group have assembled a toolset that combines custom malware, legitimate utilities, and tools bought from a malware-as-a-service (MaaS) provider that caters to high-profile threat actors targeting the fintech sector.
The group has been active since at least 2018 and focuses on companies from the financial technology sector that offer trading and investment platforms.
Taking a shortcut
Its targets are both the companies and their customers, the objective being to steal financial information. An investigation into Evilnum's activity by cybersecurity company ESET reveals that the group is after the following types of data:
- spreadsheets and documents with investment and trading operations
- internal presentations
- licenses and credentials for trading software
- cookies and session info from Google Chrome
- email logins
- customer credit card data and proof of identity
Mix of custom, MaaS, and public tools
Evilnum runs a robust operation in which several malicious components operate independently and connect to different command and control (C2) servers to receive commands and post-compromise tools from the operators.
In a technical report published today, ESET notes that most C2 servers do not have a domain name and are identified only by their IP address. The servers for the Golden Chickens components are the exception.
Another notable detail is that the C2 addresses are retrieved from GitHub, GitLab, and Reddit pages created specifically for this purpose, so the operators can point the malware at a new server without updating the malware itself.
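C2 traffic that goes straight to a raw IP address with no domain name has a useful side effect for defenders: there is no DNS lookup to account for it. The following Python script, added here as an illustration and not part of ESET's report or Evilnum's tooling, correlates a DNS answer log with a connection log and flags outbound connections to external IPs that no DNS answer in a lookback window resolved to. The log formats, timestamps, hostnames and IP addresses (all RFC 5737 documentation ranges) are constructed for the example; the internal-network list and the lookback window are assumptions to be tuned per environment.

```python
import ipaddress
from collections import defaultdict

# Constructed sample logs for this example; they are not indicators from ESET's report.
# DNS answer log, format: "<epoch> <client> <qname> <answer_ip>"
DNS_LOG = [
    "1000 10.0.0.5 www.example.com 203.0.113.20",
    "1010 10.0.0.5 update.example.org 203.0.113.10",
    "1020 10.0.0.7 code.example.com 203.0.113.30",
    "1100 10.0.0.9 late.example.net 192.0.2.5",  # answer arrives AFTER the connection below
]
# Outbound connection log, format: "<epoch> <src> <dst> <dport>"
CONN_LOG = [
    "1005 10.0.0.5 203.0.113.20 443",   # preceded by a DNS answer -> benign
    "1030 10.0.0.5 198.51.100.77 443",  # never resolved -> flagged
    "1040 10.0.0.7 203.0.113.30 443",   # preceded by a DNS answer -> benign
    "1050 10.0.0.7 10.0.0.1 445",       # internal destination -> out of scope here
    "1060 10.0.0.5 203.0.113.10 8080",  # preceded by a DNS answer -> benign
    "1070 10.0.0.9 192.0.2.5 80",       # DNS answer only arrives later -> flagged
]

# Assumed internal ranges; lateral traffic is a different detection problem.
# Listed explicitly rather than via ip.is_global because Python treats the
# RFC 5737 documentation ranges used in this sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_dns(lines):
    """Map answer IP -> sorted list of (ts, qname) so timing can be checked."""
    answers = defaultdict(list)
    for line in lines:
        ts, _client, qname, answer = line.split()
        answers[answer].append((int(ts), qname))
    for entries in answers.values():
        entries.sort()
    return answers


def resolved_before(answers, dst, ts, lookback):
    """True if some DNS answer returned `dst` within `lookback` seconds before `ts`.
    Answers that arrive after the connection do not count."""
    return any(ts - lookback <= ans_ts <= ts for ans_ts, _ in answers.get(dst, ()))


def find_unresolved_connections(dns_lines, conn_lines, lookback=3600, allow_nets=()):
    """Return (ts, src, dst, dport) for connections to external IPs that no DNS
    answer in the lookback window accounted for. `allow_nets` holds CIDRs for
    known hard-coded destinations (NTP pools, update CDNs) to suppress noise."""
    answers = parse_dns(dns_lines)
    allow = [ipaddress.ip_network(n) for n in allow_nets]
    hits = []
    for line in conn_lines:
        ts, src, dst, dport = line.split()
        ts = int(ts)
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in INTERNAL_NETS):
            continue
        if any(ip in net for net in allow):
            continue
        if not resolved_before(answers, dst, ts, lookback):
            hits.append((ts, src, dst, int(dport)))
    return hits


if __name__ == "__main__":
    for hit in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print("outbound connection with no prior DNS resolution:", hit)
```

Expect noise from software that legitimately uses hard-coded addresses and from hosts that resolve names over DNS-over-HTTPS, which this correlation cannot see; both belong in `allow_nets` or in a tuned lookback rather than being ignored wholesale. The check also says nothing about the Golden Chickens components, which the report says do use domain names.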
Tools and infrastructure from the Golden Chickens MaaS are also used by notorious threat groups focused on the fintech sector, such as FIN6 and Cobalt, as well as by the TrickBot operators, which produces an overlap in tactics, techniques and procedures (TTPs) between them.
Last year, cyber intelligence startup QuoIntelligence discovered that Golden Chickens had added seven new tools for reconnaissance, information stealing, ransomware attacks, MBR wiping, and malware loading:
- TerraRecon – reconnaissance tool that looks for specific hardware and software used by companies operating in the retail and payment services sectors
- TerraStealer – information stealer, also known as SONE or StealerOne
- VenomLNK – a malware variant likely generated by a newer version of the VenomKit building kit
- TerraWiper – Master Boot Record (MBR) wiper
- TerraCrypt – ransomware, also known as PureLocker, that can encrypt files on Windows, Linux, and macOS
- TerraTV – a custom DLL designed to hijack legitimate TeamViewer installations
- lite_more_eggs – a lite version of more_eggs used as a loader
According to ESET, Evilnum makes extensive use of Golden Chickens tools, with the TerraLoader dropper delivering the rest. Among the payloads delivered this way are more_eggs, TerraStealer, TerraTV, and TerraPreter, which decrypts a Meterpreter instance and runs it in memory.
The post-compromise arsenal includes Python-based tools for a reverse shell and an SSL proxy, the LaZagne password recovery utility, and IronPython. The toolset is rounded out by PowerShell scripts to bypass security controls and NirSoft utilities for extracting passwords from email clients as well as Microsoft Office and Windows license keys.
ESET assesses that the small number of specific targets, combined with the use of legitimate tools, has kept Evilnum's activities largely undetected. Frequent updates to the malicious components also contribute to the stealth of the operations.
A list with indicators of compromise (IoCs) is available in ESET’s GitHub repository.