Researchers with the Slovakia-based anti-virus and firewall company ESET released a detailed report about tactics and malware used by the cyber-criminal threat group known as Evilnum, named after the custom malware that the group is known to use. The Evilnum malware was given that name by researchers at Palo Alto Networks based on the fact that it obtained the address of its Command and Control (C2) server by taking an embedded number and dividing it by 666 to get the IP address in decimal format. ESET pointed out that evidence suggests the malware authors call it “Marvel” but to avoid confusion, the name Evilnum is still used for the malware and the threat group. The threat actors target global companies in the Financial Technology (FinTech) vertical, and their corporate espionage goals include theft of spreadsheets, documents, internal presentations, customer and investment information, and of course, credentials and session cookies to take over accounts. Like many other threat groups, the initial attack vector is usually through targeted email delivered with links to malware hosted on a cloud service provider. Evilnum often uses Google Drive links to deliver a zip file to targeted employees, avoiding network detection and blocking. If the targeted person opens the zip file, the files inside appear to be harmless images of customer verification documents such as ID cards, but are actually Windows shortcut (.lnk) files that will invisibly write a JavaScript file and execute it on the system before opening the picture file, so that nothing appears wrong to the target other than perhaps receiving some ID verification photos they weren’t expecting. The JavaScript code is a fully featured Remote Access Trojan (RAT) that can log keystrokes, upload and download files, and persist across reboots through the registry. It contacts GitHub, GitLab or Reddit to obtain the IP address of its C2 server. The JavaScript RAT is often used to download additional components such as a C# RAT that uses a different persistence mechanism and a different C2 server for added resiliency, in case the JavaScript component is detected and removed by defenders. The C# malware can take screenshots on the victim computer but relies on the JavaScript component to upload them. The C# component also cleans up any Windows shortcut files left over by the JavaScript component, demonstrating that the two pieces of malware were designed to work together. The Evilnum group also makes use of malware-as-a-service such as the TerraLoader family, which is advertised on criminal forums by a threat group known as “Golden Chickens.” These additional components are also delivered by the JavaScript or C# components.
Analyst Notes
Network defenders and threat hunters should study the threat group’s techniques and evaluate whether existing security controls are capable of detecting this activity. Email with links to Google Drive and downloads from Google servers are not suspicious in most environments, but JavaScript executing that writes to the CurrentVersionRun keys in the registry might be out of place and can be inspected if defenders are aware of those events. Detecting details of script-based malware such as this requires Endpoint Detection and Response (EDR) tools that can monitor process hierarchy information and registry activity, and can only be put to practical use if security analysts are monitoring the events and detections from the EDR systems around the clock and respond by investigating to discover information about the threat.
For more information and detailed indicators of compromise, please see ESET’s report: https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
