Evilnum hackers use the same malware supplier as FIN6, Cobalt

Hackers in the Evilnum group have developed a toolset that combines custom malware, legitimate utilities, and tools bought from a malware-as-a-service (MaaS) provider that caters for big fintech threat actors.

The group has been active since at least 2018 and focuses on companies from the financial technology sector that offer trading and investment platforms.

Taking a shortcut

Its targets are both companies and their customers, the objective being to steal financial information. An investigation into Evilnum’s activity from cybersecurity company ESET reveals that they’re looking for the following type of data:

  • spreadsheets and documents with investment and trading operations
  • internal presentations
  • licenses and credentials for trading software
  • cookies and session info from Google Chrome
  • email logins
  • customer credit card data and proof of identity

Attacks begin with spearphishing emails containing .LNK shortcut files pretending to be an image or a document (double extension). When the victim user opens it, a malicious JavaScript component executes and opens a decoy file with the same name as the shortcut; then it deletes the .LNK file.
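As an added illustration (not code from ESET's report or the article), the following Python snippet flags email attachments that are genuine Windows shortcut files hiding behind a document or image double extension, checking both the file name and the Shell Link header rather than trusting either alone; the attachment names and bytes are constructed samples.

```python
import re
import struct

# Shell Link (.LNK) header: 4-byte HeaderSize (0x4C) followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 as a packed GUID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

# Extensions a lure imitates (image or document) before the trailing .lnk
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx"}

def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with a valid Shell Link header."""
    if len(data) < 20:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID

def has_double_extension(name: str) -> bool:
    """True for names like 'photo.jpg.lnk' that mimic an image or document."""
    m = re.fullmatch(r".+\.([A-Za-z0-9]+)\.lnk", name, flags=re.IGNORECASE)
    return bool(m) and m.group(1).lower() in DECOY_EXTENSIONS

def classify_attachment(name: str, data: bytes) -> str:
    """'suspicious' when a real LNK hides behind a decoy extension,
    'lnk' for a plainly named shortcut, 'benign' otherwise."""
    if not is_shell_link(data):
        return "benign"
    return "suspicious" if has_double_extension(name) else "lnk"

# Constructed sample attachments (hypothetical, not samples from the report)
SAMPLE_LNK = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * 56
SAMPLES = {
    "statement.pdf.lnk": SAMPLE_LNK,
    "photo.jpg.lnk": SAMPLE_LNK,
    "readme.lnk": SAMPLE_LNK,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 72,   # real JPEG magic
    "report.pdf.lnk": b"%PDF-1.4\n" + b"\x00" * 60,    # name lies, bytes do not
}

def scan(samples: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: classify_attachment(name, blob) for name, blob in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:22} {verdict}")
```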

The role of the JavaScript component (also referred to as Evilnum) is also to deploy other malware like the Evilnum spying module, malware from the Golden Chickens MaaS, and multiple Python-based tools.

Another component, written in C#, has functionality similar to the first-stage JavaScript. It is the malware that gave the group its Evilnum name: version 1.3 from May 2018 calculated the C2 address by dividing a numerical value taken from a public web page by 666. The developers call it Marvel, and in April they were using version 4.0.

Mix of custom, MaaS, and public tools

Evilnum sets up a solid operation where several malicious components run independently and connect to different command and control (C2) servers to receive commands and post-compromise tools from the hackers.

In a technical report published today, ESET notes that most C2 servers do not have a domain name and are identified only by their IP address. Servers for the Golden Chickens components are the exception.

Another interesting thing is that the C2 addresses are pulled from GitHub, GitLab, and Reddit pages that have been created specifically for this task. 

Tools and infrastructure from the Golden Chickens MaaS are used by infamous threat groups focusing on the fintech sector, such as FIN6 and Cobalt, as well as by TrickBot, causing an overlap in tactics, techniques, and procedures (TTPs).

Last year, cyber intelligence startup QuoIntelligence discovered that Golden Chickens provided seven new tools for reconnaissance, information stealing, ransomware attacks, MBR wiping, and malware loading:

  • TerraRecon – reconnaissance tool that looks for specific hardware and software used by companies operating in the retail and payment services sectors
  • TerraStealer – information stealer, also known as SONE or StealerOne
  • VenomLNK – a malware variant likely generated by a newer version of the VenomKit building kit
  • TerraWiper – Master Boot Record (MBR) wiper
  • TerraCrypt – ransomware, also known as PureLocker, that can lock files on Windows, Linux, and macOS
  • TerraTV – custom DLL designed to hijack legitimate TeamViewer applications
  • lite_more_eggs – lite version of more_eggs used as a loader

According to ESET, Evilnum makes extensive use of tools from Golden Chickens, delivered with the TerraLoader dropper. Among the payloads delivered this way are more_eggs, TerraStealer, TerraTV, and TerraPreter (which decrypts a Meterpreter instance and runs it in memory).

The post-compromise arsenal includes Python-based tools for a reverse shell and an SSL proxy, the LaZagne password recovery utility, and IronPython. The toolset is rounded out by PowerShell scripts to bypass security controls and NirSoft utilities for extracting passwords from email clients and Microsoft Office and Windows licenses.

ESET assesses that the small number of specific targets, combined with the use of legitimate tools, has kept Evilnum's activities largely undetected. Frequent updates to the malicious components also contribute to the stealth of the operations.

A list with indicators of compromise (IoCs) is available in ESET’s GitHub repository.

Source: BleepingComputer