Hacker Group Targeting Fintech Companies and Personal Data Has Been Under Radar For Years, NOD32 Developer Finds

News and Analysis
14.07.2020

Researchers from cybersecurity company ESET have published a comprehensive paper on a little-known but apparently quite dangerous advanced persistent threat (APT) group Evilnum. The research outlines the major directions of the group’s attacks and evaluates its threat level.

The company is the developer of the popular antivirus software NOD32, among other products.

According to ESET, Evilnum has been active since 2018. Since then, the group has steadily increased the scope of its attacks and the number of malicious tools in its arsenal. Today it specializes mainly in stealing sensitive data from corporate networks. The stolen data can later be used in financial schemes or sold to other criminals.

“According to ESET’s telemetry, the targets are financial technology companies – for example, companies that offer platforms and tools for online trading. Typically, the targeted companies have offices in several locations, which probably explains the geographical diversity of the attacks,” the research notes.

Line of Attack

The majority of Evilnum’s targets are situated in the EU and the UK, but individual attacks have also been detected against Australian and Canadian companies.

Some examples of the information this group steals include:

  • Spreadsheets and documents with customer lists, investments, and trading operations
  • Internal presentations
  • Software licenses and credentials for trading software/platforms
  • Cookies and session information from browsers
  • Email credentials
  • Customer credit card information and proof of address/identity documents

Evilnum can also collect information related to the IT infrastructure of the victim company, such as VPN configurations.

Shady Allegiances

The research revealed that Evilnum uses malware created by the malware-as-a-service (MaaS) group Golden Chickens, which also supplies malware to notorious groups such as FIN6 and Cobalt Group. Yet ESET does not believe these groups share allegiance with any specific government or political movement.

“We believe that FIN6, Cobalt Group, and Evilnum group are not the same, despite the overlaps in their toolsets. They just happen to share the same MaaS provider.”

Modus Operandi

The threat group uses spear-phishing emails to infect devices with Evilnum malware and other malicious scripts. A typical Evilnum attack involves the following steps: a user receives a phishing email with a link to a ZIP archive hosted on Google Drive. The archive contains several LNK files that extract and launch a malicious JavaScript component while displaying an infected document.

Archive with LNK files. Source: Welivesecurity

Malicious LNK Files

Phishing emails are usually disguised as legitimate emails from tech support or customer service officers. Malicious LNK files in turn are disguised as images of credit cards and other identity-confirming documents, as many financial institutions require their clients to provide such data in line with KYC procedures.
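As an added, illustrative example (not from ESET's paper or from this article), the following Python script checks a ZIP archive for Windows shell-link (LNK) entries by their header bytes rather than by file name, and flags names that pose as image or document scans (for example `scan.jpg.lnk`). The archive it inspects is constructed inline for the demonstration.

```python
import io
import zipfile

# A Windows shell link starts with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Extensions a lure might use to pass a link off as a card image or ID scan.
DOC_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf")


def is_lnk(data: bytes) -> bool:
    """Content-based check: True when the bytes begin with the shell-link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_archive(zip_bytes: bytes) -> list:
    """Return one finding per suspicious entry, in archive order.

    An entry is flagged when its content is a shell link; the finding also notes
    whether the name imitates an image/document (double extension such as .jpg.lnk).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            name = info.filename.lower()
            if is_lnk(head):
                inner = name[:-4] if name.endswith(".lnk") else name
                findings.append({"name": info.filename, "reason": "lnk-header",
                                 "disguised_as_document": inner.endswith(DOC_EXTS)})
            elif name.endswith(".lnk"):
                findings.append({"name": info.filename, "reason": "lnk-extension-only",
                                 "disguised_as_document": False})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a real Evilnum archive): a fake 'passport scan' and a
    plain link, both with a shell-link header, plus one harmless PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("passport_scan.jpg.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("address_proof.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("readme.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```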

The main payload of Evilnum is aimed at collecting various confidential information, including passwords and cookies stored in Google Chrome, and basic information on the PC's configuration and installed programs. It is even capable of saving desktop screenshots when a user moves the mouse cursor. And of course, it can stealthily run commands via cmd.exe.

Conclusion: an Underrated Threat

Researchers conclude that despite the group likely not being closely associated with any big-time players, it is still a major and underrated threat to certain specific parts of the industry:

“This group targets fintech companies that provide trading and investment platforms for their customers. The targets are very specific and not numerous. This, and the group’s use of legitimate tools in its attack chain, have kept its activities largely under the radar.”

by Constantine Golubev
